Windows Analysis Report
Salary_Receipt.exe

Overview

General Information

Sample name: Salary_Receipt.exe
Analysis ID: 1561148
MD5: 08a71f36822c8207f16013ed296ff269
SHA1: 4b7bcd2c3246f98be32330a20892a28e998e4b19
SHA256: 003b578a15479fac58ada62d5bb903102d3d3113f530ce3c51cd10c28f479868

Detection

FormBook
Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString, GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file name is different from the original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Salary_Receipt.exe (PID: 6188 cmdline: "C:\Users\user\Desktop\Salary_Receipt.exe" MD5: 08A71F36822C8207F16013ED296FF269)
    • svchost.exe (PID: 1992 cmdline: "C:\Users\user\Desktop\Salary_Receipt.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000002.00000002.2545760387.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2546047689.0000000003950000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\Salary_Receipt.exe", CommandLine: "C:\Users\user\Desktop\Salary_Receipt.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Salary_Receipt.exe", ParentImage: C:\Users\user\Desktop\Salary_Receipt.exe, ParentProcessId: 6188, ParentProcessName: Salary_Receipt.exe, ProcessCommandLine: "C:\Users\user\Desktop\Salary_Receipt.exe", ProcessId: 1992, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\Salary_Receipt.exe", CommandLine: "C:\Users\user\Desktop\Salary_Receipt.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Salary_Receipt.exe", ParentImage: C:\Users\user\Desktop\Salary_Receipt.exe, ParentProcessId: 6188, ParentProcessName: Salary_Receipt.exe, ProcessCommandLine: "C:\Users\user\Desktop\Salary_Receipt.exe", ProcessId: 1992, ProcessName: svchost.exe
No Suricata rule has matched

AV Detection

Source: Salary_Receipt.exe; ReversingLabs: Detection: 34%
Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.2545760387.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2546047689.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: Salary_Receipt.exe; Joe Sandbox ML: detected
Source: Salary_Receipt.exe; Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: wntdll.pdbUGP; source: Salary_Receipt.exe, 00000000.00000003.2058303515.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, Salary_Receipt.exe, 00000000.00000003.2056629971.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2506329671.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2507940545.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2546079977.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2546079977.0000000003B00000.00000040.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb; source: Salary_Receipt.exe, 00000000.00000003.2058303515.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, Salary_Receipt.exe, 00000000.00000003.2056629971.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2506329671.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2507940545.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2546079977.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2546079977.0000000003B00000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Salary_Receipt.exe; Code function: 0_2_006F4696 GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Salary_Receipt.exe; Code function: 0_2_006FC93C FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Salary_Receipt.exe; Code function: 0_2_006FC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf
Source: C:\Users\user\Desktop\Salary_Receipt.exe; Code function: 0_2_006FF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Salary_Receipt.exe; Code function: 0_2_006FF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Salary_Receipt.exe; Code function: 0_2_006FF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Salary_Receipt.exe; Code function: 0_2_006F3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Salary_Receipt.exe; Code function: 0_2_006F3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Salary_Receipt.exe; Code function: 0_2_006FBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Salary_Receipt.exe; Code function: 0_2_007025E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile
Source: C:\Users\user\Desktop\Salary_Receipt.exe; Code function: 0_2_0070425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\Salary_Receipt.exe; Code function: 0_2_00704458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\Salary_Receipt.exe; Code function: 0_2_006F0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState
Source: C:\Users\user\Desktop\Salary_Receipt.exe; Code function: 0_2_0071CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

E-Banking Fraud

Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000002.00000002.2545760387.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2546047689.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: C:\Users\user\Desktop\Salary_Receipt.exe; Code function: 0_2_00693B4C: This is a third-party compiled AutoIt script.
Source: Salary_Receipt.exe; String found in binary or memory: This is a third-party compiled AutoIt script.
Source: Salary_Receipt.exe, 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_fdbcc138-d)
Source: Salary_Receipt.exe, 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_2e61bbad-d)
Source: Salary_Receipt.exe; String found in binary or memory: This is a third-party compiled AutoIt script. (memstr_805aa1ec-b)
Source: Salary_Receipt.exe; String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer (memstr_6869cd47-9)
Source: initial sample; Static PE information: Filename: Salary_Receipt.exe
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_0042CD33 NtClose
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B74340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B74650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B72C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B73090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B73010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B73D10 NtOpenProcessToken
Source: C:\Windows\SysWOW64\svchost.exe; Code function: 2_2_03B73D70 NtOpenThread
Source: C:\Users\user\Desktop\Salary_Receipt.exe; Code function: 0_2_006F4021 CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\Salary_Receipt.exe; Code function: 0_2_006E8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\Salary_Receipt.exe; Code function: 0_2_006F545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03BAEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03B75130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03BBF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03B2B970 appears 280 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03B87E54 appears 109 times
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: String function: 00697F41 appears 35 times
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: String function: 006B0D27 appears 70 times
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: String function: 006B8B40 appears 42 times
Source: Salary_Receipt.exe, 00000000.00000003.2058759983.0000000003E6D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Salary_Receipt.exe
Source: Salary_Receipt.exe, 00000000.00000003.2057796086.0000000003C73000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Salary_Receipt.exe
Source: Salary_Receipt.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal84.troj.evad.winEXE@3/2@0/0
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006FA2D5 GetLastError,FormatMessageW | 0_2_006FA2D5
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006E8713 AdjustTokenPrivileges,CloseHandle | 0_2_006E8713
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006E8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError | 0_2_006E8CC3
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006FB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode | 0_2_006FB59E
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_0070F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle | 0_2_0070F121
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006FC602 CoInitialize,CoCreateInstance,CoUninitialize | 0_2_006FC602
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_00694FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource | 0_2_00694FE9
Source: C:\Users\user\Desktop\Salary_Receipt.exe | File created: C:\Users\user\AppData\Local\Temp\autD6DE.tmp
Source: Salary_Receipt.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Salary_Receipt.exe | ReversingLabs: Detection: 34%
Source: unknown | Process created: C:\Users\user\Desktop\Salary_Receipt.exe "C:\Users\user\Desktop\Salary_Receipt.exe"
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Salary_Receipt.exe"
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Salary_Receipt.exe"
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Section loaded: ntmarta.dll
Source: Salary_Receipt.exe | Static file information: File size 1368064 > 1048576
Source: Salary_Receipt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Salary_Receipt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Salary_Receipt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Salary_Receipt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Salary_Receipt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Salary_Receipt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: Salary_Receipt.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: Salary_Receipt.exe, 00000000.00000003.2058303515.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, Salary_Receipt.exe, 00000000.00000003.2056629971.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2506329671.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2507940545.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2546079977.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2546079977.0000000003B00000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Salary_Receipt.exe, 00000000.00000003.2058303515.0000000003D40000.00000004.00001000.00020000.00000000.sdmp, Salary_Receipt.exe, 00000000.00000003.2056629971.0000000003B50000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.2506329671.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2507940545.0000000003900000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2546079977.0000000003C9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2546079977.0000000003B00000.00000040.00001000.00020000.00000000.sdmp
Source: Salary_Receipt.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Salary_Receipt.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Salary_Receipt.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Salary_Receipt.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Salary_Receipt.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_0070C304 LoadLibraryA,GetProcAddress | 0_2_0070C304
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006B8B85 push ecx; ret | 0_2_006B8B98
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042D863 push edi; iretd | 2_2_0042D86C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004051C0 pushad ; ret | 2_2_004051CB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D48E push cs; ret | 2_2_0040D4BB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00424CB3 push edi; ret | 2_2_00424CD5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004164BD push ecx; ret | 2_2_004164DD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403570 push eax; ret | 2_2_00403572
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041AEB5 push cs; iretd | 2_2_0041AEBC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B309AD push ecx; mov dword ptr [esp], ecx | 2_2_03B309B6
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_00694A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput | 0_2_00694A35
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_007155FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed | 0_2_007155FD
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006B33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_006B33C7
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Salary_Receipt.exe | API/Special instruction interceptor: Address: 1243224
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B7096E rdtsc | 2_2_03B7096E
Source: C:\Users\user\Desktop\Salary_Receipt.exe | API coverage: 4.4 %
Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
Source: C:\Windows\SysWOW64\svchost.exe TID: 5772 | Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006F4696 GetFileAttributesW,FindFirstFileW,FindClose | 0_2_006F4696
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006FC93C FindFirstFileW,FindClose | 0_2_006FC93C
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006FC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_006FC9C7
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006FF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_006FF200
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006FF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_006FF35D
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006FF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_006FF65E
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006F3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_006F3A2B
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006F3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_006F3D4E
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006FBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_006FBF27
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_00694AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo | 0_2_00694AFE
Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B7096E rdtsc | 2_2_03B7096E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417ED3 LdrLoadDll | 2_2_00417ED3
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_007041FD BlockInput | 0_2_007041FD
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_00693B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW | 0_2_00693B4C
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006C5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer | 0_2_006C5CCC
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_0070C304 LoadLibraryA,GetProcAddress | 0_2_0070C304
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_01243490 mov eax, dword ptr fs:[00000030h] | 0_2_01243490
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_012434F0 mov eax, dword ptr fs:[00000030h] | 0_2_012434F0
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_01241E70 mov eax, dword ptr fs:[00000030h] | 0_2_01241E70
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h] | 2_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h] | 2_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B28397 mov eax, dword ptr fs:[00000030h] | 2_2_03B28397
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h] | 2_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h] | 2_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2E388 mov eax, dword ptr fs:[00000030h] | 2_2_03B2E388
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h] | 2_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B5438F mov eax, dword ptr fs:[00000030h] | 2_2_03B5438F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B4E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_03B4E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B663FF mov eax, dword ptr fs:[00000030h] | 2_2_03B663FF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B403E9 mov eax, dword ptr fs:[00000030h] | 2_2_03B403E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h] | 2_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h] | 2_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE3DB mov ecx, dword ptr fs:[00000030h] | 2_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE3DB mov eax, dword ptr fs:[00000030h] | 2_2_03BDE3DB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD43D4 mov eax, dword ptr fs:[00000030h] | 2_2_03BD43D4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD43D4 mov eax, dword ptr fs:[00000030h] | 2_2_03BD43D4
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEC3CD mov eax, dword ptr fs:[00000030h] | 2_2_03BEC3CD
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_03B3A3C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h] | 2_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h] | 2_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h] | 2_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B383C0 mov eax, dword ptr fs:[00000030h] | 2_2_03B383C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB63C0 mov eax, dword ptr fs:[00000030h] | 2_2_03BB63C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C0634F mov eax, dword ptr fs:[00000030h] | 2_2_03C0634F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2C310 mov ecx, dword ptr fs:[00000030h] | 2_2_03B2C310
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B50310 mov ecx, dword ptr fs:[00000030h] | 2_2_03B50310
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h] | 2_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h] | 2_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6A30B mov eax, dword ptr fs:[00000030h] | 2_2_03B6A30B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD437C mov eax, dword ptr fs:[00000030h] | 2_2_03BD437C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] | 2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] | 2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] | 2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov ecx, dword ptr fs:[00000030h] | 2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] | 2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB035C mov eax, dword ptr fs:[00000030h] | 2_2_03BB035C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BFA352 mov eax, dword ptr fs:[00000030h] | 2_2_03BFA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD8350 mov ecx, dword ptr fs:[00000030h] | 2_2_03BD8350
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB2349 mov eax, dword ptr fs:[00000030h] | 2_2_03BB2349
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402A0 mov eax, dword ptr fs:[00000030h] | 2_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402A0 mov eax, dword ptr fs:[00000030h] | 2_2_03B402A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C062D6 mov eax, dword ptr fs:[00000030h] | 2_2_03C062D6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] | 2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov ecx, dword ptr fs:[00000030h] | 2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] | 2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] | 2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] | 2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC62A0 mov eax, dword ptr fs:[00000030h] | 2_2_03BC62A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h] | 2_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B6E284 mov eax, dword ptr fs:[00000030h] | 2_2_03B6E284
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h] | 2_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h] | 2_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB0283 mov eax, dword ptr fs:[00000030h] | 2_2_03BB0283
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h] | 2_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h] | 2_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B402E1 mov eax, dword ptr fs:[00000030h] | 2_2_03B402E1
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B3A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_03B3A2C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2823B mov eax, dword ptr fs:[00000030h] | 2_2_03B2823B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BE0274 mov eax, dword ptr fs:[00000030h] | 2_2_03BE0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h] | 2_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h] | 2_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B34260 mov eax, dword ptr fs:[00000030h] | 2_2_03B34260
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2826B mov eax, dword ptr fs:[00000030h] | 2_2_03B2826B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A250 mov eax, dword ptr fs:[00000030h] | 2_2_03B2A250
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B36259 mov eax, dword ptr fs:[00000030h] | 2_2_03B36259
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEA250 mov eax, dword ptr fs:[00000030h] | 2_2_03BEA250
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEA250 mov eax, dword ptr fs:[00000030h] | 2_2_03BEA250
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB8243 mov eax, dword ptr fs:[00000030h] | 2_2_03BB8243
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB8243 mov ecx, dword ptr fs:[00000030h] | 2_2_03BB8243
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h] | 2_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h] | 2_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h] | 2_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BB019F mov eax, dword ptr fs:[00000030h] | 2_2_03BB019F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h] | 2_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h] | 2_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2A197 mov eax, dword ptr fs:[00000030h] | 2_2_03B2A197
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C061E5 mov eax, dword ptr fs:[00000030h] | 2_2_03C061E5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B70185 mov eax, dword ptr fs:[00000030h] | 2_2_03B70185
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h] | 2_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BEC188 mov eax, dword ptr fs:[00000030h] | 2_2_03BEC188
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD4180 mov eax, dword ptr fs:[00000030h] | 2_2_03BD4180
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BD4180 mov eax, dword ptr fs:[00000030h] | 2_2_03BD4180
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B601F8 mov eax, dword ptr fs:[00000030h] | 2_2_03B601F8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov ecx, dword ptr fs:[00000030h] | 2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BAE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_03BAE1D0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h] | 2_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF61C3 mov eax, dword ptr fs:[00000030h] | 2_2_03BF61C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B60124 mov eax, dword ptr fs:[00000030h] | 2_2_03B60124
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C04164 mov eax, dword ptr fs:[00000030h] | 2_2_03C04164
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03C04164 mov eax, dword ptr fs:[00000030h] | 2_2_03C04164
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDA118 mov ecx, dword ptr fs:[00000030h] | 2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h] | 2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h] | 2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDA118 mov eax, dword ptr fs:[00000030h] | 2_2_03BDA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BF0115 mov eax, dword ptr fs:[00000030h] | 2_2_03BF0115
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h] | 2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h] | 2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h] | 2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h] | 2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h] | 2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h] | 2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h] | 2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h] | 2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov eax, dword ptr fs:[00000030h] | 2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BDE10E mov ecx, dword ptr fs:[00000030h] | 2_2_03BDE10E
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B2C156 mov eax, dword ptr fs:[00000030h] | 2_2_03B2C156
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC8158 mov eax, dword ptr fs:[00000030h] | 2_2_03BC8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h] | 2_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03B36154 mov eax, dword ptr fs:[00000030h] | 2_2_03B36154
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h] | 2_2_03BC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]2_2_03BC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov ecx, dword ptr fs:[00000030h]2_2_03BC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]2_2_03BC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC4144 mov eax, dword ptr fs:[00000030h]2_2_03BC4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF60B8 mov eax, dword ptr fs:[00000030h]2_2_03BF60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF60B8 mov ecx, dword ptr fs:[00000030h]2_2_03BF60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B280A0 mov eax, dword ptr fs:[00000030h]2_2_03B280A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC80A8 mov eax, dword ptr fs:[00000030h]2_2_03BC80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3208A mov eax, dword ptr fs:[00000030h]2_2_03B3208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C0F0 mov eax, dword ptr fs:[00000030h]2_2_03B2C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B720F0 mov ecx, dword ptr fs:[00000030h]2_2_03B720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2A0E3 mov ecx, dword ptr fs:[00000030h]2_2_03B2A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B380E9 mov eax, dword ptr fs:[00000030h]2_2_03B380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB60E0 mov eax, dword ptr fs:[00000030h]2_2_03BB60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB20DE mov eax, dword ptr fs:[00000030h]2_2_03BB20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6030 mov eax, dword ptr fs:[00000030h]2_2_03BC6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2A020 mov eax, dword ptr fs:[00000030h]2_2_03B2A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C020 mov eax, dword ptr fs:[00000030h]2_2_03B2C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E016 mov eax, dword ptr fs:[00000030h]2_2_03B4E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB4000 mov ecx, dword ptr fs:[00000030h]2_2_03BB4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD2000 mov eax, dword ptr fs:[00000030h]2_2_03BD2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5C073 mov eax, dword ptr fs:[00000030h]2_2_03B5C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32050 mov eax, dword ptr fs:[00000030h]2_2_03B32050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6050 mov eax, dword ptr fs:[00000030h]2_2_03BB6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B307AF mov eax, dword ptr fs:[00000030h]2_2_03B307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE47A0 mov eax, dword ptr fs:[00000030h]2_2_03BE47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BD678E mov eax, dword ptr fs:[00000030h]2_2_03BD678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h]2_2_03B347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B347FB mov eax, dword ptr fs:[00000030h]2_2_03B347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]2_2_03B527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]2_2_03B527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B527ED mov eax, dword ptr fs:[00000030h]2_2_03B527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBE7E1 mov eax, dword ptr fs:[00000030h]2_2_03BBE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3C7C0 mov eax, dword ptr fs:[00000030h]2_2_03B3C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB07C3 mov eax, dword ptr fs:[00000030h]2_2_03BB07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h]2_2_03B6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6273C mov ecx, dword ptr fs:[00000030h]2_2_03B6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6273C mov eax, dword ptr fs:[00000030h]2_2_03B6273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAC730 mov eax, dword ptr fs:[00000030h]2_2_03BAC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h]2_2_03B6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C720 mov eax, dword ptr fs:[00000030h]2_2_03B6C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30710 mov eax, dword ptr fs:[00000030h]2_2_03B30710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B60710 mov eax, dword ptr fs:[00000030h]2_2_03B60710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C700 mov eax, dword ptr fs:[00000030h]2_2_03B6C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38770 mov eax, dword ptr fs:[00000030h]2_2_03B38770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40770 mov eax, dword ptr fs:[00000030h]2_2_03B40770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30750 mov eax, dword ptr fs:[00000030h]2_2_03B30750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBE75D mov eax, dword ptr fs:[00000030h]2_2_03BBE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h]2_2_03B72750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72750 mov eax, dword ptr fs:[00000030h]2_2_03B72750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB4755 mov eax, dword ptr fs:[00000030h]2_2_03BB4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6674D mov esi, dword ptr fs:[00000030h]2_2_03B6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h]2_2_03B6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6674D mov eax, dword ptr fs:[00000030h]2_2_03B6674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B666B0 mov eax, dword ptr fs:[00000030h]2_2_03B666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C6A6 mov eax, dword ptr fs:[00000030h]2_2_03B6C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h]2_2_03B34690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B34690 mov eax, dword ptr fs:[00000030h]2_2_03B34690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE6F2 mov eax, dword ptr fs:[00000030h]2_2_03BAE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h]2_2_03BB06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB06F1 mov eax, dword ptr fs:[00000030h]2_2_03BB06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A6C7 mov ebx, dword ptr fs:[00000030h]2_2_03B6A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A6C7 mov eax, dword ptr fs:[00000030h]2_2_03B6A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4E627 mov eax, dword ptr fs:[00000030h]2_2_03B4E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B66620 mov eax, dword ptr fs:[00000030h]2_2_03B66620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68620 mov eax, dword ptr fs:[00000030h]2_2_03B68620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B3262C mov eax, dword ptr fs:[00000030h]2_2_03B3262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B72619 mov eax, dword ptr fs:[00000030h]2_2_03B72619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAE609 mov eax, dword ptr fs:[00000030h]2_2_03BAE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4260B mov eax, dword ptr fs:[00000030h]2_2_03B4260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B62674 mov eax, dword ptr fs:[00000030h]2_2_03B62674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF866E mov eax, dword ptr fs:[00000030h]2_2_03BF866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF866E mov eax, dword ptr fs:[00000030h]2_2_03BF866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A660 mov eax, dword ptr fs:[00000030h]2_2_03B6A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A660 mov eax, dword ptr fs:[00000030h]2_2_03B6A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B4C640 mov eax, dword ptr fs:[00000030h]2_2_03B4C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B545B1 mov eax, dword ptr fs:[00000030h]2_2_03B545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B545B1 mov eax, dword ptr fs:[00000030h]2_2_03B545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]2_2_03BB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]2_2_03BB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB05A7 mov eax, dword ptr fs:[00000030h]2_2_03BB05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E59C mov eax, dword ptr fs:[00000030h]2_2_03B6E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32582 mov eax, dword ptr fs:[00000030h]2_2_03B32582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B32582 mov ecx, dword ptr fs:[00000030h]2_2_03B32582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B64588 mov eax, dword ptr fs:[00000030h]2_2_03B64588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E5E7 mov eax, dword ptr fs:[00000030h]2_2_03B5E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B325E0 mov eax, dword ptr fs:[00000030h]2_2_03B325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C5ED mov eax, dword ptr fs:[00000030h]2_2_03B6C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6C5ED mov eax, dword ptr fs:[00000030h]2_2_03B6C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B365D0 mov eax, dword ptr fs:[00000030h]2_2_03B365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03B6A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A5D0 mov eax, dword ptr fs:[00000030h]2_2_03B6A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E5CF mov eax, dword ptr fs:[00000030h]2_2_03B6E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E5CF mov eax, dword ptr fs:[00000030h]2_2_03B6E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40535 mov eax, dword ptr fs:[00000030h]2_2_03B40535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5E53E mov eax, dword ptr fs:[00000030h]2_2_03B5E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BC6500 mov eax, dword ptr fs:[00000030h]2_2_03BC6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04500 mov eax, dword ptr fs:[00000030h]2_2_03C04500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]2_2_03B6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]2_2_03B6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6656A mov eax, dword ptr fs:[00000030h]2_2_03B6656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38550 mov eax, dword ptr fs:[00000030h]2_2_03B38550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38550 mov eax, dword ptr fs:[00000030h]2_2_03B38550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B644B0 mov ecx, dword ptr fs:[00000030h]2_2_03B644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBA4B0 mov eax, dword ptr fs:[00000030h]2_2_03BBA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B364AB mov eax, dword ptr fs:[00000030h]2_2_03B364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEA49A mov eax, dword ptr fs:[00000030h]2_2_03BEA49A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B304E5 mov ecx, dword ptr fs:[00000030h]2_2_03B304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6A430 mov eax, dword ptr fs:[00000030h]2_2_03B6A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]2_2_03B2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]2_2_03B2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2E420 mov eax, dword ptr fs:[00000030h]2_2_03B2E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2C427 mov eax, dword ptr fs:[00000030h]2_2_03B2C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BB6420 mov eax, dword ptr fs:[00000030h]2_2_03BB6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]2_2_03B68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]2_2_03B68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B68402 mov eax, dword ptr fs:[00000030h]2_2_03B68402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]2_2_03B5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]2_2_03B5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5A470 mov eax, dword ptr fs:[00000030h]2_2_03B5A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBC460 mov ecx, dword ptr fs:[00000030h]2_2_03BBC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BEA456 mov eax, dword ptr fs:[00000030h]2_2_03BEA456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2645D mov eax, dword ptr fs:[00000030h]2_2_03B2645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5245A mov eax, dword ptr fs:[00000030h]2_2_03B5245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B6E443 mov eax, dword ptr fs:[00000030h]2_2_03B6E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40BBE mov eax, dword ptr fs:[00000030h]2_2_03B40BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B40BBE mov eax, dword ptr fs:[00000030h]2_2_03B40BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03BE4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BE4BB0 mov eax, dword ptr fs:[00000030h]2_2_03BE4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]2_2_03B38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]2_2_03B38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B38BF0 mov eax, dword ptr fs:[00000030h]2_2_03B38BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5EBFC mov eax, dword ptr fs:[00000030h]2_2_03B5EBFC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BBCBF0 mov eax, dword ptr fs:[00000030h]2_2_03BBCBF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDEBD0 mov eax, dword ptr fs:[00000030h]2_2_03BDEBD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]2_2_03B50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]2_2_03B50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B50BCB mov eax, dword ptr fs:[00000030h]2_2_03B50BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]2_2_03B30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]2_2_03B30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B30BCD mov eax, dword ptr fs:[00000030h]2_2_03B30BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5EB20 mov eax, dword ptr fs:[00000030h]2_2_03B5EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B5EB20 mov eax, dword ptr fs:[00000030h]2_2_03B5EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF8B28 mov eax, dword ptr fs:[00000030h]2_2_03BF8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BF8B28 mov eax, dword ptr fs:[00000030h]2_2_03BF8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]2_2_03C02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]2_2_03C02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]2_2_03C02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C02B57 mov eax, dword ptr fs:[00000030h]2_2_03C02B57
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BAEB1D mov eax, dword ptr fs:[00000030h]2_2_03BAEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03C04B00 mov eax, dword ptr fs:[00000030h]2_2_03C04B00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B2CB7E mov eax, dword ptr fs:[00000030h]2_2_03B2CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03B28B50 mov eax, dword ptr fs:[00000030h]2_2_03B28B50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03BDEB50 mov eax, dword ptr fs:[00000030h]2_2_03BDEB50
Source: C:\Windows\SysWOW64\svchost.exe, code functions that read fs:[00000030h] (in a 32-bit process this TEB slot holds the PEB pointer); one entry per function, with the number of such reads the report lists for it:
2_2_03BE4B4B mov eax, dword ptr fs:[00000030h] (2 reads)
2_2_03BC6B40 mov eax, dword ptr fs:[00000030h] (2 reads)
2_2_03BFAB40 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03BD8B42 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03B38AA0 mov eax, dword ptr fs:[00000030h] (2 reads)
2_2_03B86AA4 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03B68A90 mov edx, dword ptr fs:[00000030h] (1 read)
2_2_03B3EA80 mov eax, dword ptr fs:[00000030h] (9 reads)
2_2_03C04A80 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03B6AAEE mov eax, dword ptr fs:[00000030h] (2 reads)
2_2_03B30AD0 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03B64AD0 mov eax, dword ptr fs:[00000030h] (2 reads)
2_2_03B86ACC mov eax, dword ptr fs:[00000030h] (3 reads)
2_2_03B54A35 mov eax, dword ptr fs:[00000030h] (2 reads)
2_2_03B6CA38 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03B6CA24 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03B5EA2E mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03BBCA11 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03BACA72 mov eax, dword ptr fs:[00000030h] (2 reads)
2_2_03B6CA6F mov eax, dword ptr fs:[00000030h] (3 reads)
2_2_03BDEA60 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03B36A50 mov eax, dword ptr fs:[00000030h] (7 reads)
2_2_03B40A5B mov eax, dword ptr fs:[00000030h] (2 reads)
2_2_03BB89B3 mov esi, dword ptr fs:[00000030h] (1 read); mov eax, dword ptr fs:[00000030h] (2 reads)
2_2_03B429A0 mov eax, dword ptr fs:[00000030h] (13 reads)
2_2_03B309AD mov eax, dword ptr fs:[00000030h] (2 reads)
2_2_03B629F9 mov eax, dword ptr fs:[00000030h] (2 reads)
2_2_03BBE9E0 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03B3A9D0 mov eax, dword ptr fs:[00000030h] (6 reads)
2_2_03B649D0 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03BFA9D3 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03BC69C0 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03C04940 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03BB892A mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03BC892B mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03BBC912 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03B28918 mov eax, dword ptr fs:[00000030h] (2 reads)
2_2_03BAE908 mov eax, dword ptr fs:[00000030h] (2 reads)
2_2_03BD4978 mov eax, dword ptr fs:[00000030h] (2 reads)
2_2_03BBC97C mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03B56962 mov eax, dword ptr fs:[00000030h] (3 reads)
2_2_03B7096E mov eax, dword ptr fs:[00000030h] (2 reads); mov edx, dword ptr fs:[00000030h] (1 read)
2_2_03BB0946 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03C008C0 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03BBC89D mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03B30887 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03B6C8F9 mov eax, dword ptr fs:[00000030h] (2 reads)
2_2_03BFA8E4 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03B5E8C0 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03B52835 mov eax, dword ptr fs:[00000030h] (5 reads); mov ecx, dword ptr fs:[00000030h] (1 read)
2_2_03B6A830 mov eax, dword ptr fs:[00000030h] (1 read)
2_2_03BD483A mov eax, dword ptr fs:[00000030h] (2 reads)
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006E81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006BA364 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006BA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter

          HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Salary_Receipt.exe | Section loaded: NULL, target: C:\Windows\SysWOW64\svchost.exe, protection: execute and read and write
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Memory written: C:\Windows\SysWOW64\svchost.exe, base: 312C008
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006E8C93 LogonUserW
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_00693B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_00694A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006F4EF5 mouse_event
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Salary_Receipt.exe"
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006E81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006F4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: Salary_Receipt.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: Salary_Receipt.exe | Binary or memory string: Shell_TrayWnd
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006B886B cpuid
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006C50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006D2230 GetUserNameW
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_006C418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_00694AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
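The three entries above that matter most for detection are the section mapped into svchost.exe with execute-read-write protection, the write into svchost.exe memory at base 312C008, and svchost.exe being started by the dropper with the dropper's own command line rather than the usual "-k <group>" service invocation. The Python below is an added example, not part of the Joe Sandbox report, that runs exactly that logic over constructed Sysmon-style records modelled on those entries; the record layout, the field names and the benign comparison record are assumptions.

```python
"""Added example: flag a masqueraded svchost.exe start plus a foreign RWX mapping.

The records are constructed to mirror the report's entries; they are not sandbox
output, and the field layout (loosely Sysmon process-create / remote-memory
events) is an assumption.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass(frozen=True)
class ProcessCreate:
    image: str
    command_line: str
    parent_image: str


@dataclass(frozen=True)
class RemoteMemoryMap:
    source_image: str
    target_image: str
    protection: str  # e.g. "execute and read and write"


def svchost_anomalies(ev: ProcessCreate) -> List[str]:
    """Reasons this svchost.exe start looks hollowed or masqueraded.

    A genuine service host lives in System32/SysWOW64, is started by
    services.exe and carries '-k <group>' on its command line. An empty list
    means the start looks normal; non-svchost images are never flagged here.
    Note the report's svchost.exe sits at a legitimate path, so the path check
    alone would clear it; the parent and command line are what give it away.
    """
    image = ev.image.lower()
    if not image.endswith("\\svchost.exe"):
        return []
    reasons = []
    if not image.startswith(SYSTEM_DIRS):
        reasons.append("image outside System32/SysWOW64")
    if not ev.parent_image.lower().endswith("\\services.exe"):
        reasons.append("parent is not services.exe")
    cmd = ev.command_line.lower()
    if not re.search(r"\s-k\s+\S", cmd):
        reasons.append("no -k <service group> argument")
    if "svchost.exe" not in cmd:
        reasons.append("command line names a different image")
    return reasons


def is_foreign_rwx_map(ev: RemoteMemoryMap) -> bool:
    """True when a process maps a section that is both writable and executable
    into a different process (the 'execute and read and write' entry above)."""
    prot = ev.protection.lower()
    return (ev.source_image.lower() != ev.target_image.lower()
            and "execute" in prot and "write" in prot)


def triage(procs: List[ProcessCreate],
           maps: List[RemoteMemoryMap]) -> List[Tuple[str, str, List[str]]]:
    """(image, severity, reasons) for each anomalous svchost start; severity is
    'high' when the same image is also the target of a foreign RWX mapping."""
    rwx_targets = {m.target_image.lower() for m in maps if is_foreign_rwx_map(m)}
    findings = []
    for p in procs:
        reasons = svchost_anomalies(p)
        if reasons:
            sev = "high" if p.image.lower() in rwx_targets else "medium"
            findings.append((p.image, sev, reasons))
    return findings


# Constructed records modelled on the report's entries (not sandbox output).
DROPPER = r"C:\Users\user\Desktop\Salary_Receipt.exe"
SAMPLE_PROCS = [
    ProcessCreate(r"C:\Windows\SysWOW64\svchost.exe", f'"{DROPPER}"', DROPPER),
    ProcessCreate(r"C:\Windows\System32\svchost.exe",
                  r"C:\Windows\System32\svchost.exe -k netsvcs -p",
                  r"C:\Windows\System32\services.exe"),  # assumed benign start
]
SAMPLE_MAPS = [
    RemoteMemoryMap(DROPPER, r"C:\Windows\SysWOW64\svchost.exe",
                    "execute and read and write"),
]

if __name__ == "__main__":
    for image, sev, reasons in triage(SAMPLE_PROCS, SAMPLE_MAPS):
        print(f"[{sev}] {image}: " + "; ".join(reasons))
```

Run on the constructed records, the report-like start of svchost.exe is reported with severity high (three reasons: wrong parent, no -k argument, command line naming another image) while the services.exe-launched svchost.exe with "-k netsvcs -p" produces no finding.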

          Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2545760387.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2546047689.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Salary_Receipt.exe | Binary or memory string: WIN_81
Source: Salary_Receipt.exe | Binary or memory string: WIN_XP
Source: Salary_Receipt.exe | Binary or memory string: WIN_XPe
Source: Salary_Receipt.exe | Binary or memory string: WIN_VISTA
Source: Salary_Receipt.exe | Binary or memory string: WIN_7
Source: Salary_Receipt.exe | Binary or memory string: WIN_8
Source: Salary_Receipt.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

          Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000002.00000002.2545760387.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2546047689.0000000003950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_00706596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\Salary_Receipt.exe | Code function: 0_2_00706A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK matrix. Only the techniques the report maps signatures to are listed, grouped by tactic; the numeric badge the report shows beside each mapped technique is reproduced as printed. The unflagged placeholder cells of the full matrix are omitted.

Reconnaissance: no mapped techniques
Resource Development: no mapped techniques
Initial Access: 2 Valid Accounts
Execution: 1 Native API
Persistence: 2 Valid Accounts; 1 DLL Side-Loading
Privilege Escalation: 2 Valid Accounts; 1 Exploitation for Privilege Escalation; 21 Access Token Manipulation; 212 Process Injection; 1 DLL Side-Loading
Defense Evasion: 2 Valid Accounts; 1 Disable or Modify Tools; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 212 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 1 DLL Side-Loading
Credential Access: 21 Input Capture
Discovery: 2 System Time Discovery; 15 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 1 Application Window Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 115 System Information Discovery
Lateral Movement: no mapped techniques
Collection: 21 Input Capture; 1 Archive Collected Data; 3 Clipboard Data
Command and Control: 1 Encrypted Channel; 1 Ingress Tool Transfer
Exfiltration: no mapped techniques
Impact: 1 System Shutdown/Reboot
Source | Detection | Scanner | Label | Link
Salary_Receipt.exe | 34% | ReversingLabs | |
Salary_Receipt.exe | 100% | Joe Sandbox ML | |
No Antivirus matches (the report's remaining four scan tables are all empty)
No contacted domains info
No contacted IP infos
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1561148
Start date and time: 2024-11-22 20:21:44 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 10s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Salary_Receipt.exe
Detection: MAL
Classification: mal84.troj.evad.winEXE@3/2@0/0
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 47
• Number of non-executed functions: 276
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size exceeded maximum capacity and may have missing disassembly code.
• VT rate limit hit for: Salary_Receipt.exe
Time | Type | Description
14:23:23 | API Interceptor | 3x Sleep call for process: svchost.exe modified
No context (the report's five context tables are all empty)
Dropped files: the report lists two, both written by C:\Users\user\Desktop\Salary_Receipt.exe and both with identical content, size and hashes, so the attributes are given once.
Process: C:\Users\user\Desktop\Salary_Receipt.exe
File Type: data
Category: dropped
Size (bytes): 289792
Entropy (8bit): 7.9910645089588295
Encrypted: true
SSDEEP: 6144:KEkcGHBeDQAT5VxfLDVf+MS+Lf+7tvCm4:KEohejvvZHDbOtvCr
MD5: 408A5EC1F110188E8E21593DD50900A6
SHA1: B0C4D492BA2DF8DB21535294E8A2A231847F0B8B
SHA-256: 9DF8C4DC27FCA123110DCD510C14F03058632CB2A761C3028436B8016D8A50B2
SHA-512: 94A20041DBA945DB7FC179C0BF2B4498E10CFE0645946E7A0788727D209EA4D35485534FBFCD891B1B79842ED85E4638D8A5A966F02121960A11D6B8F57E2D6C
Malicious: false
Reputation: low
Preview: x..34DQCB55R..7D.CF55RQ3wDQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF5.RQ39[.MF.<.p.6..b.]\!qCE+61'X.10]Y+%c$P. $].-?c.zfr<\S!.NK?.RQ37DQC?4<.lSP.l#!..26.-...|UR.K...m#!./....$6..\V:lSP.QCF55RQ3g.QC.44R.(].QCF55RQ3.DSBM4>RQi3DQCF55RQ3.PQCF%5RQC3DQC.55BQ37FQC@55RQ37DWCF55RQ374UCF75RQ37DSC..5RA37TQCF5%RQ#7DQCF5%RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55R.GR<%CF5A.U37TQCFo1RQ#7DQCF55RQ37DQCf552Q37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF5
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.2006815532797
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: Salary_Receipt.exe
File size: 1'368'064 bytes
MD5: 08a71f36822c8207f16013ed296ff269
SHA1: 4b7bcd2c3246f98be32330a20892a28e998e4b19
SHA256: 003b578a15479fac58ada62d5bb903102d3d3113f530ce3c51cd10c28f479868
SHA512: 9afed6b147a13a83899a1f039de34fa26579bf3aff112e1bae9dc36c024542e6ce7c2556ff178cd9e8e885a30c8952888f0860e776a8201f927b4e06f8c1f678
SSDEEP: 24576:1AHnh+eWsN3skA4RV1Hom2KXMmHaO6GGVDL/8CMbyHa9AoodgPWo5:kh+ZkldoPK8YaO6GGx/tMbyzgPp
TLSH: 7F55CF82B3D18031FFAA92735B66BB25567F7D699433851F12883C74BDB11B2123E623
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
Icon Hash: 3121090929212160
Entrypoint: 0x42800a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x674039F2 [Fri Nov 22 07:59:46 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: afcdf79be1557326c854b6e20cb900a7
          Instruction
          call 00007F3610B9C94Dh
          jmp 00007F3610B8F704h
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          push edi
          push esi
          mov esi, dword ptr [esp+10h]
          mov ecx, dword ptr [esp+14h]
          mov edi, dword ptr [esp+0Ch]
          mov eax, ecx
          mov edx, ecx
          add eax, esi
          cmp edi, esi
          jbe 00007F3610B8F88Ah
          cmp edi, eax
          jc 00007F3610B8FBEEh
          bt dword ptr [004C41FCh], 01h
          jnc 00007F3610B8F889h
          rep movsb
          jmp 00007F3610B8FB9Ch
          cmp ecx, 00000080h
          jc 00007F3610B8FA54h
          mov eax, edi
          xor eax, esi
          test eax, 0000000Fh
          jne 00007F3610B8F890h
          bt dword ptr [004BF324h], 01h
          jc 00007F3610B8FD60h
          bt dword ptr [004C41FCh], 00000000h
          jnc 00007F3610B8FA2Dh
          test edi, 00000003h
          jne 00007F3610B8FA3Eh
          test esi, 00000003h
          jne 00007F3610B8FA1Dh
          bt edi, 02h
          jnc 00007F3610B8F88Fh
          mov eax, dword ptr [esi]
          sub ecx, 04h
          lea esi, dword ptr [esi+04h]
          mov dword ptr [edi], eax
          lea edi, dword ptr [edi+04h]
          bt edi, 03h
          jnc 00007F3610B8F893h
          movq xmm1, qword ptr [esi]
          sub ecx, 08h
          lea esi, dword ptr [esi+08h]
          movq qword ptr [edi], xmm1
          lea edi, dword ptr [edi+08h]
          test esi, 00000007h
          je 00007F3610B8F8E5h
          bt esi, 03h
          Programming Language:
          • [ASM] VS2013 build 21005
          • [ C ] VS2013 build 21005
          • [C++] VS2013 build 21005
          • [ C ] VS2008 SP1 build 30729
          • [IMP] VS2008 SP1 build 30729
          • [ASM] VS2013 UPD5 build 40629
          • [RES] VS2013 build 21005
          • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x8397c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x14c000 | 0x7134 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc | 0xc8000 | 0x8397c | 0x83a00 | 9719e0473e6d737b733d73d3d1018f23 | False | 0.865052602682811 | data | 7.657639937806841 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0x14c000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
          RT_ICON | 0xc8548 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
          RT_ICON | 0xc8670 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
          RT_ICON | 0xc8798 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
          RT_ICON | 0xc88c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 5905 x 5905 px/m | English | Great Britain | 0.47606382978723405
          RT_ICON | 0xc8d28 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 5905 x 5905 px/m | English | Great Britain | 0.4120544090056285
          RT_ICON | 0xc9dd0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 5905 x 5905 px/m | English | Great Britain | 0.37572614107883817
          RT_ICON | 0xcc378 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 5905 x 5905 px/m | English | Great Britain | 0.36254133207368916
          RT_ICON | 0xd05a0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 5905 x 5905 px/m | English | Great Britain | 0.339701880988998
          RT_ICON | 0xe0dc8 | 0x16c88 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | Great Britain | 0.998692670381483
          RT_MENU | 0xf7a50 | 0x50 | data | English | Great Britain | 0.9
          RT_STRING | 0xf7aa0 | 0x594 | data | English | Great Britain | 0.3333333333333333
          RT_STRING | 0xf8034 | 0x68a | data | English | Great Britain | 0.2747909199522103
          RT_STRING | 0xf86c0 | 0x490 | data | English | Great Britain | 0.3715753424657534
          RT_STRING | 0xf8b50 | 0x5fc | data | English | Great Britain | 0.3087467362924282
          RT_STRING | 0xf914c | 0x65c | data | English | Great Britain | 0.34336609336609336
          RT_STRING | 0xf97a8 | 0x466 | data | English | Great Britain | 0.3605683836589698
          RT_STRING | 0xf9c10 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
          RT_RCDATA | 0xf9d68 | 0x516af | data | | | 1.0003328465577368
          RT_GROUP_ICON | 0x14b418 | 0x5a | data | English | Great Britain | 0.7888888888888889
          RT_GROUP_ICON | 0x14b474 | 0x14 | data | English | Great Britain | 1.25
          RT_GROUP_ICON | 0x14b488 | 0x14 | data | English | Great Britain | 1.15
          RT_GROUP_ICON | 0x14b49c | 0x14 | data | English | Great Britain | 1.25
          RT_VERSION | 0x14b4b0 | 0xdc | data | English | Great Britain | 0.6181818181818182
          RT_MANIFEST | 0x14b58c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
          DLL | Import
          WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
          VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
          WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
          COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
          MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
          WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
          PSAPI.DLL | GetProcessMemoryInfo
          IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
          USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
          UxTheme.dll | IsThemeActive
          KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
          USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
          GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
          COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
          ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
          SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
          ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
          OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
          Language of compilation system | Country where language is spoken | Map
          English | Great Britain |
          No network behavior found


          Target ID:0
          Start time:14:22:35
          Start date:22/11/2024
          Path:C:\Users\user\Desktop\Salary_Receipt.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\Salary_Receipt.exe"
          Imagebase:0x690000
          File size:1'368'064 bytes
          MD5 hash:08A71F36822C8207F16013ED296FF269
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:2
          Start time:14:22:36
          Start date:22/11/2024
          Path:C:\Windows\SysWOW64\svchost.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\Salary_Receipt.exe"
          Imagebase:0x740000
          File size:46'504 bytes
          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2545760387.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2546047689.0000000003950000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          Reputation:high
          Has exited:true


            Execution Graph

            Execution Coverage:3.4%
            Dynamic/Decrypted Code Coverage:0.9%
            Signature Coverage:7.5%
            Total number of Nodes:1990
            Total number of Limit Nodes:170
            execution_graph 97683 69107d 97688 6971eb 97683->97688 97685 69108c 97719 6b2f80 97685->97719 97689 6971fb __ftell_nolock 97688->97689 97722 6977c7 97689->97722 97693 6972ba 97734 6b074f 97693->97734 97700 6977c7 59 API calls 97701 6972eb 97700->97701 97753 697eec 97701->97753 97703 6972f4 RegOpenKeyExW 97704 6cecda RegQueryValueExW 97703->97704 97705 697316 Mailbox 97703->97705 97706 6ced6c RegCloseKey 97704->97706 97707 6cecf7 97704->97707 97705->97685 97706->97705 97718 6ced7e _wcscat Mailbox __wsetenvp 97706->97718 97757 6b0ff6 97707->97757 97709 6ced10 97767 69538e 97709->97767 97710 697b52 59 API calls 97710->97718 97713 6ced38 97770 697d2c 97713->97770 97715 6ced52 97715->97706 97717 693f84 59 API calls 97717->97718 97718->97705 97718->97710 97718->97717 97779 697f41 97718->97779 97844 6b2e84 97719->97844 97721 691096 97723 6b0ff6 Mailbox 59 API calls 97722->97723 97724 6977e8 97723->97724 97725 6b0ff6 Mailbox 59 API calls 97724->97725 97726 6972b1 97725->97726 97727 694864 97726->97727 97783 6c1b90 97727->97783 97730 697f41 59 API calls 97731 694897 97730->97731 97785 6948ae 97731->97785 97733 6948a1 Mailbox 97733->97693 97735 6c1b90 __ftell_nolock 97734->97735 97736 6b075c GetFullPathNameW 97735->97736 97737 6b077e 97736->97737 97738 697d2c 59 API calls 97737->97738 97739 6972c5 97738->97739 97740 697e0b 97739->97740 97741 697e1f 97740->97741 97742 6cf173 97740->97742 97807 697db0 97741->97807 97812 698189 97742->97812 97745 6972d3 97747 693f84 97745->97747 97746 6cf17e __wsetenvp _memmove 97748 693f92 97747->97748 97752 693fb4 _memmove 97747->97752 97750 6b0ff6 Mailbox 59 API calls 97748->97750 97749 6b0ff6 Mailbox 59 API calls 97751 693fc8 97749->97751 97750->97752 97751->97700 97752->97749 97754 697ef9 97753->97754 97755 697f06 97753->97755 97754->97703 97756 6b0ff6 Mailbox 59 API calls 97755->97756 97756->97754 97760 6b0ffe 97757->97760 97759 6b1018 97759->97709 97760->97759 97762 6b101c std::exception::exception 97760->97762 97815 6b594c 
97760->97815 97832 6b35e1 DecodePointer 97760->97832 97833 6b87db RaiseException 97762->97833 97764 6b1046 97834 6b8711 58 API calls _free 97764->97834 97766 6b1058 97766->97709 97768 6b0ff6 Mailbox 59 API calls 97767->97768 97769 6953a0 RegQueryValueExW 97768->97769 97769->97713 97769->97715 97771 697d38 __wsetenvp 97770->97771 97772 697da5 97770->97772 97774 697d4e 97771->97774 97775 697d73 97771->97775 97773 697e8c 59 API calls 97772->97773 97778 697d56 _memmove 97773->97778 97843 698087 59 API calls Mailbox 97774->97843 97776 698189 59 API calls 97775->97776 97776->97778 97778->97715 97780 697f50 __wsetenvp _memmove 97779->97780 97781 6b0ff6 Mailbox 59 API calls 97780->97781 97782 697f8e 97781->97782 97782->97718 97784 694871 GetModuleFileNameW 97783->97784 97784->97730 97786 6c1b90 __ftell_nolock 97785->97786 97787 6948bb GetFullPathNameW 97786->97787 97788 6948da 97787->97788 97789 6948f7 97787->97789 97790 697d2c 59 API calls 97788->97790 97791 697eec 59 API calls 97789->97791 97792 6948e6 97790->97792 97791->97792 97795 697886 97792->97795 97796 697894 97795->97796 97799 697e8c 97796->97799 97798 6948f2 97798->97733 97800 697e9a 97799->97800 97801 697ea3 _memmove 97799->97801 97800->97801 97803 697faf 97800->97803 97801->97798 97804 697fc2 97803->97804 97806 697fbf _memmove 97803->97806 97805 6b0ff6 Mailbox 59 API calls 97804->97805 97805->97806 97806->97801 97808 697dbf __wsetenvp 97807->97808 97809 698189 59 API calls 97808->97809 97810 697dd0 _memmove 97808->97810 97811 6cf130 _memmove 97809->97811 97810->97745 97813 6b0ff6 Mailbox 59 API calls 97812->97813 97814 698193 97813->97814 97814->97746 97816 6b59c7 97815->97816 97821 6b5958 97815->97821 97841 6b35e1 DecodePointer 97816->97841 97818 6b5963 97818->97821 97835 6ba3ab 58 API calls __NMSG_WRITE 97818->97835 97836 6ba408 58 API calls 7 library calls 97818->97836 97837 6b32df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 97818->97837 97819 6b59cd 97842 6b8d68 58 API calls 
__getptd_noexit 97819->97842 97821->97818 97823 6b598b RtlAllocateHeap 97821->97823 97826 6b59b3 97821->97826 97830 6b59b1 97821->97830 97838 6b35e1 DecodePointer 97821->97838 97823->97821 97824 6b59bf 97823->97824 97824->97760 97839 6b8d68 58 API calls __getptd_noexit 97826->97839 97840 6b8d68 58 API calls __getptd_noexit 97830->97840 97832->97760 97833->97764 97834->97766 97835->97818 97836->97818 97838->97821 97839->97830 97840->97824 97841->97819 97842->97824 97843->97778 97845 6b2e90 __alloc_osfhnd 97844->97845 97852 6b3457 97845->97852 97851 6b2eb7 __alloc_osfhnd 97851->97721 97869 6b9e4b 97852->97869 97854 6b2e99 97855 6b2ec8 DecodePointer DecodePointer 97854->97855 97856 6b2ea5 97855->97856 97857 6b2ef5 97855->97857 97866 6b2ec2 97856->97866 97857->97856 97915 6b89e4 59 API calls __filbuf 97857->97915 97859 6b2f58 EncodePointer EncodePointer 97859->97856 97860 6b2f07 97860->97859 97863 6b2f2c 97860->97863 97916 6b8aa4 61 API calls 2 library calls 97860->97916 97863->97856 97865 6b2f46 EncodePointer 97863->97865 97917 6b8aa4 61 API calls 2 library calls 97863->97917 97864 6b2f40 97864->97856 97864->97865 97865->97859 97918 6b3460 97866->97918 97870 6b9e6f EnterCriticalSection 97869->97870 97871 6b9e5c 97869->97871 97870->97854 97876 6b9ed3 97871->97876 97873 6b9e62 97873->97870 97900 6b32f5 58 API calls 3 library calls 97873->97900 97877 6b9edf __alloc_osfhnd 97876->97877 97878 6b9ee8 97877->97878 97879 6b9f00 97877->97879 97901 6ba3ab 58 API calls __NMSG_WRITE 97878->97901 97887 6b9f21 __alloc_osfhnd 97879->97887 97904 6b8a5d 58 API calls __malloc_crt 97879->97904 97882 6b9eed 97902 6ba408 58 API calls 7 library calls 97882->97902 97883 6b9f15 97885 6b9f2b 97883->97885 97886 6b9f1c 97883->97886 97890 6b9e4b __lock 58 API calls 97885->97890 97905 6b8d68 58 API calls __getptd_noexit 97886->97905 97887->97873 97888 6b9ef4 97903 6b32df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 97888->97903 97893 6b9f32 97890->97893 97894 6b9f3f 
97893->97894 97895 6b9f57 97893->97895 97906 6ba06b InitializeCriticalSectionAndSpinCount 97894->97906 97907 6b2f95 97895->97907 97898 6b9f4b 97913 6b9f73 LeaveCriticalSection _doexit 97898->97913 97901->97882 97902->97888 97904->97883 97905->97887 97906->97898 97908 6b2fc7 _free 97907->97908 97909 6b2f9e RtlFreeHeap 97907->97909 97908->97898 97909->97908 97910 6b2fb3 97909->97910 97914 6b8d68 58 API calls __getptd_noexit 97910->97914 97912 6b2fb9 GetLastError 97912->97908 97913->97887 97914->97912 97915->97860 97916->97863 97917->97864 97921 6b9fb5 LeaveCriticalSection 97918->97921 97920 6b2ec7 97920->97851 97921->97920 97922 12423b0 97936 1240000 97922->97936 97924 124245f 97939 12422a0 97924->97939 97926 1242488 CreateFileW 97928 12424d7 97926->97928 97929 12424dc 97926->97929 97929->97928 97930 12424f3 VirtualAlloc 97929->97930 97930->97928 97931 1242511 ReadFile 97930->97931 97931->97928 97932 124252c 97931->97932 97933 12412a0 13 API calls 97932->97933 97934 124255f 97933->97934 97935 1242582 ExitProcess 97934->97935 97935->97928 97942 1243490 GetPEB 97936->97942 97938 124068b 97938->97924 97940 12422a9 Sleep 97939->97940 97941 12422b7 97940->97941 97943 12434ba 97942->97943 97943->97938 97944 6d4599 97948 6e655c 97944->97948 97946 6d45a4 97947 6e655c 85 API calls 97946->97947 97947->97946 97949 6e6596 97948->97949 97954 6e6569 97948->97954 97949->97946 97950 6e6598 97987 699488 84 API calls Mailbox 97950->97987 97952 6e659d 97959 699997 97952->97959 97954->97949 97954->97950 97954->97952 97957 6e6590 97954->97957 97986 699700 59 API calls _wcsstr 97957->97986 97960 6999b1 97959->97960 97972 6999ab 97959->97972 97961 6cf9fc __i64tow 97960->97961 97962 6999f9 97960->97962 97963 6999b7 __itow 97960->97963 97968 6cf903 97960->97968 97988 6b38d8 83 API calls 3 library calls 97962->97988 97965 6b0ff6 Mailbox 59 API calls 97963->97965 97969 6999d1 97965->97969 97967 6cf97b Mailbox _wcscpy 97989 6b38d8 83 API calls 3 library calls 97967->97989 97968->97967 97970 
6b0ff6 Mailbox 59 API calls 97968->97970 97971 697f41 59 API calls 97969->97971 97969->97972 97973 6cf948 97970->97973 97971->97972 97977 697c8e 97972->97977 97974 6b0ff6 Mailbox 59 API calls 97973->97974 97975 6cf96e 97974->97975 97975->97967 97976 697f41 59 API calls 97975->97976 97976->97967 97978 6cf094 97977->97978 97979 697ca0 97977->97979 97996 6e8123 59 API calls _memmove 97978->97996 97990 697bb1 97979->97990 97982 697cac 97982->97949 97983 6cf09e 97997 6981a7 97983->97997 97985 6cf0a6 Mailbox 97986->97949 97987->97952 97988->97963 97989->97961 97991 697bbf 97990->97991 97992 697be5 _memmove 97990->97992 97991->97992 97993 6b0ff6 Mailbox 59 API calls 97991->97993 97992->97982 97994 697c34 97993->97994 97995 6b0ff6 Mailbox 59 API calls 97994->97995 97995->97992 97996->97983 97998 6981ba 97997->97998 97999 6981b2 97997->97999 97998->97985 98001 6980d7 59 API calls 2 library calls 97999->98001 98001->97998 98002 6b7e93 98003 6b7e9f __alloc_osfhnd 98002->98003 98039 6ba048 GetStartupInfoW 98003->98039 98005 6b7ea4 98041 6b8dbc GetProcessHeap 98005->98041 98007 6b7efc 98008 6b7f07 98007->98008 98124 6b7fe3 58 API calls 3 library calls 98007->98124 98042 6b9d26 98008->98042 98011 6b7f0d 98012 6b7f18 __RTC_Initialize 98011->98012 98125 6b7fe3 58 API calls 3 library calls 98011->98125 98063 6bd812 98012->98063 98015 6b7f27 98016 6b7f33 GetCommandLineW 98015->98016 98126 6b7fe3 58 API calls 3 library calls 98015->98126 98082 6c5173 GetEnvironmentStringsW 98016->98082 98019 6b7f32 98019->98016 98022 6b7f4d 98023 6b7f58 98022->98023 98127 6b32f5 58 API calls 3 library calls 98022->98127 98092 6c4fa8 98023->98092 98026 6b7f5e 98027 6b7f69 98026->98027 98128 6b32f5 58 API calls 3 library calls 98026->98128 98106 6b332f 98027->98106 98030 6b7f71 98032 6b7f7c __wwincmdln 98030->98032 98129 6b32f5 58 API calls 3 library calls 98030->98129 98112 69492e 98032->98112 98034 6b7f90 98035 6b7f9f 98034->98035 98130 6b3598 58 API calls _doexit 98034->98130 98131 6b3320 58 API 
calls _doexit 98035->98131 98038 6b7fa4 __alloc_osfhnd 98040 6ba05e 98039->98040 98040->98005 98041->98007 98132 6b33c7 36 API calls 2 library calls 98042->98132 98044 6b9d2b 98133 6b9f7c InitializeCriticalSectionAndSpinCount __alloc_osfhnd 98044->98133 98046 6b9d30 98047 6b9d34 98046->98047 98135 6b9fca TlsAlloc 98046->98135 98134 6b9d9c 61 API calls 2 library calls 98047->98134 98050 6b9d39 98050->98011 98051 6b9d46 98051->98047 98052 6b9d51 98051->98052 98136 6b8a15 98052->98136 98055 6b9d93 98144 6b9d9c 61 API calls 2 library calls 98055->98144 98058 6b9d72 98058->98055 98060 6b9d78 98058->98060 98059 6b9d98 98059->98011 98143 6b9c73 58 API calls 4 library calls 98060->98143 98062 6b9d80 GetCurrentThreadId 98062->98011 98064 6bd81e __alloc_osfhnd 98063->98064 98065 6b9e4b __lock 58 API calls 98064->98065 98066 6bd825 98065->98066 98067 6b8a15 __calloc_crt 58 API calls 98066->98067 98068 6bd836 98067->98068 98069 6bd841 __alloc_osfhnd @_EH4_CallFilterFunc@8 98068->98069 98070 6bd8a1 GetStartupInfoW 98068->98070 98069->98015 98076 6bd8b6 98070->98076 98077 6bd9e5 98070->98077 98071 6bdaad 98158 6bdabd LeaveCriticalSection _doexit 98071->98158 98073 6b8a15 __calloc_crt 58 API calls 98073->98076 98074 6bda32 GetStdHandle 98074->98077 98075 6bda45 GetFileType 98075->98077 98076->98073 98076->98077 98079 6bd904 98076->98079 98077->98071 98077->98074 98077->98075 98157 6ba06b InitializeCriticalSectionAndSpinCount 98077->98157 98078 6bd938 GetFileType 98078->98079 98079->98077 98079->98078 98156 6ba06b InitializeCriticalSectionAndSpinCount 98079->98156 98083 6b7f43 98082->98083 98084 6c5184 98082->98084 98088 6c4d6b GetModuleFileNameW 98083->98088 98159 6b8a5d 58 API calls __malloc_crt 98084->98159 98086 6c51aa _memmove 98087 6c51c0 FreeEnvironmentStringsW 98086->98087 98087->98083 98089 6c4d9f _wparse_cmdline 98088->98089 98091 6c4ddf _wparse_cmdline 98089->98091 98160 6b8a5d 58 API calls __malloc_crt 98089->98160 98091->98022 98093 6c4fb9 98092->98093 98094 6c4fc1 
__wsetenvp 98092->98094 98093->98026 98095 6b8a15 __calloc_crt 58 API calls 98094->98095 98098 6c4fea __wsetenvp 98095->98098 98096 6c5041 98097 6b2f95 _free 58 API calls 98096->98097 98097->98093 98098->98093 98098->98096 98099 6b8a15 __calloc_crt 58 API calls 98098->98099 98100 6c5066 98098->98100 98103 6c507d 98098->98103 98161 6c4857 58 API calls __filbuf 98098->98161 98099->98098 98102 6b2f95 _free 58 API calls 98100->98102 98102->98093 98162 6b9006 IsProcessorFeaturePresent 98103->98162 98105 6c5089 98105->98026 98107 6b333b __IsNonwritableInCurrentImage 98106->98107 98185 6ba711 98107->98185 98109 6b3359 __initterm_e 98110 6b2f80 __cinit 67 API calls 98109->98110 98111 6b3378 _doexit __IsNonwritableInCurrentImage 98109->98111 98110->98111 98111->98030 98113 694948 98112->98113 98123 6949e7 98112->98123 98114 694982 IsThemeActive 98113->98114 98188 6b35ac 98114->98188 98118 6949ae 98200 694a5b SystemParametersInfoW SystemParametersInfoW 98118->98200 98120 6949ba 98201 693b4c 98120->98201 98122 6949c2 SystemParametersInfoW 98122->98123 98123->98034 98124->98008 98125->98012 98126->98019 98130->98035 98131->98038 98132->98044 98133->98046 98134->98050 98135->98051 98137 6b8a1c 98136->98137 98139 6b8a57 98137->98139 98141 6b8a3a 98137->98141 98145 6c5446 98137->98145 98139->98055 98142 6ba026 TlsSetValue 98139->98142 98141->98137 98141->98139 98153 6ba372 Sleep 98141->98153 98142->98058 98143->98062 98144->98059 98146 6c5451 98145->98146 98150 6c546c 98145->98150 98147 6c545d 98146->98147 98146->98150 98154 6b8d68 58 API calls __getptd_noexit 98147->98154 98149 6c547c RtlAllocateHeap 98149->98150 98151 6c5462 98149->98151 98150->98149 98150->98151 98155 6b35e1 DecodePointer 98150->98155 98151->98137 98153->98141 98154->98151 98155->98150 98156->98079 98157->98077 98158->98069 98159->98086 98160->98091 98161->98098 98163 6b9011 98162->98163 98168 6b8e99 98163->98168 98167 6b902c 98167->98105 98169 6b8eb3 _memset __call_reportfault 98168->98169 98170 6b8ed3 
calls 99467->99469 99470 694205 99468->99470 99471 694174 99468->99471 99474 6cd601 99469->99474 99472 6981a7 59 API calls 99470->99472 99473 697c8e 59 API calls 99471->99473 99479 69417e _memset _wcscpy 99472->99479 99473->99479 99475 697e0b 59 API calls 99474->99475 99474->99479 99476 6cd623 99475->99476 99478 697e0b 59 API calls 99476->99478 99477 6941e6 Shell_NotifyIconW 99477->99480 99478->99479 99479->99477 99480->98387 99481->98381 99483 6b0ff6 Mailbox 59 API calls 99482->99483 99484 697b9b 99483->99484 99485 698189 59 API calls 99484->99485 99486 694137 99485->99486 99486->99463 99486->99464 99488 69e835 99487->99488 99489 6d3ed3 99488->99489 99491 69e89f 99488->99491 99501 69e8f9 99488->99501 99559 69a000 99489->99559 99494 6977c7 59 API calls 99491->99494 99491->99501 99492 6d3ee8 99516 69ead0 Mailbox 99492->99516 99582 6fa0b5 89 API calls 4 library calls 99492->99582 99493 6977c7 59 API calls 99493->99501 99496 6d3f2e 99494->99496 99498 6b2f80 __cinit 67 API calls 99496->99498 99497 6b2f80 __cinit 67 API calls 99497->99501 99498->99501 99499 6d3f50 99499->98464 99500 698620 69 API calls 99500->99516 99501->99493 99501->99497 99501->99499 99505 69eaba 99501->99505 99501->99516 99503 69a000 341 API calls 99503->99516 99504 6fa0b5 89 API calls 99504->99516 99505->99516 99583 6fa0b5 89 API calls 4 library calls 99505->99583 99506 698ea0 59 API calls 99506->99516 99507 69f2f5 99587 6fa0b5 89 API calls 4 library calls 99507->99587 99511 6d424f 99511->98464 99516->99500 99516->99503 99516->99504 99516->99506 99516->99507 99517 69ebd8 99516->99517 99558 6980d7 59 API calls 2 library calls 99516->99558 99584 6e7405 59 API calls 99516->99584 99585 70c8d7 341 API calls 99516->99585 99586 70b851 341 API calls Mailbox 99516->99586 99588 699df0 59 API calls Mailbox 99516->99588 99589 7096db 341 API calls Mailbox 99516->99589 99517->98464 99519 69f61a 99518->99519 99520 69f7b0 99518->99520 99522 6d4848 99519->99522 99523 69f626 99519->99523 99521 697f41 59 API calls 
99520->99521 99529 69f6ec Mailbox 99521->99529 99684 70bf80 341 API calls Mailbox 99522->99684 99682 69f3f0 341 API calls 2 library calls 99523->99682 99526 6d4856 99530 69f790 99526->99530 99685 6fa0b5 89 API calls 4 library calls 99526->99685 99528 69f65d 99528->99526 99528->99529 99528->99530 99596 70e237 99529->99596 99599 6fcde5 99529->99599 99679 6f3e73 99529->99679 99530->98464 99531 69f743 99531->99530 99683 699df0 59 API calls Mailbox 99531->99683 99536->98464 99537->98464 99538->98464 99539->98393 99540->98398 99541->98464 99542->98403 99543->98403 99544->98403 99545->98464 99546->98464 99547->98464 99548->98464 99549->98464 99550->98464 99551->98450 99552->98450 99553->98450 99554->98450 99555->98450 99556->98450 99557->98450 99558->99516 99560 69a01f 99559->99560 99577 69a04d Mailbox 99559->99577 99562 6b0ff6 Mailbox 59 API calls 99560->99562 99561 6b2f80 67 API calls __cinit 99561->99577 99562->99577 99563 69b5d5 99564 6981a7 59 API calls 99563->99564 99576 69a1b7 99564->99576 99565 6e7405 59 API calls 99565->99577 99568 6b0ff6 59 API calls Mailbox 99568->99577 99569 6981a7 59 API calls 99569->99577 99571 6d047f 99592 6fa0b5 89 API calls 4 library calls 99571->99592 99573 6977c7 59 API calls 99573->99577 99575 6d048e 99575->99492 99576->99492 99577->99561 99577->99563 99577->99565 99577->99568 99577->99569 99577->99571 99577->99573 99577->99576 99578 6d0e00 99577->99578 99580 69b5da 99577->99580 99581 69a6ba 99577->99581 99590 69ca20 341 API calls 2 library calls 99577->99590 99591 69ba60 60 API calls Mailbox 99577->99591 99594 6fa0b5 89 API calls 4 library calls 99578->99594 99595 6fa0b5 89 API calls 4 library calls 99580->99595 99593 6fa0b5 89 API calls 4 library calls 99581->99593 99582->99516 99583->99516 99584->99516 99585->99516 99586->99516 99587->99511 99588->99516 99589->99516 99590->99577 99591->99577 99592->99575 99593->99576 99594->99580 99595->99576 99686 70cdf1 99596->99686 99598 70e247 99598->99531 99600 6977c7 59 API calls 99599->99600 
99601 6fce1a 99600->99601 99602 6977c7 59 API calls 99601->99602 99603 6fce23 99602->99603 99604 6fce37 99603->99604 99885 699c9c 59 API calls 99603->99885 99606 699997 84 API calls 99604->99606 99607 6fce54 99606->99607 99608 6fce76 99607->99608 99609 6fcf55 99607->99609 99678 6fcf85 Mailbox 99607->99678 99610 699997 84 API calls 99608->99610 99611 694f3d 136 API calls 99609->99611 99613 6fce82 99610->99613 99612 6fcf69 99611->99612 99614 6fcf81 99612->99614 99617 694f3d 136 API calls 99612->99617 99615 6981a7 59 API calls 99613->99615 99618 6977c7 59 API calls 99614->99618 99614->99678 99616 6fce8e 99615->99616 99621 6fced4 99616->99621 99622 6fcea2 99616->99622 99617->99614 99619 6fcfb6 99618->99619 99620 6977c7 59 API calls 99619->99620 99623 6fcfbf 99620->99623 99625 699997 84 API calls 99621->99625 99624 6981a7 59 API calls 99622->99624 99626 6977c7 59 API calls 99623->99626 99627 6fceb2 99624->99627 99628 6fcee1 99625->99628 99629 6fcfc8 99626->99629 99631 697e0b 59 API calls 99627->99631 99632 6981a7 59 API calls 99628->99632 99630 6977c7 59 API calls 99629->99630 99633 6fcfd1 99630->99633 99634 6fcebc 99631->99634 99635 6fceed 99632->99635 99637 699997 84 API calls 99633->99637 99638 699997 84 API calls 99634->99638 99886 6f4cd3 GetFileAttributesW 99635->99886 99640 6fcfde 99637->99640 99641 6fcec8 99638->99641 99639 6fcef6 99642 6fcf09 99639->99642 99645 697b52 59 API calls 99639->99645 99643 6946f9 59 API calls 99640->99643 99644 697c8e 59 API calls 99641->99644 99647 699997 84 API calls 99642->99647 99653 6fcf0f 99642->99653 99646 6fcff9 99643->99646 99644->99621 99645->99642 99648 697b52 59 API calls 99646->99648 99649 6fcf36 99647->99649 99650 6fd008 99648->99650 99887 6f3a2b 75 API calls Mailbox 99649->99887 99652 6fd03c 99650->99652 99655 697b52 59 API calls 99650->99655 99654 6981a7 59 API calls 99652->99654 99653->99678 99656 6fd04a 99654->99656 99657 6fd019 99655->99657 99658 697c8e 59 API calls 99656->99658 99657->99652 99660 697d2c 59 API calls 
99657->99660 99659 6fd058 99658->99659 99661 697c8e 59 API calls 99659->99661 99662 6fd02e 99660->99662 99663 6fd066 99661->99663 99664 697d2c 59 API calls 99662->99664 99665 697c8e 59 API calls 99663->99665 99664->99652 99666 6fd074 99665->99666 99667 699997 84 API calls 99666->99667 99668 6fd080 99667->99668 99776 6f42ad 99668->99776 99670 6fd091 99671 6f3e73 3 API calls 99670->99671 99672 6fd09b 99671->99672 99673 699997 84 API calls 99672->99673 99676 6fd0cc 99672->99676 99674 6fd0b9 99673->99674 99830 6f93df 99674->99830 99677 694faa 84 API calls 99676->99677 99677->99678 99678->99531 99928 6f4696 GetFileAttributesW 99679->99928 99682->99528 99683->99531 99684->99526 99685->99530 99687 699997 84 API calls 99686->99687 99688 70ce2e 99687->99688 99692 70ce75 Mailbox 99688->99692 99724 70dab9 99688->99724 99690 70d242 99763 70dbdc 92 API calls Mailbox 99690->99763 99691 70d0db 99737 70cc82 99691->99737 99692->99598 99695 70d251 99695->99691 99696 70d25d 99695->99696 99696->99692 99697 699997 84 API calls 99712 70cec6 Mailbox 99697->99712 99702 70d114 99752 6b0e48 99702->99752 99705 70d147 99707 69942e 59 API calls 99705->99707 99706 70d12e 99758 6fa0b5 89 API calls 4 library calls 99706->99758 99710 70d153 99707->99710 99709 70d0cd 99709->99690 99709->99691 99713 6991b0 59 API calls 99710->99713 99711 70d139 GetCurrentProcess TerminateProcess 99711->99705 99712->99692 99712->99697 99712->99709 99756 6ff835 59 API calls 2 library calls 99712->99756 99757 70d2f3 61 API calls 2 library calls 99712->99757 99714 70d169 99713->99714 99723 70d190 99714->99723 99759 698ea0 59 API calls Mailbox 99714->99759 99716 70d2b8 99716->99692 99720 70d2cc FreeLibrary 99716->99720 99717 70d17f 99760 70d95d 107 API calls _free 99717->99760 99720->99692 99723->99716 99761 698ea0 59 API calls Mailbox 99723->99761 99762 699e9c 60 API calls Mailbox 99723->99762 99764 70d95d 107 API calls _free 99723->99764 99725 697faf 59 API calls 99724->99725 99726 70dad4 CharLowerBuffW 99725->99726 
99765 6ef658 99726->99765 99730 6977c7 59 API calls 99731 70db0d 99730->99731 99732 6979ab 59 API calls 99731->99732 99733 70db24 99732->99733 99734 697e8c 59 API calls 99733->99734 99735 70db30 Mailbox 99734->99735 99736 70db6c Mailbox 99735->99736 99772 70d2f3 61 API calls 2 library calls 99735->99772 99736->99712 99738 70cc9d 99737->99738 99739 70ccf2 99737->99739 99740 6b0ff6 Mailbox 59 API calls 99738->99740 99743 70dd64 99739->99743 99742 70ccbf 99740->99742 99741 6b0ff6 Mailbox 59 API calls 99741->99742 99742->99739 99742->99741 99744 70df8d Mailbox 99743->99744 99748 70dd87 _strcat _wcscpy __wsetenvp 99743->99748 99744->99702 99745 699c9c 59 API calls 99745->99748 99746 699cf8 59 API calls 99746->99748 99747 699d46 59 API calls 99747->99748 99748->99744 99748->99745 99748->99746 99748->99747 99749 699997 84 API calls 99748->99749 99750 6b594c 58 API calls __malloc_crt 99748->99750 99775 6f5b29 61 API calls 2 library calls 99748->99775 99749->99748 99750->99748 99753 6b0e5d 99752->99753 99754 6b0ef5 VirtualAlloc 99753->99754 99755 6b0ec3 99753->99755 99754->99755 99755->99705 99755->99706 99756->99712 99757->99712 99758->99711 99759->99717 99760->99723 99761->99723 99762->99723 99763->99695 99764->99723 99766 6ef683 __wsetenvp 99765->99766 99767 6ef6c2 99766->99767 99770 6ef6b8 99766->99770 99771 6ef769 99766->99771 99767->99730 99767->99735 99770->99767 99773 697a24 61 API calls 99770->99773 99771->99767 99774 697a24 61 API calls 99771->99774 99772->99736 99773->99770 99774->99771 99775->99748 99777 6f42c9 99776->99777 99778 6f42ce 99777->99778 99779 6f42dc 99777->99779 99780 6981a7 59 API calls 99778->99780 99781 6977c7 59 API calls 99779->99781 99829 6f42d7 Mailbox 99780->99829 99782 6f42e4 99781->99782 99783 6977c7 59 API calls 99782->99783 99784 6f42ec 99783->99784 99785 6977c7 59 API calls 99784->99785 99786 6f42f7 99785->99786 99787 6977c7 59 API calls 99786->99787 99788 6f42ff 99787->99788 99789 6977c7 59 API calls 99788->99789 99790 6f4307 
99789->99790 99791 6977c7 59 API calls 99790->99791 99792 6f430f 99791->99792 99793 6977c7 59 API calls 99792->99793 99794 6f4317 99793->99794 99795 6977c7 59 API calls 99794->99795 99796 6f431f 99795->99796 99797 6946f9 59 API calls 99796->99797 99798 6f4336 99797->99798 99799 6946f9 59 API calls 99798->99799 99800 6f434f 99799->99800 99801 697b52 59 API calls 99800->99801 99802 6f435b 99801->99802 99803 6f436e 99802->99803 99804 697e8c 59 API calls 99802->99804 99805 697b52 59 API calls 99803->99805 99804->99803 99806 6f4377 99805->99806 99807 6f4387 99806->99807 99808 697e8c 59 API calls 99806->99808 99809 6981a7 59 API calls 99807->99809 99808->99807 99810 6f4393 99809->99810 99811 697c8e 59 API calls 99810->99811 99812 6f439f 99811->99812 99888 6f445f 59 API calls 99812->99888 99814 6f43ae 99889 6f445f 59 API calls 99814->99889 99816 6f43c1 99817 697b52 59 API calls 99816->99817 99818 6f43cb 99817->99818 99819 6f43e2 99818->99819 99820 6f43d0 99818->99820 99822 697b52 59 API calls 99819->99822 99821 697e0b 59 API calls 99820->99821 99823 6f43dd 99821->99823 99824 6f43eb 99822->99824 99827 697c8e 59 API calls 99823->99827 99825 6f4409 99824->99825 99826 697e0b 59 API calls 99824->99826 99828 697c8e 59 API calls 99825->99828 99826->99823 99827->99825 99828->99829 99829->99670 99831 6f93ec __ftell_nolock 99830->99831 99832 6b0ff6 Mailbox 59 API calls 99831->99832 99833 6f9449 99832->99833 99834 69538e 59 API calls 99833->99834 99835 6f9453 99834->99835 99836 6f91e9 GetSystemTimeAsFileTime 99835->99836 99837 6f945e 99836->99837 99838 695045 85 API calls 99837->99838 99839 6f9471 _wcscmp 99838->99839 99840 6f9495 99839->99840 99841 6f9542 99839->99841 99842 6f99be 96 API calls 99840->99842 99843 6f99be 96 API calls 99841->99843 99844 6f949a 99842->99844 99858 6f950e _wcscat 99843->99858 99848 6f954b 99844->99848 99907 6b432e 58 API calls __wsplitpath_helper 99844->99907 99846 69506b 74 API calls 99847 6f9567 99846->99847 99849 69506b 74 API calls 99847->99849 
99848->99676 99851 6f9577 99849->99851 99850 6f94c3 _wcscat _wcscpy 99908 6b432e 58 API calls __wsplitpath_helper 99850->99908 99852 69506b 74 API calls 99851->99852 99854 6f9592 99852->99854 99855 69506b 74 API calls 99854->99855 99856 6f95a2 99855->99856 99857 69506b 74 API calls 99856->99857 99859 6f95bd 99857->99859 99858->99846 99858->99848 99860 69506b 74 API calls 99859->99860 99861 6f95cd 99860->99861 99862 69506b 74 API calls 99861->99862 99863 6f95dd 99862->99863 99864 69506b 74 API calls 99863->99864 99865 6f95ed 99864->99865 99890 6f9b6d GetTempPathW GetTempFileNameW 99865->99890 99867 6f95f9 99868 6b548b 115 API calls 99867->99868 99869 6f960a 99868->99869 99869->99848 99872 69506b 74 API calls 99869->99872 99883 6f96c4 99869->99883 99891 6b4a93 99869->99891 99870 6b55d6 __fcloseall 83 API calls 99871 6f96cf 99870->99871 99873 6f96e9 99871->99873 99874 6f96d5 DeleteFileW 99871->99874 99872->99869 99875 6f978f CopyFileW 99873->99875 99879 6f96f3 _wcsncpy 99873->99879 99874->99848 99876 6f97b7 DeleteFileW 99875->99876 99877 6f97a5 DeleteFileW 99875->99877 99904 6f9b2c CreateFileW 99876->99904 99877->99848 99909 6f8d90 116 API calls __fcloseall 99879->99909 99882 6f977a 99882->99876 99884 6f977e DeleteFileW 99882->99884 99883->99870 99884->99848 99885->99604 99886->99639 99887->99653 99888->99814 99889->99816 99890->99867 99892 6b4a9f __alloc_osfhnd 99891->99892 99893 6b4abd 99892->99893 99894 6b4ad5 99892->99894 99896 6b4acd __alloc_osfhnd 99892->99896 99922 6b8d68 58 API calls __getptd_noexit 99893->99922 99897 6b6e4e __lock_file 59 API calls 99894->99897 99896->99869 99899 6b4adb 99897->99899 99898 6b4ac2 99923 6b8ff6 9 API calls __filbuf 99898->99923 99910 6b493a 99899->99910 99905 6f9b68 99904->99905 99906 6f9b52 SetFileTime CloseHandle 99904->99906 99905->99848 99906->99905 99907->99850 99908->99858 99909->99882 99911 6b4949 99910->99911 99917 6b4967 99910->99917 99912 6b4957 99911->99912 99911->99917 99920 6b4981 _memmove 99911->99920 99925 6b8d68 
58 API calls __getptd_noexit 99912->99925 99914 6b495c 99926 6b8ff6 9 API calls __filbuf 99914->99926 99924 6b4b0d LeaveCriticalSection LeaveCriticalSection _fseek 99917->99924 99918 6b4c6d __flush 78 API calls 99918->99920 99919 6b4916 __filbuf 58 API calls 99919->99920 99920->99917 99920->99918 99920->99919 99921 6bdac6 __write 78 API calls 99920->99921 99927 6bb05e 78 API calls 6 library calls 99920->99927 99921->99920 99922->99898 99923->99896 99924->99896 99925->99914 99926->99917 99927->99920 99929 6f3e7a 99928->99929 99930 6f46b1 FindFirstFileW 99928->99930 99929->99531 99930->99929 99931 6f46c6 FindClose 99930->99931 99931->99929 99932 6f8f97 99933 6f8faa 99932->99933 99934 6f8fa4 99932->99934 99936 6f8fbb 99933->99936 99937 6b2f95 _free 58 API calls 99933->99937 99935 6b2f95 _free 58 API calls 99934->99935 99935->99933 99938 6f8fcd 99936->99938 99939 6b2f95 _free 58 API calls 99936->99939 99937->99936 99939->99938 99940 693633 99941 69366a 99940->99941 99942 693688 99941->99942 99943 6936e7 99941->99943 99980 6936e5 99941->99980 99947 69375d PostQuitMessage 99942->99947 99948 693695 99942->99948 99945 6cd31c 99943->99945 99946 6936ed 99943->99946 99944 6936ca DefWindowProcW 99982 6936d8 99944->99982 99990 6a11d0 10 API calls Mailbox 99945->99990 99950 6936f2 99946->99950 99951 693715 SetTimer RegisterWindowMessageW 99946->99951 99947->99982 99952 6cd38f 99948->99952 99953 6936a0 99948->99953 99959 6936f9 KillTimer 99950->99959 99960 6cd2bf 99950->99960 99954 69373e CreatePopupMenu 99951->99954 99951->99982 99994 6f2a16 71 API calls _memset 99952->99994 99955 6936a8 99953->99955 99956 693767 99953->99956 99954->99982 99961 6936b3 99955->99961 99974 6cd374 99955->99974 99988 694531 64 API calls _memset 99956->99988 99958 6cd343 99991 6a11f3 341 API calls Mailbox 99958->99991 99985 6944cb Shell_NotifyIconW _memset 99959->99985 99965 6cd2f8 MoveWindow 99960->99965 99966 6cd2c4 99960->99966 99968 69374b 99961->99968 99969 6936be 99961->99969 99962 6cd3a1 
99962->99944 99962->99982 99965->99982 99971 6cd2c8 99966->99971 99972 6cd2e7 SetFocus 99966->99972 99987 6945df 81 API calls _memset 99968->99987 99969->99944 99992 6944cb Shell_NotifyIconW _memset 99969->99992 99970 69375b 99970->99982 99971->99969 99976 6cd2d1 99971->99976 99972->99982 99973 69370c 99986 693114 DeleteObject DestroyWindow Mailbox 99973->99986 99974->99944 99993 6e817e 59 API calls Mailbox 99974->99993 99989 6a11d0 10 API calls Mailbox 99976->99989 99980->99944 99983 6cd368 99984 6943db 68 API calls 99983->99984 99984->99980 99985->99973 99986->99982 99987->99970 99988->99970 99989->99982 99990->99958 99991->99969 99992->99983 99993->99980 99994->99962 99995 6d0226 100004 69ade2 Mailbox 99995->100004 99997 6d0c86 100009 6e66f4 59 API calls Mailbox 99997->100009 99999 6d0c8f 100001 6d00e0 VariantClear 100001->100004 100002 69b6c1 100008 6fa0b5 89 API calls 4 library calls 100002->100008 100004->99997 100004->99999 100004->100001 100004->100002 100005 70e237 130 API calls 100004->100005 100006 699df0 59 API calls Mailbox 100004->100006 100007 6e7405 59 API calls 100004->100007 100005->100004 100006->100004 100007->100004 100008->99997 100009->99999 100010 691055 100015 692649 100010->100015 100013 6b2f80 __cinit 67 API calls 100014 691064 100013->100014 100016 6977c7 59 API calls 100015->100016 100017 6926b7 100016->100017 100022 693582 100017->100022 100020 692754 100021 69105a 100020->100021 100025 693416 59 API calls 2 library calls 100020->100025 100021->100013 100026 6935b0 100022->100026 100025->100020 100027 6935bd 100026->100027 100028 6935a1 100026->100028 100027->100028 100029 6935c4 RegOpenKeyExW 100027->100029 100028->100020 100029->100028 100030 6935de RegQueryValueExW 100029->100030 100031 6935ff 100030->100031 100032 693614 RegCloseKey 100030->100032 100031->100032 100032->100028 100033 691066 100038 69f8cf 100033->100038 100035 69106c 100036 6b2f80 __cinit 67 API calls 100035->100036 100037 691076 100036->100037 100039 69f8f0 
100038->100039 100071 6b0143 100039->100071 100043 69f937 100044 6977c7 59 API calls 100043->100044 100045 69f941 100044->100045 100046 6977c7 59 API calls 100045->100046 100047 69f94b 100046->100047 100048 6977c7 59 API calls 100047->100048 100049 69f955 100048->100049 100050 6977c7 59 API calls 100049->100050 100051 69f993 100050->100051 100052 6977c7 59 API calls 100051->100052 100053 69fa5e 100052->100053 100081 6a60e7 100053->100081 100057 69fa90 100058 6977c7 59 API calls 100057->100058 100059 69fa9a 100058->100059 100109 6affde 100059->100109 100061 69fae1 100062 69faf1 GetStdHandle 100061->100062 100063 69fb3d 100062->100063 100064 6d49d5 100062->100064 100065 69fb45 OleInitialize 100063->100065 100064->100063 100066 6d49de 100064->100066 100065->100035 100116 6f6dda 64 API calls Mailbox 100066->100116 100068 6d49e5 100117 6f74a9 CreateThread 100068->100117 100070 6d49f1 CloseHandle 100070->100065 100118 6b021c 100071->100118 100074 6b021c 59 API calls 100075 6b0185 100074->100075 100076 6977c7 59 API calls 100075->100076 100077 6b0191 100076->100077 100078 697d2c 59 API calls 100077->100078 100079 69f8f6 100078->100079 100080 6b03a2 6 API calls 100079->100080 100080->100043 100082 6977c7 59 API calls 100081->100082 100083 6a60f7 100082->100083 100084 6977c7 59 API calls 100083->100084 100085 6a60ff 100084->100085 100125 6a5bfd 100085->100125 100088 6a5bfd 59 API calls 100089 6a610f 100088->100089 100090 6977c7 59 API calls 100089->100090 100091 6a611a 100090->100091 100092 6b0ff6 Mailbox 59 API calls 100091->100092 100093 69fa68 100092->100093 100094 6a6259 100093->100094 100095 6a6267 100094->100095 100096 6977c7 59 API calls 100095->100096 100097 6a6272 100096->100097 100098 6977c7 59 API calls 100097->100098 100099 6a627d 100098->100099 100100 6977c7 59 API calls 100099->100100 100101 6a6288 100100->100101 100102 6977c7 59 API calls 100101->100102 100103 6a6293 100102->100103 100104 6a5bfd 59 API calls 100103->100104 100105 6a629e 100104->100105 100106 
6b0ff6 Mailbox 59 API calls 100105->100106 100107 6a62a5 RegisterWindowMessageW 100106->100107 100107->100057 100110 6affee 100109->100110 100111 6e5cc3 100109->100111 100113 6b0ff6 Mailbox 59 API calls 100110->100113 100128 6f9d71 60 API calls 100111->100128 100114 6afff6 100113->100114 100114->100061 100115 6e5cce 100116->100068 100117->100070 100129 6f748f 65 API calls 100117->100129 100119 6977c7 59 API calls 100118->100119 100120 6b0227 100119->100120 100121 6977c7 59 API calls 100120->100121 100122 6b022f 100121->100122 100123 6977c7 59 API calls 100122->100123 100124 6b017b 100123->100124 100124->100074 100126 6977c7 59 API calls 100125->100126 100127 6a5c05 100126->100127 100127->100088 100128->100115 100130 691016 100135 694ad2 100130->100135 100133 6b2f80 __cinit 67 API calls 100134 691025 100133->100134 100136 6b0ff6 Mailbox 59 API calls 100135->100136 100137 694ada 100136->100137 100138 69101b 100137->100138 100142 694a94 100137->100142 100138->100133 100143 694a9d 100142->100143 100144 694aaf 100142->100144 100145 6b2f80 __cinit 67 API calls 100143->100145 100146 694afe 100144->100146 100145->100144 100147 6977c7 59 API calls 100146->100147 100148 694b16 GetVersionExW 100147->100148 100149 697d2c 59 API calls 100148->100149 100150 694b59 100149->100150 100151 697e8c 59 API calls 100150->100151 100156 694b86 100150->100156 100152 694b7a 100151->100152 100153 697886 59 API calls 100152->100153 100153->100156 100154 694bf1 GetCurrentProcess IsWow64Process 100155 694c0a 100154->100155 100158 694c89 GetSystemInfo 100155->100158 100159 694c20 100155->100159 100156->100154 100157 6cdc8d 100156->100157 100160 694c56 100158->100160 100170 694c95 100159->100170 100160->100138 100163 694c7d GetSystemInfo 100165 694c47 100163->100165 100164 694c32 100166 694c95 2 API calls 100164->100166 100165->100160 100167 694c4d FreeLibrary 100165->100167 100168 694c3a GetNativeSystemInfo 100166->100168 100167->100160 100168->100165 100171 694c2e 100170->100171 100172 694c9e 
LoadLibraryA 100170->100172 100171->100163 100171->100164 100172->100171 100173 694caf GetProcAddress 100172->100173 100173->100171

            Control-flow Graph

            APIs
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00693B7A
            • IsDebuggerPresent.KERNEL32 ref: 00693B8C
            • GetFullPathNameW.KERNEL32(00007FFF,?,?,007562F8,007562E0,?,?), ref: 00693BFD
              • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
              • Part of subcall function 006A0A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00693C26,007562F8,?,?,?), ref: 006A0ACE
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00693C81
            • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,007493F0,00000010), ref: 006CD4BC
            • SetCurrentDirectoryW.KERNEL32(?,007562F8,?,?,?), ref: 006CD4F4
            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00745D40,007562F8,?,?,?), ref: 006CD57A
            • ShellExecuteW.SHELL32(00000000,?,?), ref: 006CD581
              • Part of subcall function 00693A58: GetSysColorBrush.USER32(0000000F), ref: 00693A62
              • Part of subcall function 00693A58: LoadCursorW.USER32(00000000,00007F00), ref: 00693A71
              • Part of subcall function 00693A58: LoadIconW.USER32(00000063), ref: 00693A88
              • Part of subcall function 00693A58: LoadIconW.USER32(000000A4), ref: 00693A9A
              • Part of subcall function 00693A58: LoadIconW.USER32(000000A2), ref: 00693AAC
              • Part of subcall function 00693A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00693AD2
              • Part of subcall function 00693A58: RegisterClassExW.USER32(?), ref: 00693B28
              • Part of subcall function 006939E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00693A15
              • Part of subcall function 006939E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00693A36
              • Part of subcall function 006939E7: ShowWindow.USER32(00000000,?,?), ref: 00693A4A
              • Part of subcall function 006939E7: ShowWindow.USER32(00000000,?,?), ref: 00693A53
              • Part of subcall function 006943DB: _memset.LIBCMT ref: 00694401
              • Part of subcall function 006943DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 006944A6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
            • String ID: This is a third-party compiled AutoIt script.$runas$%r
            • API String ID: 529118366-374001893
            • Opcode ID: c9d111aadfc6067830a02180b9a4d29ec0660e1cf174454deec392c0f21fabe9
            • Instruction ID: e6e3811b09d06b7770718add07cdf2e1b6a978c3c7bcd66af195e3a688b5e091
            • Opcode Fuzzy Hash: c9d111aadfc6067830a02180b9a4d29ec0660e1cf174454deec392c0f21fabe9
            • Instruction Fuzzy Hash: BC51F970904248AACF51EBB4DC05EFD7B7EBF05701F40817DF815A36A1DAB85A46CB29

            Control-flow Graph

            (Control-flow graph of the function at 00694FE9; basic-block listing omitted. Executed path through the graph: CreateStreamOnHGlobal at 694fe9, FindResourceExW at 695003, LoadResource at 6cdd5c, SizeofResource at 6cdd71, LockResource at 6cdd85, then the block at 6cdd96-6cddb4; every failure branch returns to the exit block at 695020/695021.)
            APIs
            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00694EEE,?,?,00000000,00000000), ref: 00694FF9
            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00694EEE,?,?,00000000,00000000), ref: 00695010
            • LoadResource.KERNEL32(?,00000000,?,?,00694EEE,?,?,00000000,00000000,?,?,?,?,?,?,00694F8F), ref: 006CDD60
            • SizeofResource.KERNEL32(?,00000000,?,?,00694EEE,?,?,00000000,00000000,?,?,?,?,?,?,00694F8F), ref: 006CDD75
            • LockResource.KERNEL32(Ni,?,?,00694EEE,?,?,00000000,00000000,?,?,?,?,?,?,00694F8F,00000000), ref: 006CDD88
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
            • String ID: SCRIPT$Ni
            • API String ID: 3051347437-3595334624
            • Opcode ID: 1efb44215f06ee4ad8d41ecf30f3e5404798dc270e02e1def0afbb45c1f25e21
            • Instruction ID: c0232889ff79416fc621e1758d86f67550d48cbfb66bfdabcb10c43f911a8c8a
            • Opcode Fuzzy Hash: 1efb44215f06ee4ad8d41ecf30f3e5404798dc270e02e1def0afbb45c1f25e21
            • Instruction Fuzzy Hash: EE115E75240700AFDB218B69DC58FAB7BBEEBC9B11F10816CF406C66A0DB75E8018660

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 1047 694afe-694b5e call 6977c7 GetVersionExW call 697d2c 1052 694c69-694c6b 1047->1052 1053 694b64 1047->1053 1054 6cdb90-6cdb9c 1052->1054 1055 694b67-694b6c 1053->1055 1056 6cdb9d-6cdba1 1054->1056 1057 694c70-694c71 1055->1057 1058 694b72 1055->1058 1060 6cdba4-6cdbb0 1056->1060 1061 6cdba3 1056->1061 1059 694b73-694baa call 697e8c call 697886 1057->1059 1058->1059 1069 6cdc8d-6cdc90 1059->1069 1070 694bb0-694bb1 1059->1070 1060->1056 1063 6cdbb2-6cdbb7 1060->1063 1061->1060 1063->1055 1065 6cdbbd-6cdbc4 1063->1065 1065->1054 1067 6cdbc6 1065->1067 1071 6cdbcb-6cdbce 1067->1071 1072 6cdca9-6cdcad 1069->1072 1073 6cdc92 1069->1073 1070->1071 1074 694bb7-694bc2 1070->1074 1075 694bf1-694c08 GetCurrentProcess IsWow64Process 1071->1075 1076 6cdbd4-6cdbf2 1071->1076 1081 6cdcaf-6cdcb8 1072->1081 1082 6cdc98-6cdca1 1072->1082 1077 6cdc95 1073->1077 1078 694bc8-694bca 1074->1078 1079 6cdc13-6cdc19 1074->1079 1083 694c0a 1075->1083 1084 694c0d-694c1e 1075->1084 1076->1075 1080 6cdbf8-6cdbfe 1076->1080 1077->1082 1085 6cdc2e-6cdc3a 1078->1085 1086 694bd0-694bd3 1078->1086 1089 6cdc1b-6cdc1e 1079->1089 1090 6cdc23-6cdc29 1079->1090 1087 6cdc08-6cdc0e 1080->1087 1088 6cdc00-6cdc03 1080->1088 1081->1077 1091 6cdcba-6cdcbd 1081->1091 1082->1072 1083->1084 1092 694c89-694c93 GetSystemInfo 1084->1092 1093 694c20-694c30 call 694c95 1084->1093 1097 6cdc3c-6cdc3f 1085->1097 1098 6cdc44-6cdc4a 1085->1098 1094 694bd9-694be8 1086->1094 1095 6cdc5a-6cdc5d 1086->1095 1087->1075 1088->1075 1089->1075 1090->1075 1091->1082 1096 694c56-694c66 1092->1096 1104 694c7d-694c87 GetSystemInfo 1093->1104 1105 694c32-694c3f call 694c95 1093->1105 1100 6cdc4f-6cdc55 1094->1100 1101 694bee 1094->1101 1095->1075 1103 6cdc63-6cdc78 1095->1103 1097->1075 1098->1075 1100->1075 1101->1075 1106 6cdc7a-6cdc7d 1103->1106 1107 6cdc82-6cdc88 1103->1107 1108 694c47-694c4b 1104->1108 1112 694c41-694c45 GetNativeSystemInfo 1105->1112 1113 694c76-694c7b 1105->1113 1106->1075 1107->1075 1108->1096 1110 694c4d-694c50 FreeLibrary 1108->1110 1110->1096 1112->1108 1113->1112
            APIs
            • GetVersionExW.KERNEL32(?), ref: 00694B2B
              • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
            • GetCurrentProcess.KERNEL32(?,0071FAEC,00000000,00000000,?), ref: 00694BF8
            • IsWow64Process.KERNEL32(00000000), ref: 00694BFF
            • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00694C45
            • FreeLibrary.KERNEL32(00000000), ref: 00694C50
            • GetSystemInfo.KERNEL32(00000000), ref: 00694C81
            • GetSystemInfo.KERNEL32(00000000), ref: 00694C8D
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
            • String ID:
            • API String ID: 1986165174-0
            • Opcode ID: 5afb69325aa436f91ffd7c0d922f7730cd1f4f74af981271783f68d5f57da540
            • Instruction ID: baf1c58bf0b442ecc410c0e884477d6aa0ed512fa1ff918a1b840ca32062a45d
            • Opcode Fuzzy Hash: 5afb69325aa436f91ffd7c0d922f7730cd1f4f74af981271783f68d5f57da540
            • Instruction Fuzzy Hash: 7091D63154A7C4DECB31DB688451AEAFFEAAF25300B448DADD0CB93F41D624E909D719
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID: Dtu$Dtu$Dtu$Dtu$Variable must be of type 'Object'.
            • API String ID: 0-2845289861
            • Opcode ID: 9404de94073875acfb217a339973f4f0d85a80dbbd8315371dc452fb32a64f8d
            • Instruction ID: 109a69a1ad78c8f5db55f6ad8200de41c5fc1d1fda61e28241dce8cd1c1af270
            • Opcode Fuzzy Hash: 9404de94073875acfb217a339973f4f0d85a80dbbd8315371dc452fb32a64f8d
            • Instruction Fuzzy Hash: 2AA27B74A04205CFCF24CF98C580AA9B7BBFF58304F25806AE916AB751D776ED42CB91
            APIs
            • GetFileAttributesW.KERNELBASE(?,006CE7C1), ref: 006F46A6
            • FindFirstFileW.KERNELBASE(?,?), ref: 006F46B7
            • FindClose.KERNEL32(00000000), ref: 006F46C7
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: FileFind$AttributesCloseFirst
            • String ID:
            • API String ID: 48322524-0
            • Opcode ID: 47c5c7f36bfe3f83edfe4e84ebff3390f9584f2e1358abe3fa59c89816c14140
            • Instruction ID: d4e4076a32fa2d9cb2a682a6e4e28a4b39f2df5c2e7328ccbb2bf8dd5804bb79
            • Opcode Fuzzy Hash: 47c5c7f36bfe3f83edfe4e84ebff3390f9584f2e1358abe3fa59c89816c14140
            • Instruction Fuzzy Hash: DAE0D8314104055B4610673CEC4D4FF775D9F06335F108715FA35C15E0EBB459508599
            APIs
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006A0BBB
            • timeGetTime.WINMM ref: 006A0E76
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006A0FB3
            • TranslateMessage.USER32(?), ref: 006A0FC7
            • DispatchMessageW.USER32(?), ref: 006A0FD5
            • Sleep.KERNEL32(0000000A), ref: 006A0FDF
            • LockWindowUpdate.USER32(00000000,?,?), ref: 006A105A
            • DestroyWindow.USER32 ref: 006A1066
            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006A1080
            • Sleep.KERNEL32(0000000A,?,?), ref: 006D52AD
            • TranslateMessage.USER32(?), ref: 006D608A
            • DispatchMessageW.USER32(?), ref: 006D6098
            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 006D60AC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
            • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pru$pru$pru$pru
            • API String ID: 4003667617-3117017571
            • Opcode ID: ea4690bb8b2d5cc0ade014b4863a2a35e4928e3feb78f1fa0e3f8e2fb873688c
            • Instruction ID: 8cb32180574a9bec3bdb7653c41e2e80fc0fb0a998a9b51e6633be860fe31686
            • Opcode Fuzzy Hash: ea4690bb8b2d5cc0ade014b4863a2a35e4928e3feb78f1fa0e3f8e2fb873688c
            • Instruction Fuzzy Hash: 5EB2D170A08741DFDB24DF24C884BAAB7E6BF85304F14891EE44A877A1DB75EC45CB86

            Control-flow Graph

            APIs
              • Part of subcall function 006F91E9: __time64.LIBCMT ref: 006F91F3
              • Part of subcall function 00695045: _fseek.LIBCMT ref: 0069505D
            • __wsplitpath.LIBCMT ref: 006F94BE
              • Part of subcall function 006B432E: __wsplitpath_helper.LIBCMT ref: 006B436E
            • _wcscpy.LIBCMT ref: 006F94D1
            • _wcscat.LIBCMT ref: 006F94E4
            • __wsplitpath.LIBCMT ref: 006F9509
            • _wcscat.LIBCMT ref: 006F951F
            • _wcscat.LIBCMT ref: 006F9532
              • Part of subcall function 006F922F: _memmove.LIBCMT ref: 006F9268
              • Part of subcall function 006F922F: _memmove.LIBCMT ref: 006F9277
            • _wcscmp.LIBCMT ref: 006F9479
              • Part of subcall function 006F99BE: _wcscmp.LIBCMT ref: 006F9AAE
              • Part of subcall function 006F99BE: _wcscmp.LIBCMT ref: 006F9AC1
            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006F96DC
            • _wcsncpy.LIBCMT ref: 006F974F
            • DeleteFileW.KERNEL32(?,?), ref: 006F9785
            • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 006F979B
            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006F97AC
            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 006F97BE
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
            • String ID:
            • API String ID: 1500180987-0
            • Opcode ID: 28ab89335627675f9b34431148f91616e2a5c16f17a6aaf96e1e7e19943495a9
            • Instruction ID: 1513e7f314fb2123951337199c3b1082144f3d887adf3fabc1da6491cec649c9
            • Opcode Fuzzy Hash: 28ab89335627675f9b34431148f91616e2a5c16f17a6aaf96e1e7e19943495a9
            • Instruction Fuzzy Hash: F6C11DB1D0021DAADF51DF95CC85EEEB7BEAF45300F0040AAF609E7151DB709A858F69

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00693074
            • RegisterClassExW.USER32(00000030), ref: 0069309E
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006930AF
            • InitCommonControlsEx.COMCTL32(?), ref: 006930CC
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006930DC
            • LoadIconW.USER32(000000A9), ref: 006930F2
            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00693101
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
            • API String ID: 2914291525-1005189915
            • Opcode ID: 9d69c732df83d017500fb56be1860ad0807d3e59711d211db974240723b33857
            • Instruction ID: 1d5e5c2e1c9e70ac02c5c75cb7ad2fc1767030f68961a4c31378e1ca6101118f
            • Opcode Fuzzy Hash: 9d69c732df83d017500fb56be1860ad0807d3e59711d211db974240723b33857
            • Instruction Fuzzy Hash: EF3158B1841308AFDB00DFA8D889AD9BBF0FB09320F14C16EE540EB2A1D7BA5541CF94

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00693074
            • RegisterClassExW.USER32(00000030), ref: 0069309E
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006930AF
            • InitCommonControlsEx.COMCTL32(?), ref: 006930CC
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006930DC
            • LoadIconW.USER32(000000A9), ref: 006930F2
            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00693101
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
            • API String ID: 2914291525-1005189915
            • Opcode ID: c449883c98bed939662f8e97ea893abf59ea7428fa1da9804e9102fd15d949c1
            • Instruction ID: 1c06bd2a55938c9f0e6fbeb4b8e02b4f9950f23982e67985dbe16bf64039008b
            • Opcode Fuzzy Hash: c449883c98bed939662f8e97ea893abf59ea7428fa1da9804e9102fd15d949c1
            • Instruction Fuzzy Hash: 7821A0B1911318AFDB00DFA8E889ADDBBF4FB08711F50C12AF914A72A0D7B955448F99

            Control-flow Graph

            APIs
              • Part of subcall function 00694864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007562F8,?,006937C0,?), ref: 00694882
              • Part of subcall function 006B074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,006972C5), ref: 006B0771
            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00697308
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 006CECF1
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 006CED32
            • RegCloseKey.ADVAPI32(?), ref: 006CED70
            • _wcscat.LIBCMT ref: 006CEDC9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
            • API String ID: 2673923337-2727554177
            • Opcode ID: a487093e05aea09498b96fb312c5b36cf1d3be50d5532847e14a73045b8c0b95
            • Instruction ID: 88a332103ede082843c2075604dae8918eff1c6d41ac3f86c3f7dc52d6396302
            • Opcode Fuzzy Hash: a487093e05aea09498b96fb312c5b36cf1d3be50d5532847e14a73045b8c0b95
            • Instruction Fuzzy Hash: 13716C710083019AC758EF25EC819EBB7F9FF58350F40852EF445872A1EBB49989CB5A

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 760 693633-693681 762 6936e1-6936e3 760->762 763 693683-693686 760->763 762->763 764 6936e5 762->764 765 693688-69368f 763->765 766 6936e7 763->766 767 6936ca-6936d2 DefWindowProcW 764->767 770 69375d-693765 PostQuitMessage 765->770 771 693695-69369a 765->771 768 6cd31c-6cd34a call 6a11d0 call 6a11f3 766->768 769 6936ed-6936f0 766->769 773 6936d8-6936de 767->773 804 6cd34f-6cd356 768->804 775 6936f2-6936f3 769->775 776 693715-69373c SetTimer RegisterWindowMessageW 769->776 774 693711-693713 770->774 777 6cd38f-6cd3a3 call 6f2a16 771->777 778 6936a0-6936a2 771->778 774->773 784 6936f9-69370c KillTimer call 6944cb call 693114 775->784 785 6cd2bf-6cd2c2 775->785 776->774 779 69373e-693749 CreatePopupMenu 776->779 777->774 796 6cd3a9 777->796 780 6936a8-6936ad 778->780 781 693767-693776 call 694531 778->781 779->774 786 6cd374-6cd37b 780->786 787 6936b3-6936b8 780->787 781->774 784->774 791 6cd2f8-6cd317 MoveWindow 785->791 792 6cd2c4-6cd2c6 785->792 786->767 802 6cd381-6cd38a call 6e817e 786->802 794 69374b-69375b call 6945df 787->794 795 6936be-6936c4 787->795 791->774 799 6cd2c8-6cd2cb 792->799 800 6cd2e7-6cd2f3 SetFocus 792->800 794->774 795->767 795->804 796->767 799->795 805 6cd2d1-6cd2e2 call 6a11d0 799->805 800->774 802->767 804->767 809 6cd35c-6cd36f call 6944cb call 6943db 804->809 805->774 809->767
            APIs
            • DefWindowProcW.USER32(?,?,?,?), ref: 006936D2
            • KillTimer.USER32(?,00000001), ref: 006936FC
            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0069371F
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0069372A
            • CreatePopupMenu.USER32 ref: 0069373E
            • PostQuitMessage.USER32(00000000), ref: 0069375F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
            • String ID: TaskbarCreated$%r
            • API String ID: 129472671-4130811174
            • Opcode ID: 5f618fc245657cba1bf6d064e1a0be81148c44b7e9dde6569dac7310a5cddda4
            • Instruction ID: 2c74061e2a46a61cca3cb0b5d652533275941bdd9ed8688c9999fa9d0f772ce8
            • Opcode Fuzzy Hash: 5f618fc245657cba1bf6d064e1a0be81148c44b7e9dde6569dac7310a5cddda4
            • Instruction Fuzzy Hash: 734117B1204215BBDF145BA8DC09BF9375FE701301F54413DFA028BBE1DAA8AE05966E

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00693A62
            • LoadCursorW.USER32(00000000,00007F00), ref: 00693A71
            • LoadIconW.USER32(00000063), ref: 00693A88
            • LoadIconW.USER32(000000A4), ref: 00693A9A
            • LoadIconW.USER32(000000A2), ref: 00693AAC
            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00693AD2
            • RegisterClassExW.USER32(?), ref: 00693B28
              • Part of subcall function 00693041: GetSysColorBrush.USER32(0000000F), ref: 00693074
              • Part of subcall function 00693041: RegisterClassExW.USER32(00000030), ref: 0069309E
              • Part of subcall function 00693041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 006930AF
              • Part of subcall function 00693041: InitCommonControlsEx.COMCTL32(?), ref: 006930CC
              • Part of subcall function 00693041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 006930DC
              • Part of subcall function 00693041: LoadIconW.USER32(000000A9), ref: 006930F2
              • Part of subcall function 00693041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00693101
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
            • String ID: #$0$AutoIt v3
            • API String ID: 423443420-4155596026
            • Opcode ID: 53bba210fca57143bdc8782190a0634cb689860993e38541ab77dcd31a2a3458
            • Instruction ID: 0142612e8f5e40c97ba3044435584dc7a83af9232af922dfb8a3497d2058d4ee
            • Opcode Fuzzy Hash: 53bba210fca57143bdc8782190a0634cb689860993e38541ab77dcd31a2a3458
            • Instruction Fuzzy Hash: 86211771900308AFEB109FA8EC09BDD7BB5FB08712F40812AE504A72E0D7BA56549F98

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$bu
            • API String ID: 1825951767-1794477260
            • Opcode ID: 371098f057dcc0c99b01744d5dcf6a15c75a645f16501e81adc7ba9194e71335
            • Instruction ID: 064d894480efbd16f22f152469c4b6728482703a5219824bd073a87ae7a0708f
            • Opcode Fuzzy Hash: 371098f057dcc0c99b01744d5dcf6a15c75a645f16501e81adc7ba9194e71335
            • Instruction Fuzzy Hash: 7BA15F719102299ACF54EFA4CC95EFEB77EBF14300F44012EE416A7691EF745A0ACB68

            Control-flow Graph

            APIs
              • Part of subcall function 006B03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 006B03D3
              • Part of subcall function 006B03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 006B03DB
              • Part of subcall function 006B03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 006B03E6
              • Part of subcall function 006B03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 006B03F1
              • Part of subcall function 006B03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 006B03F9
              • Part of subcall function 006B03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 006B0401
              • Part of subcall function 006A6259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0069FA90), ref: 006A62B4
            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0069FB2D
            • OleInitialize.OLE32(00000000), ref: 0069FBAA
            • CloseHandle.KERNEL32(00000000), ref: 006D49F2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
            • String ID: <gu$\du$%r$cu
            • API String ID: 1986988660-3505173898
            • Opcode ID: fa58a968c81186b67f2671f274f98dbc5438e661f7f85355ce548172a454b571
            • Instruction ID: 0b23fa975d0604367031606e54e7f349f751e9223b68bc2db3a4d4f181433ca9
            • Opcode Fuzzy Hash: fa58a968c81186b67f2671f274f98dbc5438e661f7f85355ce548172a454b571
            • Instruction Fuzzy Hash: F681BCB09003808FC784EF69E9406E57AE6FB98316790C67ED418C7362EBBD46458F58

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 993 12425e0-124268e call 1240000 996 1242695-12426bb call 12434f0 CreateFileW 993->996 999 12426c2-12426d2 996->999 1000 12426bd 996->1000 1008 12426d4 999->1008 1009 12426d9-12426f3 VirtualAlloc 999->1009 1001 124280d-1242811 1000->1001 1002 1242853-1242856 1001->1002 1003 1242813-1242817 1001->1003 1005 1242859-1242860 1002->1005 1006 1242823-1242827 1003->1006 1007 1242819-124281c 1003->1007 1010 12428b5-12428ca 1005->1010 1011 1242862-124286d 1005->1011 1012 1242837-124283b 1006->1012 1013 1242829-1242833 1006->1013 1007->1006 1008->1001 1014 12426f5 1009->1014 1015 12426fa-1242711 ReadFile 1009->1015 1020 12428cc-12428d7 VirtualFree 1010->1020 1021 12428da-12428e2 1010->1021 1018 1242871-124287d 1011->1018 1019 124286f 1011->1019 1022 124283d-1242847 1012->1022 1023 124284b 1012->1023 1013->1012 1014->1001 1016 1242713 1015->1016 1017 1242718-1242758 VirtualAlloc 1015->1017 1016->1001 1024 124275f-124277a call 1243740 1017->1024 1025 124275a 1017->1025 1026 1242891-124289d 1018->1026 1027 124287f-124288f 1018->1027 1019->1010 1020->1021 1022->1023 1023->1002 1033 1242785-124278f 1024->1033 1025->1001 1030 124289f-12428a8 1026->1030 1031 12428aa-12428b0 1026->1031 1029 12428b3 1027->1029 1029->1005 1030->1029 1031->1029 1034 1242791-12427c0 call 1243740 1033->1034 1035 12427c2-12427d6 call 1243550 1033->1035 1034->1033 1041 12427d8 1035->1041 1042 12427da-12427de 1035->1042 1041->1001 1043 12427e0-12427e4 CloseHandle 1042->1043 1044 12427ea-12427ee 1042->1044 1043->1044 1045 12427f0-12427fb VirtualFree 1044->1045 1046 12427fe-1242807 1044->1046 1045->1046 1046->996 1046->1001
            APIs
            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 012426B1
            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 012428D7
            Memory Dump Source
            • Source File: 00000000.00000002.2059801101.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1240000_Salary_Receipt.jbxd
            Similarity
            • API ID: CreateFileFreeVirtual
            • String ID:
            • API String ID: 204039940-0
            • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
            • Instruction ID: 831c5ec041f1268f5e0ea8fda0eefd6fabb8e35a0b81c6809999a7d69f65aab5
            • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
            • Instruction Fuzzy Hash: 93A11874E10209EBEB18CFA5D855BAEBBB5FF48304F208159F601BB280D7759A41CFA4

            Control-flow Graph

            control_flow_graph 1114 6939e7-693a57 CreateWindowExW * 2 ShowWindow * 2
            APIs
            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00693A15
            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00693A36
            • ShowWindow.USER32(00000000,?,?), ref: 00693A4A
            • ShowWindow.USER32(00000000,?,?), ref: 00693A53
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$CreateShow
            • String ID: AutoIt v3$edit
            • API String ID: 1584632944-3779509399
            • Opcode ID: cc4f46d59fc26f655d6031e27e6b5e08232dfa1f100eb7e44947fbe98c9ed627
            • Instruction ID: 4da52b6dc085c6a236437adb866ba053d36bdacb561ce25ad023710a6d975ac1
            • Opcode Fuzzy Hash: cc4f46d59fc26f655d6031e27e6b5e08232dfa1f100eb7e44947fbe98c9ed627
            • Instruction Fuzzy Hash: ADF0DA716413907EEB3117276C49EA72E7DE7C6F61F40812AF908A31B0C6ED5851DAB8

            Control-flow Graph

            control_flow_graph 1115 12423b0-12424d5 call 1240000 call 12422a0 CreateFileW 1122 12424d7 1115->1122 1123 12424dc-12424ec 1115->1123 1124 124258c-1242591 1122->1124 1126 12424f3-124250d VirtualAlloc 1123->1126 1127 12424ee 1123->1127 1128 1242511-1242528 ReadFile 1126->1128 1129 124250f 1126->1129 1127->1124 1130 124252c-1242566 call 12422e0 call 12412a0 1128->1130 1131 124252a 1128->1131 1129->1124 1136 1242582-124258a ExitProcess 1130->1136 1137 1242568-124257d call 1242330 1130->1137 1131->1124 1136->1124 1137->1136
            APIs
              • Part of subcall function 012422A0: Sleep.KERNELBASE(000001F4), ref: 012422B1
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 012424CB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059801101.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1240000_Salary_Receipt.jbxd
            Similarity
            • API ID: CreateFileSleep
            • String ID: 5RQ37DQCF5
            • API String ID: 2694422964-1946335759
            • Opcode ID: 0241d1407be0344f7efe922677fdb63c83abb8cf8e59d62c293aae01abd71a3d
            • Instruction ID: 51faf481588fa1d8d2a21e896f5d482911f3a79beefc8c4cef70cca1939226f7
            • Opcode Fuzzy Hash: 0241d1407be0344f7efe922677fdb63c83abb8cf8e59d62c293aae01abd71a3d
            • Instruction Fuzzy Hash: EA51B130D14249EBEF19DBA4D815BEEBB79EF48300F004199F609BB2C0D6B91B44CBA5

            Control-flow Graph

            control_flow_graph 1139 69410d-694123 1140 694129-69413e call 697b76 1139->1140 1141 694200-694204 1139->1141 1144 6cd5dd-6cd5ec LoadStringW 1140->1144 1145 694144-694164 call 697d2c 1140->1145 1148 6cd5f7-6cd60f call 697c8e call 697143 1144->1148 1145->1148 1149 69416a-69416e 1145->1149 1158 69417e-6941fb call 6b3020 call 69463e call 6b2ffc Shell_NotifyIconW call 695a64 1148->1158 1161 6cd615-6cd633 call 697e0b call 697143 call 697e0b 1148->1161 1151 694205-69420e call 6981a7 1149->1151 1152 694174-694179 call 697c8e 1149->1152 1151->1158 1152->1158 1158->1141 1161->1158
            APIs
            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 006CD5EC
              • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
            • _memset.LIBCMT ref: 0069418D
            • _wcscpy.LIBCMT ref: 006941E1
            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006941F1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
            • String ID: Line:
            • API String ID: 3942752672-1585850449
            • Opcode ID: e09e9ca5e47ecf65ccff0b19ba7f6bd2770d4a1c3812ed335e87b88e06be35ee
            • Instruction ID: 55f09644eb3624c53d7f3fa478de0e482b2bd8d3f892bc4caec896bb9e3b9829
            • Opcode Fuzzy Hash: e09e9ca5e47ecf65ccff0b19ba7f6bd2770d4a1c3812ed335e87b88e06be35ee
            • Instruction Fuzzy Hash: 2F31D371008304AADBA1EB60DC45FEB77EDAF44300F10851EF585935A1EFB4A649C79A
            APIs
              • Part of subcall function 00694F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00694F6F
            • _free.LIBCMT ref: 006CE68C
            • _free.LIBCMT ref: 006CE6D3
              • Part of subcall function 00696BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00696D0D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _free$CurrentDirectoryLibraryLoad
            • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
            • API String ID: 2861923089-1757145024
            • Opcode ID: ca8b7fa4eefdbe901fe8ec9c203ac53e53b50892cd501312c69015e71c0ed4f0
            • Instruction ID: dedd5e453fb8f5b75482e30de9a82e2b060e79f89c26a606becf544a73e7c228
            • Opcode Fuzzy Hash: ca8b7fa4eefdbe901fe8ec9c203ac53e53b50892cd501312c69015e71c0ed4f0
            • Instruction Fuzzy Hash: 9C917C71910219AFCF44EFA8C891EFDB7BAFF14314B14442DF816AB2A1EB319945CB54
            APIs
            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,006935A1,SwapMouseButtons,00000004,?), ref: 006935D4
            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,006935A1,SwapMouseButtons,00000004,?,?,?,?,00692754), ref: 006935F5
            • RegCloseKey.KERNELBASE(00000000,?,?,006935A1,SwapMouseButtons,00000004,?,?,?,?,00692754), ref: 00693617
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: CloseOpenQueryValue
            • String ID: Control Panel\Mouse
            • API String ID: 3677997916-824357125
            • Opcode ID: b97db846e38984d027dcc9d5878e6b6607c873aff4fc1992a414b0bbdc62124a
            • Instruction ID: 7e2d03841b87b6489c10059bfecf89c072ae1e976fc4dfe47cb995d87cb2a50a
            • Opcode Fuzzy Hash: b97db846e38984d027dcc9d5878e6b6607c873aff4fc1992a414b0bbdc62124a
            • Instruction Fuzzy Hash: 89113371610228BADF208FA8DC80AEABBAEEF04740F008469E805D7310E2719E419BA4
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 01241A5B
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01241AF1
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01241B13
            Memory Dump Source
            • Source File: 00000000.00000002.2059801101.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1240000_Salary_Receipt.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
            • Instruction ID: 0c9041f7621820dc7c40e4efa51dbcf9fb2627b14ea4c9c02156c88ca706c2b3
            • Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
            • Instruction Fuzzy Hash: 75621D30A24258DBEB24CFA4C841BDEB772EF58700F1091A9D20DEB390E7759E91CB59
            APIs
              • Part of subcall function 00695045: _fseek.LIBCMT ref: 0069505D
              • Part of subcall function 006F99BE: _wcscmp.LIBCMT ref: 006F9AAE
              • Part of subcall function 006F99BE: _wcscmp.LIBCMT ref: 006F9AC1
            • _free.LIBCMT ref: 006F992C
            • _free.LIBCMT ref: 006F9933
            • _free.LIBCMT ref: 006F999E
              • Part of subcall function 006B2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,006B9C64), ref: 006B2FA9
              • Part of subcall function 006B2F95: GetLastError.KERNEL32(00000000,?,006B9C64), ref: 006B2FBB
            • _free.LIBCMT ref: 006F99A6
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
            • String ID:
            • API String ID: 1552873950-0
            • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
            • Instruction ID: 98de847fef20c4ab69d09ed63017db86c9c7cc886b7bc16a23d9306df887b93e
            • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
            • Instruction Fuzzy Hash: 5F515FB1D04618AFDF649F64CC45BEEBBBAEF48300F0404AEB209A7241DB715A90CF58
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
            • String ID:
            • API String ID: 2782032738-0
            • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
            • Instruction ID: 7b906712dce17f3541b429e6e263995836f367ab167ced940005238b76605009
            • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
            • Instruction Fuzzy Hash: 3C41A4B16407059BDB289EA9C8809EF7BABEF80360B24816DE855C7746EF719DC18B44
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memmove
            • String ID: AU3!P/r$EA06
            • API String ID: 4104443479-480415842
            • Opcode ID: b2fb2c206c93cdac7deeb0d3dda8232b028e44c3d653d606801a2a49bbe27207
            • Instruction ID: ac976e57409826b3d0b6ed0c32bab0e628f835dac83fbb95c36a710d6add1a92
            • Opcode Fuzzy Hash: b2fb2c206c93cdac7deeb0d3dda8232b028e44c3d653d606801a2a49bbe27207
            • Instruction Fuzzy Hash: FF416C71A045545BDF129B648851FFE7FAFAF41300F184168E8429B782DD219D8783A1
            APIs
            • _memset.LIBCMT ref: 006CEE62
            • GetOpenFileNameW.COMDLG32(?), ref: 006CEEAC
              • Part of subcall function 006948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006948A1,?,?,006937C0,?), ref: 006948CE
              • Part of subcall function 006B09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006B09F4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Name$Path$FileFullLongOpen_memset
            • String ID: X
            • API String ID: 3777226403-3081909835
            • Opcode ID: 5bf7124ce611fc53a7fe8213c525e79b5ac9d073abb884c8da280b25e3ec33fe
            • Instruction ID: 9a671b15120e84203755e5e55b51ac66a6eb089d1bb61dee5551d28c505d7f6d
            • Opcode Fuzzy Hash: 5bf7124ce611fc53a7fe8213c525e79b5ac9d073abb884c8da280b25e3ec33fe
            • Instruction Fuzzy Hash: 0221C670A102589BDF51DF94C845BEE7BFE9F49710F00805EE508E7281DBB85A8E8F95
            APIs
            • GetTempPathW.KERNEL32(00000104,?), ref: 006F9B82
            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 006F9B99
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Temp$FileNamePath
            • String ID: aut
            • API String ID: 3285503233-3010740371
            • Opcode ID: 125aa020f4df4be0523d83c687d1dc5f2bd503699fe8256d75428ca1f98d9ee7
            • Instruction ID: 924a4a420ddc12c42f3efd317599d2e681d5d48b840d8689beb9d2db7c7c9dd5
            • Opcode Fuzzy Hash: 125aa020f4df4be0523d83c687d1dc5f2bd503699fe8256d75428ca1f98d9ee7
            • Instruction Fuzzy Hash: 3CD0177958030EABDA10AA989C0EFDA776CA704700F0082A1FA54920A1DAB855988A95
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: c2299d552405aadc0c1446f10a4b46aa60042259be9e1068040e8b51725bd428
            • Instruction ID: 41fbfd624a1d76822ece39774cba5581ce91ec3eee9c16fdde84b3d04ddf4444
            • Opcode Fuzzy Hash: c2299d552405aadc0c1446f10a4b46aa60042259be9e1068040e8b51725bd428
            • Instruction Fuzzy Hash: 88F12571608301DFCB24DF68C484A6ABBE5FF88314F148A2DF8999B291D735E945CF92
            APIs
            • _memset.LIBCMT ref: 00694401
            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 006944A6
            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 006944C3
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: IconNotifyShell_$_memset
            • String ID:
            • API String ID: 1505330794-0
            • Opcode ID: 01b0f0ea08000a2e72b4c022b852d4432c31cb7e7f3ee953ce73452fec7790f0
            • Instruction ID: 90e9dd09452be8913cae0df90555d4da37786830a2dd69738861a06c224afcdd
            • Opcode Fuzzy Hash: 01b0f0ea08000a2e72b4c022b852d4432c31cb7e7f3ee953ce73452fec7790f0
            • Instruction Fuzzy Hash: C23181B05047019FDB60DF24D884BDBBBE9FB48705F00492EE59A83740DBB5A945CB96
            APIs
            • __FF_MSGBANNER.LIBCMT ref: 006B5963
              • Part of subcall function 006BA3AB: __NMSG_WRITE.LIBCMT ref: 006BA3D2
              • Part of subcall function 006BA3AB: __NMSG_WRITE.LIBCMT ref: 006BA3DC
            • __NMSG_WRITE.LIBCMT ref: 006B596A
              • Part of subcall function 006BA408: GetModuleFileNameW.KERNEL32(00000000,007543BA,00000104,?,00000001,00000000), ref: 006BA49A
              • Part of subcall function 006BA408: ___crtMessageBoxW.LIBCMT ref: 006BA548
              • Part of subcall function 006B32DF: ___crtCorExitProcess.LIBCMT ref: 006B32E5
              • Part of subcall function 006B32DF: ExitProcess.KERNEL32 ref: 006B32EE
              • Part of subcall function 006B8D68: __getptd_noexit.LIBCMT ref: 006B8D68
            • RtlAllocateHeap.NTDLL(01300000,00000000,00000001,00000000,?,?,?,006B1013,?), ref: 006B598F
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
            • String ID:
            • API String ID: 1372826849-0
            • Opcode ID: b2b79421039ea69c70f3c69d79a0cbd697e1928921e0db896c0e568004d94b5c
            • Instruction ID: 2e364ae7acd67e94f9371718ee57f81ae034588271ef47264c52422f612f71a2
            • Opcode Fuzzy Hash: b2b79421039ea69c70f3c69d79a0cbd697e1928921e0db896c0e568004d94b5c
            • Instruction Fuzzy Hash: 0201D2B2340B65DEE6613B64E842BEE728B9F41771F10002EF5069B2C1DAB49DC19369
            APIs
            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,006F97D2,?,?,?,?,?,00000004), ref: 006F9B45
            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,006F97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 006F9B5B
            • CloseHandle.KERNEL32(00000000,?,006F97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 006F9B62
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: File$CloseCreateHandleTime
            • String ID:
            • API String ID: 3397143404-0
            • Opcode ID: b4bde4490bbbc83d3af6bdfea77683cfe3052898e610f8cb928ef8f3de8501ed
            • Instruction ID: de4dd1cef078b1173171bb114769ddfee0f5219b640fd2c241e91ffacb814ff9
            • Opcode Fuzzy Hash: b4bde4490bbbc83d3af6bdfea77683cfe3052898e610f8cb928ef8f3de8501ed
            • Instruction Fuzzy Hash: 08E08632180618B7D7211B58EC09FDA7F29AB05761F10C220FB24690E0C7B56511979C
            APIs
            • _free.LIBCMT ref: 006F8FA5
              • Part of subcall function 006B2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,006B9C64), ref: 006B2FA9
              • Part of subcall function 006B2F95: GetLastError.KERNEL32(00000000,?,006B9C64), ref: 006B2FBB
            • _free.LIBCMT ref: 006F8FB6
            • _free.LIBCMT ref: 006F8FC8
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
            • Instruction ID: 09a08b6ec7a4234c574c3ffbd5a510793c1e655b81fb53c1f6d7124b8669b9a5
            • Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
            • Instruction Fuzzy Hash: 05E012E161A7064ECA64A978AD54AF357EF5F48390718085DB509DB243DE24E8918228
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID: CALL
            • API String ID: 0-4196123274
            • Opcode ID: 653dd1f1f3a9899cea1866b2f105574ccd0bf963f016d74ba4cc1e80a8e7d746
            • Instruction ID: 989d12a49935f37f5f16539cc77827c83ed0d30a191599f87fef3aa499e4a241
            • Opcode Fuzzy Hash: 653dd1f1f3a9899cea1866b2f105574ccd0bf963f016d74ba4cc1e80a8e7d746
            • Instruction Fuzzy Hash: 24225670508341DFDB64DF54C494BAABBE6BF85300F14895DE88A8B762DB31EC85CB86
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memmove
            • String ID:
            • API String ID: 4104443479-0
            • Opcode ID: 888ce228c65e5e126e2c0d83d6bef63a0f4650b727a1fb86e52d4496ebb79edc
            • Instruction ID: b64a5da022b082bc10f2eae116886e05f3bbec8171e2f42e859304b97eef7c3a
            • Opcode Fuzzy Hash: 888ce228c65e5e126e2c0d83d6bef63a0f4650b727a1fb86e52d4496ebb79edc
            • Instruction Fuzzy Hash: AD31B1B1714506EFCB14DF68C891EAAB3AEFF48310715862EE915CB791EB30E851CB94
            APIs
            • IsThemeActive.UXTHEME ref: 00694992
              • Part of subcall function 006B35AC: __lock.LIBCMT ref: 006B35B2
              • Part of subcall function 006B35AC: DecodePointer.KERNEL32(00000001,?,006949A7,006E81BC), ref: 006B35BE
              • Part of subcall function 006B35AC: EncodePointer.KERNEL32(?,?,006949A7,006E81BC), ref: 006B35C9
              • Part of subcall function 00694A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00694A73
              • Part of subcall function 00694A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00694A88
              • Part of subcall function 00693B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00693B7A
              • Part of subcall function 00693B4C: IsDebuggerPresent.KERNEL32 ref: 00693B8C
              • Part of subcall function 00693B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,007562F8,007562E0,?,?), ref: 00693BFD
              • Part of subcall function 00693B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00693C81
            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 006949D2
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
            • String ID:
            • API String ID: 1438897964-0
            • Opcode ID: 64f9baf00aa365c4e10c05341f792a6890dcac52bbb4fdebc84d52000031f087
            • Instruction ID: 4fd41446b949a8a88cd8d962da951fc68af4d880ec91087d37756a62b1b3d5a5
            • Opcode Fuzzy Hash: 64f9baf00aa365c4e10c05341f792a6890dcac52bbb4fdebc84d52000031f087
            • Instruction Fuzzy Hash: 79119A719083119FCB00EF29EC0598AFBE9FB98711F00851EF045832B1DBB49A46CB9A
            APIs
              • Part of subcall function 006B594C: __FF_MSGBANNER.LIBCMT ref: 006B5963
              • Part of subcall function 006B594C: __NMSG_WRITE.LIBCMT ref: 006B596A
              • Part of subcall function 006B594C: RtlAllocateHeap.NTDLL(01300000,00000000,00000001,00000000,?,?,?,006B1013,?), ref: 006B598F
            • std::exception::exception.LIBCMT ref: 006B102C
            • __CxxThrowException@8.LIBCMT ref: 006B1041
              • Part of subcall function 006B87DB: RaiseException.KERNEL32(?,?,?,0074BAF8,00000000,?,?,?,?,006B1046,?,0074BAF8,?,00000001), ref: 006B8830
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
            • String ID:
            • API String ID: 3902256705-0
            • Opcode ID: a871833cf80e81bdc702df0478373e9c0955b968f87cb976d9bf1f421d9d5b4f
            • Instruction ID: 1879ad228aa00b67ab5e0e584824c486931516deaec6e9557dd077c1f50455f7
            • Opcode Fuzzy Hash: a871833cf80e81bdc702df0478373e9c0955b968f87cb976d9bf1f421d9d5b4f
            • Instruction Fuzzy Hash: E4F0F4B564022DB6CB20BA58EC159DF7BAE9F01350F60002AF80497282EFB0CBC1C398
            APIs
              • Part of subcall function 006B8D68: __getptd_noexit.LIBCMT ref: 006B8D68
            • __lock_file.LIBCMT ref: 006B561B
              • Part of subcall function 006B6E4E: __lock.LIBCMT ref: 006B6E71
            • __fclose_nolock.LIBCMT ref: 006B5626
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
            • String ID:
            • API String ID: 2800547568-0
            • Opcode ID: 5157e1b1016794e706731eb1613589788680b717a1da820013e84c0a36fcfb92
            • Instruction ID: b25dbda1057ec606ad94e4afcc9d1cb0995e72875df290889c9321c32f36232d
            • Opcode Fuzzy Hash: 5157e1b1016794e706731eb1613589788680b717a1da820013e84c0a36fcfb92
            • Instruction Fuzzy Hash: CCF0F6F1800A009ED7606B7488027EE77971F40330F58410EA412AB1D1DF7C8982CB59
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 01241A5B
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01241AF1
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01241B13
            Memory Dump Source
            • Source File: 00000000.00000002.2059801101.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1240000_Salary_Receipt.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
            • Instruction ID: e0d963125449114eb74ad91ec54f7f9aa932c774bf36cd774ffaa74e6f069ebc
            • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
            • Instruction Fuzzy Hash: 6112ED24E24658C6EB24DF64D8507DEB232FF68300F1090E9910DEB7A4E77A5E91CB5A
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ClearVariant
            • String ID:
            • API String ID: 1473721057-0
            • Opcode ID: e50d75cca516921e529064f1ef896391ffea8ca7c3e83e99561d6618f4f4a973
            • Instruction ID: 03de59358ede6e26815afa4903c670a849d1c9ddd09dfcae9ac428943c1f983d
            • Opcode Fuzzy Hash: e50d75cca516921e529064f1ef896391ffea8ca7c3e83e99561d6618f4f4a973
            • Instruction Fuzzy Hash: 56415974908341DFDB24DF54C484B5ABBE2BF45308F1988ACE8894B762C732EC85CB96
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memmove
            • String ID:
            • API String ID: 4104443479-0
            • Opcode ID: cebbf3096c7e79101835e48bed3cece829bbb7881f402af95731c0ee29ca182c
            • Instruction ID: 8b384185590d8c52c4dadb7be2bfa87925f601d07fc6ab8b192e58c4ed4de895
            • Opcode Fuzzy Hash: cebbf3096c7e79101835e48bed3cece829bbb7881f402af95731c0ee29ca182c
            • Instruction Fuzzy Hash: 2D210D71614609EBDF105F20E842BB97BBAFF11750F25C46EE886C55A1EB30D5E0870A
            APIs
              • Part of subcall function 00694D13: FreeLibrary.KERNEL32(00000000,?), ref: 00694D4D
              • Part of subcall function 006B548B: __wfsopen.LIBCMT ref: 006B5496
            • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00694F6F
              • Part of subcall function 00694CC8: FreeLibrary.KERNEL32(00000000), ref: 00694D02
              • Part of subcall function 00694DD0: _memmove.LIBCMT ref: 00694E1A
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Library$Free$Load__wfsopen_memmove
            • String ID:
            • API String ID: 1396898556-0
            • Opcode ID: b2181da951c6474a0abaccab9866e6ba163791321767497961d36f24eff9dcdb
            • Instruction ID: 4f4d3b94fea9b01c0734d7c10996d98471d6ca8acc80cdd35c4ac06a1ec0d2c6
            • Opcode Fuzzy Hash: b2181da951c6474a0abaccab9866e6ba163791321767497961d36f24eff9dcdb
            • Instruction Fuzzy Hash: 6211E73160070AAACF54AF74CC02FAE77AE9F84711F10852DF542A66C1EE759A069BA4
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ClearVariant
            • String ID:
            • API String ID: 1473721057-0
            • Opcode ID: dd7e7112e5ebfb988dc3efe0c26f8914793f3e57433ad2c8e7aa532586d78ccd
            • Instruction ID: 258bd9216835c32f623674adbbc988fafefd64d9e37d0721a1108253866eeaef
            • Opcode Fuzzy Hash: dd7e7112e5ebfb988dc3efe0c26f8914793f3e57433ad2c8e7aa532586d78ccd
            • Instruction Fuzzy Hash: F92155B4908341DFCB24DF54C444B5ABBE6BF89304F04896CE88A4BB61C731F885DB96
            APIs
            • __lock_file.LIBCMT ref: 006B4AD6
              • Part of subcall function 006B8D68: __getptd_noexit.LIBCMT ref: 006B8D68
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: __getptd_noexit__lock_file
            • String ID:
            • API String ID: 2597487223-0
            • Opcode ID: 67d6ef83ed616a88a6aed935c7a831e38fab6f96dc3a03383af96b1d5a86fa7c
            • Instruction ID: a41d2cdf1aeacf835e877493a6cadfd04b03919c923d8a5f2c36f60e61cde31e
            • Opcode Fuzzy Hash: 67d6ef83ed616a88a6aed935c7a831e38fab6f96dc3a03383af96b1d5a86fa7c
            • Instruction Fuzzy Hash: E5F081B19402099BDFA1AF74CC067DE3666AF00325F044518B4149B1D2DF788A91DB59
            APIs
            • FreeLibrary.KERNEL32(?,?,007562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00694FDE
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: FreeLibrary
            • String ID:
            • API String ID: 3664257935-0
            • Opcode ID: 16202be0aa6a7d0237c099ad0febfff3b3bf426b98d0d14e56751e78a08c21c5
            • Instruction ID: 756699c473c3169581888f707511cb0d605e9a223b9d45d6e911ab71ce328e70
            • Opcode Fuzzy Hash: 16202be0aa6a7d0237c099ad0febfff3b3bf426b98d0d14e56751e78a08c21c5
            • Instruction Fuzzy Hash: 3AF03071105712CFCF349F64D494C92BBEABF4432A3208A3EE5D782A10CB319842DF40
            APIs
            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 006B09F4
              • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: LongNamePath_memmove
            • String ID:
            • API String ID: 2514874351-0
            • Opcode ID: f6a8547c981c8070f286f748cbd7f7cda44bc92ab27d0e45f7361366263e88ef
            • Instruction ID: a03a9de10cfe440a789eb61853f77c19f84c6c09f6902312c646366d621bb61d
            • Opcode Fuzzy Hash: f6a8547c981c8070f286f748cbd7f7cda44bc92ab27d0e45f7361366263e88ef
            • Instruction Fuzzy Hash: 26E0CD3690422857C720D65C9C05FFA77EDDF89790F0441B9FC0CD7245D9759C818694
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: __wfsopen
            • String ID:
            • API String ID: 197181222-0
            • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
            • Instruction ID: f7795be6b48d50d3c4c5000de8e954dfa829c5b448764dac2e862d079d37d1c3
            • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
            • Instruction Fuzzy Hash: A8B092B684020C77DE422E82EC02B993B5A9B40778F808020FB0C18162A673A6A09689
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
            • Instruction ID: 39f46ed3662f9aa03dfb28eebf9b531f0b02e583680418cba6b529820d22c2d0
            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
            • Instruction Fuzzy Hash: B33195B1A00105DFE718DF58D4809AAFBA6FF59310B648AA5E409CF755DB31EDC2CB90
            APIs
            • Sleep.KERNELBASE(000001F4), ref: 012422B1
            Memory Dump Source
            • Source File: 00000000.00000002.2059801101.0000000001240000.00000040.00001000.00020000.00000000.sdmp, Offset: 01240000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_1240000_Salary_Receipt.jbxd
            Similarity
            • API ID: Sleep
            • String ID:
            • API String ID: 3472027048-0
            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
            • Instruction ID: 972db5da63458a2b9e02f62a8d88a0aab6133191ccb007edb6d91356ec9624af
            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
            • Instruction Fuzzy Hash: 44E0E67494010EDFDB00EFB5D94969E7FB4EF04301F100161FD01D2281D6309D508A72
            APIs
              • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0071CE50
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0071CE91
            • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0071CED6
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0071CF00
            • SendMessageW.USER32 ref: 0071CF29
            • _wcsncpy.LIBCMT ref: 0071CFA1
            • GetKeyState.USER32(00000011), ref: 0071CFC2
            • GetKeyState.USER32(00000009), ref: 0071CFCF
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0071CFE5
            • GetKeyState.USER32(00000010), ref: 0071CFEF
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0071D018
            • SendMessageW.USER32 ref: 0071D03F
            • SendMessageW.USER32(?,00001030,?,0071B602), ref: 0071D145
            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0071D15B
            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0071D16E
            • SetCapture.USER32(?), ref: 0071D177
            • ClientToScreen.USER32(?,?), ref: 0071D1DC
            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0071D1E9
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0071D203
            • ReleaseCapture.USER32 ref: 0071D20E
            • GetCursorPos.USER32(?), ref: 0071D248
            • ScreenToClient.USER32(?,?), ref: 0071D255
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 0071D2B1
            • SendMessageW.USER32 ref: 0071D2DF
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0071D31C
            • SendMessageW.USER32 ref: 0071D34B
            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0071D36C
            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0071D37B
            • GetCursorPos.USER32(?), ref: 0071D39B
            • ScreenToClient.USER32(?,?), ref: 0071D3A8
            • GetParent.USER32(?), ref: 0071D3C8
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 0071D431
            • SendMessageW.USER32 ref: 0071D462
            • ClientToScreen.USER32(?,?), ref: 0071D4C0
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0071D4F0
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 0071D51A
            • SendMessageW.USER32 ref: 0071D53D
            • ClientToScreen.USER32(?,?), ref: 0071D58F
            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0071D5C3
              • Part of subcall function 006925DB: GetWindowLongW.USER32(?,000000EB), ref: 006925EC
            • GetWindowLongW.USER32(?,000000F0), ref: 0071D65F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
            • String ID: @GUI_DRAGID$F$pru
            • API String ID: 3977979337-1757834283
            • Opcode ID: db530cdfa1664be9a4746830553ac781756bfe70fdcd442ed92498b2011c03e3
            • Instruction ID: 0b3f3bd46255c524ab4cf43aa59dfab1ef70ec73971618ee68c6f8c635fac186
            • Opcode Fuzzy Hash: db530cdfa1664be9a4746830553ac781756bfe70fdcd442ed92498b2011c03e3
            • Instruction Fuzzy Hash: 7A428B30244341AFCB21CF6CC844AEABBE6FF48314F14461DF6958B2E0C779A894CB96
            APIs
            • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0071873F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: %d/%02d/%02d
            • API String ID: 3850602802-328681919
            • Opcode ID: 7e8b037d8522092cf1155e4af5129275c326d20c300df24c71a2f30ee22ece8a
            • Instruction ID: 0663cabf886bae5c31ee17057de3923a9d5b763dc4611f23d5ff06d3abe24673
            • Opcode Fuzzy Hash: 7e8b037d8522092cf1155e4af5129275c326d20c300df24c71a2f30ee22ece8a
            • Instruction Fuzzy Hash: 6312D171500208ABEB658F6CDC49FEE7BB9EF45310F248129F915EA2E1DF788981CB15
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memmove$_memset
            • String ID: 0wt$DEFINE$Oaj$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
            • API String ID: 1357608183-2205864362
            • Opcode ID: 75021460f783c9530a60ff08c3cf8c7ebf746ec5977c9732c6be2522bc6c30b2
            • Instruction ID: 51448f88183cef9867b48a790b62ab14ee4e0f69856570e3b4551f64c6093d41
            • Opcode Fuzzy Hash: 75021460f783c9530a60ff08c3cf8c7ebf746ec5977c9732c6be2522bc6c30b2
            • Instruction Fuzzy Hash: 89939071A013569FDB24DF69C8957EDB7B2FF48310F25816AE945AB380E7709E82CB40
            APIs
            • GetForegroundWindow.USER32(00000000,?), ref: 00694A3D
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006CDA8E
            • IsIconic.USER32(?), ref: 006CDA97
            • ShowWindow.USER32(?,00000009), ref: 006CDAA4
            • SetForegroundWindow.USER32(?), ref: 006CDAAE
            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006CDAC4
            • GetCurrentThreadId.KERNEL32 ref: 006CDACB
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 006CDAD7
            • AttachThreadInput.USER32(?,00000000,00000001), ref: 006CDAE8
            • AttachThreadInput.USER32(?,00000000,00000001), ref: 006CDAF0
            • AttachThreadInput.USER32(00000000,?,00000001), ref: 006CDAF8
            • SetForegroundWindow.USER32(?), ref: 006CDAFB
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 006CDB10
            • keybd_event.USER32(00000012,00000000), ref: 006CDB1B
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 006CDB25
            • keybd_event.USER32(00000012,00000000), ref: 006CDB2A
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 006CDB33
            • keybd_event.USER32(00000012,00000000), ref: 006CDB38
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 006CDB42
            • keybd_event.USER32(00000012,00000000), ref: 006CDB47
            • SetForegroundWindow.USER32(?), ref: 006CDB4A
            • AttachThreadInput.USER32(?,?,00000000), ref: 006CDB71
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
            • String ID: Shell_TrayWnd
            • API String ID: 4125248594-2988720461
            APIs
              • Part of subcall function 006E8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006E8D0D
              • Part of subcall function 006E8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006E8D3A
              • Part of subcall function 006E8CC3: GetLastError.KERNEL32 ref: 006E8D47
            • _memset.LIBCMT ref: 006E889B
            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 006E88ED
            • CloseHandle.KERNEL32(?), ref: 006E88FE
            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 006E8915
            • GetProcessWindowStation.USER32 ref: 006E892E
            • SetProcessWindowStation.USER32(00000000), ref: 006E8938
            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 006E8952
              • Part of subcall function 006E8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006E8851), ref: 006E8728
              • Part of subcall function 006E8713: CloseHandle.KERNEL32(?,?,006E8851), ref: 006E873A
            Strings
            Similarity
            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
            • String ID: $default$winsta0
            • API String ID: 2063423040-1027155976
            APIs
            • OpenClipboard.USER32(0071F910), ref: 00704284
            • IsClipboardFormatAvailable.USER32(0000000D), ref: 00704292
            • GetClipboardData.USER32(0000000D), ref: 0070429A
            • CloseClipboard.USER32 ref: 007042A6
            • GlobalLock.KERNEL32(00000000), ref: 007042C2
            • CloseClipboard.USER32 ref: 007042CC
            • GlobalUnlock.KERNEL32(00000000), ref: 007042E1
            • IsClipboardFormatAvailable.USER32(00000001), ref: 007042EE
            • GetClipboardData.USER32(00000001), ref: 007042F6
            • GlobalLock.KERNEL32(00000000), ref: 00704303
            • GlobalUnlock.KERNEL32(00000000), ref: 00704337
            • CloseClipboard.USER32 ref: 00704447
            Similarity
            • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
            • String ID:
            • API String ID: 3222323430-0
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 006FC9F8
            • FindClose.KERNEL32(00000000), ref: 006FCA4C
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006FCA71
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 006FCA88
            • FileTimeToSystemTime.KERNEL32(?,?), ref: 006FCAAF
            • __swprintf.LIBCMT ref: 006FCAFB
            • __swprintf.LIBCMT ref: 006FCB3E
              • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
            • __swprintf.LIBCMT ref: 006FCB92
              • Part of subcall function 006B38D8: __woutput_l.LIBCMT ref: 006B3931
            • __swprintf.LIBCMT ref: 006FCBE0
              • Part of subcall function 006B38D8: __flsbuf.LIBCMT ref: 006B3953
              • Part of subcall function 006B38D8: __flsbuf.LIBCMT ref: 006B396B
            • __swprintf.LIBCMT ref: 006FCC2F
            • __swprintf.LIBCMT ref: 006FCC7E
            • __swprintf.LIBCMT ref: 006FCCCD
            Strings
            Similarity
            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
            • API String ID: 3953360268-2428617273
            APIs
            • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 006FF221
            • _wcscmp.LIBCMT ref: 006FF236
            • _wcscmp.LIBCMT ref: 006FF24D
            • GetFileAttributesW.KERNEL32(?), ref: 006FF25F
            • SetFileAttributesW.KERNEL32(?,?), ref: 006FF279
            • FindNextFileW.KERNEL32(00000000,?), ref: 006FF291
            • FindClose.KERNEL32(00000000), ref: 006FF29C
            • FindFirstFileW.KERNEL32(*.*,?), ref: 006FF2B8
            • _wcscmp.LIBCMT ref: 006FF2DF
            • _wcscmp.LIBCMT ref: 006FF2F6
            • SetCurrentDirectoryW.KERNEL32(?), ref: 006FF308
            • SetCurrentDirectoryW.KERNEL32(0074A5A0), ref: 006FF326
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 006FF330
            • FindClose.KERNEL32(00000000), ref: 006FF33D
            • FindClose.KERNEL32(00000000), ref: 006FF34F
            Strings
            Similarity
            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
            • String ID: *.*
            • API String ID: 1803514871-438819550
            APIs
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00710BDE
            • RegCreateKeyExW.ADVAPI32(?,?,00000000,0071F910,00000000,?,00000000,?,?), ref: 00710C4C
            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00710C94
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00710D1D
            • RegCloseKey.ADVAPI32(?), ref: 0071103D
            • RegCloseKey.ADVAPI32(00000000), ref: 0071104A
            Strings
            Similarity
            • API ID: Close$ConnectCreateRegistryValue
            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
            • API String ID: 536824911-966354055
            APIs
            • FindFirstFileW.KERNEL32(?,?,75918FB0,?,00000000), ref: 006FF37E
            • _wcscmp.LIBCMT ref: 006FF393
            • _wcscmp.LIBCMT ref: 006FF3AA
              • Part of subcall function 006F45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 006F45DC
            • FindNextFileW.KERNEL32(00000000,?), ref: 006FF3D9
            • FindClose.KERNEL32(00000000), ref: 006FF3E4
            • FindFirstFileW.KERNEL32(*.*,?), ref: 006FF400
            • _wcscmp.LIBCMT ref: 006FF427
            • _wcscmp.LIBCMT ref: 006FF43E
            • SetCurrentDirectoryW.KERNEL32(?), ref: 006FF450
            • SetCurrentDirectoryW.KERNEL32(0074A5A0), ref: 006FF46E
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 006FF478
            • FindClose.KERNEL32(00000000), ref: 006FF485
            • FindClose.KERNEL32(00000000), ref: 006FF497
            Strings
            Similarity
            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
            • String ID: *.*
            • API String ID: 1824444939-438819550
            APIs
              • Part of subcall function 006E874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006E8766
              • Part of subcall function 006E874A: GetLastError.KERNEL32(?,006E822A,?,?,?), ref: 006E8770
              • Part of subcall function 006E874A: GetProcessHeap.KERNEL32(00000008,?,?,006E822A,?,?,?), ref: 006E877F
              • Part of subcall function 006E874A: HeapAlloc.KERNEL32(00000000,?,006E822A,?,?,?), ref: 006E8786
              • Part of subcall function 006E874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006E879D
              • Part of subcall function 006E87E7: GetProcessHeap.KERNEL32(00000008,006E8240,00000000,00000000,?,006E8240,?), ref: 006E87F3
              • Part of subcall function 006E87E7: HeapAlloc.KERNEL32(00000000,?,006E8240,?), ref: 006E87FA
              • Part of subcall function 006E87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,006E8240,?), ref: 006E880B
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006E825B
            • _memset.LIBCMT ref: 006E8270
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006E828F
            • GetLengthSid.ADVAPI32(?), ref: 006E82A0
            • GetAce.ADVAPI32(?,00000000,?), ref: 006E82DD
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006E82F9
            • GetLengthSid.ADVAPI32(?), ref: 006E8316
            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 006E8325
            • HeapAlloc.KERNEL32(00000000), ref: 006E832C
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 006E834D
            • CopySid.ADVAPI32(00000000), ref: 006E8354
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006E8385
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006E83AB
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 006E83BF
            Similarity
            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
            • String ID:
            • API String ID: 3996160137-0
            Strings
            Similarity
            • API ID:
            • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$Oaj$PJs$UCP)$UTF)$UTF16)
            • API String ID: 0-3081091665
            APIs
              • Part of subcall function 007110A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00710038,?,?), ref: 007110BC
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00710737
              • Part of subcall function 00699997: __itow.LIBCMT ref: 006999C2
              • Part of subcall function 00699997: __swprintf.LIBCMT ref: 00699A0C
            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 007107D6
            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0071086E
            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00710AAD
            • RegCloseKey.ADVAPI32(00000000), ref: 00710ABA
            Similarity
            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
            • String ID:
            • API String ID: 1240663315-0
            APIs
            • GetKeyboardState.USER32(?), ref: 006F0241
            • GetAsyncKeyState.USER32(000000A0), ref: 006F02C2
            • GetKeyState.USER32(000000A0), ref: 006F02DD
            • GetAsyncKeyState.USER32(000000A1), ref: 006F02F7
            • GetKeyState.USER32(000000A1), ref: 006F030C
            • GetAsyncKeyState.USER32(00000011), ref: 006F0324
            • GetKeyState.USER32(00000011), ref: 006F0336
            • GetAsyncKeyState.USER32(00000012), ref: 006F034E
            • GetKeyState.USER32(00000012), ref: 006F0360
            • GetAsyncKeyState.USER32(0000005B), ref: 006F0378
            • GetKeyState.USER32(0000005B), ref: 006F038A
            Similarity
            • API ID: State$Async$Keyboard
            • String ID:
            • API String ID: 541375521-0
            APIs
            Similarity
            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
            • String ID:
            • API String ID: 1737998785-0
            APIs
              • Part of subcall function 006948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006948A1,?,?,006937C0,?), ref: 006948CE
              • Part of subcall function 006F4CD3: GetFileAttributesW.KERNEL32(?,006F3947), ref: 006F4CD4
            • FindFirstFileW.KERNEL32(?,?), ref: 006F3ADF
            • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 006F3B87
            • MoveFileW.KERNEL32(?,?), ref: 006F3B9A
            • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 006F3BB7
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 006F3BD9
            • FindClose.KERNEL32(00000000,?,?,?,?), ref: 006F3BF5
            Strings
            Similarity
            • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
            • String ID: \*.*
            • API String ID: 4002782344-1173974218
            Strings
            Similarity
            • API ID:
            • String ID: ERCP$Oaj$VUUU$VUUU$VUUU$VUUU
            • API String ID: 0-2582381147
            APIs
              • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 006FF6AB
            • Sleep.KERNEL32(0000000A), ref: 006FF6DB
            • _wcscmp.LIBCMT ref: 006FF6EF
            • _wcscmp.LIBCMT ref: 006FF70A
            • FindNextFileW.KERNEL32(?,?), ref: 006FF7A8
            • FindClose.KERNEL32(00000000), ref: 006FF7BE
            Strings
            Similarity
            • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
            • String ID: *.*
            • API String ID: 713712311-438819550
            • Opcode ID: 88703d32290e0eed315686806d7406860c7c57062ee5735ee3fa1c442884ca69
            • Instruction ID: 4e93b458b20abb8116713a3d3ed3616226bcac1fddd76d2565ff8eb1020bfbdb
            • Opcode Fuzzy Hash: 88703d32290e0eed315686806d7406860c7c57062ee5735ee3fa1c442884ca69
            • Instruction Fuzzy Hash: DE41B37190420EAFCF51EF64DC85AEEBBB9FF05310F14456AE915A32A1EB309E44CB94
            APIs
            Similarity
            • API ID: _memmove
            • String ID:
            • API String ID: 4104443479-0
            • Opcode ID: 639a83d9fc34d71b8cb5bd56817fadd9fb515774db62055ab7574fddc441d2cb
            • Instruction ID: 3497f1cf01eab63215264b0361ec5e5a6c6f64a2c880cbb9f27795b51eb45ceb
            • Opcode Fuzzy Hash: 639a83d9fc34d71b8cb5bd56817fadd9fb515774db62055ab7574fddc441d2cb
            • Instruction Fuzzy Hash: 56129A70A00609EFDF14EFA5D981AEEB7BAFF49300F108169E806E7251EB35AD51CB54
            APIs
              • Part of subcall function 006B0FF6: std::exception::exception.LIBCMT ref: 006B102C
              • Part of subcall function 006B0FF6: __CxxThrowException@8.LIBCMT ref: 006B1041
            • _memmove.LIBCMT ref: 006E062F
            • _memmove.LIBCMT ref: 006E0744
            • _memmove.LIBCMT ref: 006E07EB
            Strings
            Similarity
            • API ID: _memmove$Exception@8Throwstd::exception::exception
            • String ID: yZj
            • API String ID: 1300846289-1230157653
            • Opcode ID: b59d1af9a9e7a31e11ce4afac4ba0f386f42849546edc1a177d6ff62de3af887
            • Instruction ID: 99e9da9086d6cc5cb4730f77e5654f63947d7d7af3adb4b73f6dd1e089d3acd0
            • Opcode Fuzzy Hash: b59d1af9a9e7a31e11ce4afac4ba0f386f42849546edc1a177d6ff62de3af887
            • Instruction Fuzzy Hash: 7C02EFB0A01209DFDF04EF65D981AAEBBB6EF45300F1480A9E806DB355EB34DD91CB95
            APIs
              • Part of subcall function 006E8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006E8D0D
              • Part of subcall function 006E8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006E8D3A
              • Part of subcall function 006E8CC3: GetLastError.KERNEL32 ref: 006E8D47
            • ExitWindowsEx.USER32(?,00000000), ref: 006F549B
            Strings
            Similarity
            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
            • String ID: $@$SeShutdownPrivilege
            • API String ID: 2234035333-194228
            • Opcode ID: 3194a206b811e2f1e302e1b761adb24d51e9a6e1ef2f519cad937c6ef2b23698
            • Instruction ID: 49c7e03e652fbdd4eb5c63ee59959d46b5f4f04a09746ff6042b51e5b8326cc8
            • Opcode Fuzzy Hash: 3194a206b811e2f1e302e1b761adb24d51e9a6e1ef2f519cad937c6ef2b23698
            • Instruction Fuzzy Hash: 6C014731655F196EE7286678DC4ABFA72DAEB05743F204034FF0BD21D3DA540C818194
            Strings
            Similarity
            • API ID: __itow__swprintf
            • String ID: Oaj
            • API String ID: 674341424-1426506063
            • Opcode ID: 721c80520a14209526558a786b84af5d563b97eab5a86bd18628cd85f4b97983
            • Instruction ID: 29b534a42be0d61ce1cf418194ebfaf83ad6e54c8a5cb42e18681bed7bd1bf6d
            • Opcode Fuzzy Hash: 721c80520a14209526558a786b84af5d563b97eab5a86bd18628cd85f4b97983
            • Instruction Fuzzy Hash: 62229C719083519FCB64EF18C881BAEB7E6AF85300F14491DF89697391EB31EE05CB96
            APIs
            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 007065EF
            • WSAGetLastError.WSOCK32(00000000), ref: 007065FE
            • bind.WSOCK32(00000000,?,00000010), ref: 0070661A
            • listen.WSOCK32(00000000,00000005), ref: 00706629
            • WSAGetLastError.WSOCK32(00000000), ref: 00706643
            • closesocket.WSOCK32(00000000,00000000), ref: 00706657
            Similarity
            • API ID: ErrorLast$bindclosesocketlistensocket
            • String ID:
            • API String ID: 1279440585-0
            • Opcode ID: a8357d2eff28d7aef7a459a7d29b320253fa7a49f18f328b629e1b422f2ee467
            • Instruction ID: fee3730acd94984ea70c347be21fb9342a18efa6252cc4d71a57090934e537e6
            • Opcode Fuzzy Hash: a8357d2eff28d7aef7a459a7d29b320253fa7a49f18f328b629e1b422f2ee467
            • Instruction Fuzzy Hash: F7219E30600200DFCB10EF68CC55A6EB7E9EF45320F14826DF956A73D1CB74AD118B69
            APIs
              • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
            • DefDlgProcW.USER32(?,?,?,?,?), ref: 006919FA
            • GetSysColor.USER32(0000000F), ref: 00691A4E
            • SetBkColor.GDI32(?,00000000), ref: 00691A61
              • Part of subcall function 00691290: DefDlgProcW.USER32(?,00000020,?), ref: 006912D8
            Similarity
            • API ID: ColorProc$LongWindow
            • String ID:
            • API String ID: 3744519093-0
            • Opcode ID: adc1fc12ca2b961b42242041246e06344397862e51567b87914be644cd9fa6cc
            • Instruction ID: cfb0ee84d2155a4652009364c3cbf6eb1bcbe94ebde611da66a961d7c382a23a
            • Opcode Fuzzy Hash: adc1fc12ca2b961b42242041246e06344397862e51567b87914be644cd9fa6cc
            • Instruction Fuzzy Hash: 41A13870105546BAEF28AB294C5AEFF359FDB43341F34411EF402DEAD1CE289D4292B9
            APIs
              • Part of subcall function 007080A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007080CB
            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00706AB1
            • WSAGetLastError.WSOCK32(00000000), ref: 00706ADA
            • bind.WSOCK32(00000000,?,00000010), ref: 00706B13
            • WSAGetLastError.WSOCK32(00000000), ref: 00706B20
            • closesocket.WSOCK32(00000000,00000000), ref: 00706B34
            Similarity
            • API ID: ErrorLast$bindclosesocketinet_addrsocket
            • String ID:
            • API String ID: 99427753-0
            • Opcode ID: 83e3ae0899743d37d1a10e937efada769dbe552cd8b54890fd5071bae6166c4d
            • Instruction ID: 9a864a6c2bff600e8285049089bf9a11430d1e72f0fb69345f29c9fa1b47e50a
            • Opcode Fuzzy Hash: 83e3ae0899743d37d1a10e937efada769dbe552cd8b54890fd5071bae6166c4d
            • Instruction Fuzzy Hash: 8C41B175B00210AFEF50AF28DC96F6E77EADB04720F04C15CF91AAB2D2CA749D0187A5
            APIs
            Similarity
            • API ID: Window$EnabledForegroundIconicVisibleZoomed
            • String ID:
            • API String ID: 292994002-0
            • Opcode ID: 8feb15d6f9c6957df4cf2b09881ef0c6ea3a44b33c554b39b5816c202041bced
            • Instruction ID: b6fc3edd82f75c78893642491fda53b9e3f46b460ae8926f75ca7529299b831f
            • Opcode Fuzzy Hash: 8feb15d6f9c6957df4cf2b09881ef0c6ea3a44b33c554b39b5816c202041bced
            • Instruction Fuzzy Hash: FF11C831700A109FDB151F2EDC44AAF779DEF94B61B40802DF406D72C1CB38D9418AE9
            APIs
            • CoInitialize.OLE32(00000000), ref: 006FC69D
            • CoCreateInstance.OLE32(00722D6C,00000000,00000001,00722BDC,?), ref: 006FC6B5
              • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
            • CoUninitialize.OLE32 ref: 006FC922
            Strings
            Similarity
            • API ID: CreateInitializeInstanceUninitialize_memmove
            • String ID: .lnk
            • API String ID: 2683427295-24824748
            • Opcode ID: a60ed6d944417dbe3287303862ad37ca2066bf9a905175c77519c34d6315fac3
            • Instruction ID: fe7a96145180507f0167ce160b844ee2b6845dbdd2ba9c612cae4998aea1956e
            • Opcode Fuzzy Hash: a60ed6d944417dbe3287303862ad37ca2066bf9a905175c77519c34d6315fac3
            • Instruction Fuzzy Hash: 4CA12971108305AFD740EF58C881EABB7EDEF94714F00492CF156971A2EB70EA49CB66
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,006D1D88,?), ref: 0070C312
            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0070C324
            Strings
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetSystemWow64DirectoryW$kernel32.dll
            • API String ID: 2574300362-1816364905
            • Opcode ID: 5e616ee490dbc9c6ef599db285cb1b937d3c203fa457feb65f07d0e2ec592658
            • Instruction ID: 698f322903682863e61dd4d806f874f0fbef23ae557813e3fab3c5df3d1c8af9
            • Opcode Fuzzy Hash: 5e616ee490dbc9c6ef599db285cb1b937d3c203fa457feb65f07d0e2ec592658
            • Instruction Fuzzy Hash: A9E0ECB4610713DFDB214F29D804A96B6D4EB08755B80C639E895D22A0E77CD880DB61
            APIs
            • CreateToolhelp32Snapshot.KERNEL32 ref: 0070F151
            • Process32FirstW.KERNEL32(00000000,?), ref: 0070F15F
              • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
            • Process32NextW.KERNEL32(00000000,?), ref: 0070F21F
            • CloseHandle.KERNEL32(00000000,?,?,?), ref: 0070F22E
            Similarity
            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
            • String ID:
            • API String ID: 2576544623-0
            • Opcode ID: 1a2ebc7bef80e747dee8939d30c5e25713393914680d9cf6e5ce17858e5d9ae8
            • Instruction ID: 95d33708f787fbc9e96b24abe861455184efc1fa84eb12391f399f75b20fad7e
            • Opcode Fuzzy Hash: 1a2ebc7bef80e747dee8939d30c5e25713393914680d9cf6e5ce17858e5d9ae8
            • Instruction Fuzzy Hash: 3D518C71504300AFD760EF24DC85A6BBBE9FF94710F10492DF596972A1EB30A908CB96
            APIs
            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 006EEB19
            Strings
            Similarity
            • API ID: lstrlen
            • String ID: ($|
            • API String ID: 1659193697-1631851259
            • Opcode ID: 9573dd4e83675a19daf7dd6711a93ce9b6978810a9735b19498e88c6482e998b
            • Instruction ID: c8b7c9eea671c93ebb4fe1bea59fa25150ed3f6362c9ef19752a22f897dd6336
            • Opcode Fuzzy Hash: 9573dd4e83675a19daf7dd6711a93ce9b6978810a9735b19498e88c6482e998b
            • Instruction Fuzzy Hash: 31324774A017459FD728CF19C481AAAB7F1FF48320B15C56EE89ACB3A1E771E981CB44
            APIs
            • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00701AFE,00000000), ref: 007026D5
            • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 0070270C
            Similarity
            • API ID: Internet$AvailableDataFileQueryRead
            • String ID:
            • API String ID: 599397726-0
            • Opcode ID: 940a4740432e37dd1303d1f2d660b751d45fa7a3ad9225f5c2451465b25dc78a
            • Instruction ID: a543c53d2c003a8c5fe43d86b600ce6295448cfc27abfaa0a412f8ebb018112d
            • Opcode Fuzzy Hash: 940a4740432e37dd1303d1f2d660b751d45fa7a3ad9225f5c2451465b25dc78a
            • Instruction Fuzzy Hash: C941C772500209FFEB20DA54DC89EBBB7FCEB40714F10416EF605A65C2DA7A9D829754
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 006FB5AE
            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 006FB608
            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 006FB655
            Similarity
            • API ID: ErrorMode$DiskFreeSpace
            • String ID:
            • API String ID: 1682464887-0
            • Opcode ID: 024545b31f37fdc0ec996d8f4d95ccd8eab52f089699f4a0c6a63f2d975857e8
            • Instruction ID: 99c48c345f9f435c47dd7708459b969162b4937ae82a2b1b043da82ee6ad6e0a
            • Opcode Fuzzy Hash: 024545b31f37fdc0ec996d8f4d95ccd8eab52f089699f4a0c6a63f2d975857e8
            • Instruction Fuzzy Hash: 4C216035A00618EFCB00EF69D880AEDBBB9FF49310F1480ADE905EB351DB319916CB59
            APIs
              • Part of subcall function 006B0FF6: std::exception::exception.LIBCMT ref: 006B102C
              • Part of subcall function 006B0FF6: __CxxThrowException@8.LIBCMT ref: 006B1041
            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 006E8D0D
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 006E8D3A
            • GetLastError.KERNEL32 ref: 006E8D47
            Similarity
            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
            • String ID:
            • API String ID: 1922334811-0
            • Opcode ID: 5d3be2c98227775f429df97dd69bdf259ee286173291d57a5407a41658073446
            • Instruction ID: de931cde6ea11790d73c5af4925b2d4ad337bfe0d5c1ec2b59d49d4f7dc88e3c
            • Opcode Fuzzy Hash: 5d3be2c98227775f429df97dd69bdf259ee286173291d57a5407a41658073446
            • Instruction Fuzzy Hash: D111BFB1515308AFE728EF58DC85DABB7BDEF04710B20C52EF85A83241EB30AC408B24
            APIs
            • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006F404B
            • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 006F4088
            • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 006F4091
            Similarity
            • API ID: CloseControlCreateDeviceFileHandle
            • String ID:
            • API String ID: 33631002-0
            • Opcode ID: f94ed36e837a78b94730d23dde83d06bf9ddd3ab9be835f383e8e36f14003a7e
            • Instruction ID: 6aaea6423fea910671f730ee20ca754a5f895c57b0cfa215f9c93d30506a7e0c
            • Opcode Fuzzy Hash: f94ed36e837a78b94730d23dde83d06bf9ddd3ab9be835f383e8e36f14003a7e
            • Instruction Fuzzy Hash: FC113CB1904228BEE7109BECDC45FFFBBBCEB08750F104656FA04E7291DAB8594587A1
            APIs
            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 006F4C2C
            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 006F4C43
            • FreeSid.ADVAPI32(?), ref: 006F4C53
            Similarity
            • API ID: AllocateCheckFreeInitializeMembershipToken
            • String ID:
            • API String ID: 3429775523-0
            • Opcode ID: 2292f11ee986aba09917d42defcf006bd40d0e9ca550cc2811ca00aea5f1b766
            • Instruction ID: 45e30f0c6408251edb5937f638af8b89b3259cb791a7b060165e684ca1aa0e68
            • Opcode Fuzzy Hash: 2292f11ee986aba09917d42defcf006bd40d0e9ca550cc2811ca00aea5f1b766
            • Instruction Fuzzy Hash: CAF03C75A1120CBBDB04DFE49C89AEEB7B8EB08211F008469E601E2191D6745A048B54
            APIs
            • __time64.LIBCMT ref: 006F8B25
              • Part of subcall function 006B543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,006F91F8,00000000,?,?,?,?,006F93A9,00000000,?), ref: 006B5443
              • Part of subcall function 006B543A: __aulldiv.LIBCMT ref: 006B5463
            Strings
            Similarity
            • API ID: Time$FileSystem__aulldiv__time64
            • String ID: 0uu
            • API String ID: 2893107130-2836214914
            • Opcode ID: 4895cecf4bd7252d2d1cbd3dbbba192cb39449720e96550da2f4b74ac749dba2
            • Instruction ID: 0c34bc01d94a746e917e9b309f8cbed11b45bdb7b555c09b7d3c6c89b148bdc5
            • Opcode Fuzzy Hash: 4895cecf4bd7252d2d1cbd3dbbba192cb39449720e96550da2f4b74ac749dba2
            • Instruction Fuzzy Hash: 2621E472635614CFC729CF25D841AA2B3E2EBA4311B288E6CD1E5CB2D0CA74BD45CB94
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 05eff313e0453d420aebeb53e3125decc142c38200d8dc950c12edfbf37c61e1
            • Instruction ID: b007a017badbe3f417ca035b85d45acf02736aaeb68bc1f01ebaa8f9cb77f254
            • Opcode Fuzzy Hash: 05eff313e0453d420aebeb53e3125decc142c38200d8dc950c12edfbf37c61e1
            • Instruction Fuzzy Hash: 56229C74A00215DFDF24DF58C480ABEBBFAFF04300F14856AE856AB751E736A985CB91
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 006FC966
            • FindClose.KERNEL32(00000000), ref: 006FC996
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Find$CloseFileFirst
            • String ID:
            • API String ID: 2295610775-0
            • Opcode ID: 02765e3c37cb4e9d3f57d4ec265a71051284aa3ee902048aa13ff82247e43efa
            • Instruction ID: 154a53ac6e637ede61df61571d0e174225d1717e354fdb554f116bd3c999421e
            • Opcode Fuzzy Hash: 02765e3c37cb4e9d3f57d4ec265a71051284aa3ee902048aa13ff82247e43efa
            • Instruction Fuzzy Hash: 69118E326006049FDB10EF29C845A6AF7EAFF84320F00C51EF9A9D7291DB74AC01CB95
            APIs
            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0070977D,?,0071FB84,?), ref: 006FA302
            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0070977D,?,0071FB84,?), ref: 006FA314
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ErrorFormatLastMessage
            • String ID:
            • API String ID: 3479602957-0
            • Opcode ID: 00c1c45a00112845c702682e19634e490b27b7cd02358515ef0bd8f8e258e3d9
            • Instruction ID: 17e7b5e8e1be91b7b98d8e94348f849f7d88ed9b95baad8b5cfdd53c595fb9a9
            • Opcode Fuzzy Hash: 00c1c45a00112845c702682e19634e490b27b7cd02358515ef0bd8f8e258e3d9
            • Instruction Fuzzy Hash: BFF0823554422DABDB10AFA4CC49FFA776EFF09761F00C169F919D7181D6309940CBA5
            APIs
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,006E8851), ref: 006E8728
            • CloseHandle.KERNEL32(?,?,006E8851), ref: 006E873A
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: AdjustCloseHandlePrivilegesToken
            • String ID:
            • API String ID: 81990902-0
            • Opcode ID: 71d0fa183cff42922425a109f3243479a68e52d720784735324f374ed548d529
            • Instruction ID: b4fa269763f19cc8a095acf1eba0c0a743314dbd2df35c08b3528f5a5a64f45d
            • Opcode Fuzzy Hash: 71d0fa183cff42922425a109f3243479a68e52d720784735324f374ed548d529
            • Instruction Fuzzy Hash: 9DE0B676010650EEEB652B65ED09DB77BAAEB04350724C92DF49A84470DB62ACD0DB14
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,006B8F97,?,?,?,00000001), ref: 006BA39A
            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 006BA3A3
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: 0d4102ae7e0c4e66400206550c11ad2850cd6f30ab7042fdfda8bd6487b359e6
            • Instruction ID: 4c89e8386ef48c08879af788833d57eb997205edbe68495228d50cdb18ea6403
            • Opcode Fuzzy Hash: 0d4102ae7e0c4e66400206550c11ad2850cd6f30ab7042fdfda8bd6487b359e6
            • Instruction Fuzzy Hash: 1BB09231054208EBCA002B99EC09BC83F68FB44BA2F40C020F61D840A0CB6654508A99
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5969569ff40a09d5d127e25e4e74944bbdd44b077d757d6f0c5031db352075b0
            • Instruction ID: 2749e26546b9c9519dfb906bc32afff67ed73ac4102c40411bb23b4930970667
            • Opcode Fuzzy Hash: 5969569ff40a09d5d127e25e4e74944bbdd44b077d757d6f0c5031db352075b0
            • Instruction Fuzzy Hash: A63237A2D29F414DD7275638DD32376A689AFB73C4F14D737E819B5AA6DB28C4C34200
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: f325296d28f4ee0653ce4c757f7304058be59d26c47fb0cf5b165bf76a0dfbbd
            • Instruction ID: 42ffcbf7e92c9742e469e49aecdc4890a660ae68e1670c130f4a2b28c63d0bd1
            • Opcode Fuzzy Hash: f325296d28f4ee0653ce4c757f7304058be59d26c47fb0cf5b165bf76a0dfbbd
            • Instruction Fuzzy Hash: 2FB10020D2AF414ED723A6398831336BB5CAFBB6D5F51D71BFC2670D22EB2585834145
            APIs
            • BlockInput.USER32(00000001), ref: 00704218
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: BlockInput
            • String ID:
            • API String ID: 3456056419-0
            • Opcode ID: d4f0f653be03cd218742a8304dffd61bdd59bfc1abba61453ccc43fda0fbc235
            • Instruction ID: fc053adaa1dd4c6ce32801615dc7f9ff142d77158b909136cc5b761a428d6211
            • Opcode Fuzzy Hash: d4f0f653be03cd218742a8304dffd61bdd59bfc1abba61453ccc43fda0fbc235
            • Instruction Fuzzy Hash: 53E01A712402149FCB10AF5AD844A9AB7EDAFA4760F00802AF949C77A2DA74E8418BA4
            APIs
            • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 006F4F18
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: mouse_event
            • String ID:
            • API String ID: 2434400541-0
            • Opcode ID: 57268c214e17b1f68691566021ceb32437684ef5dc8d3ec572256ff0418acc7f
            • Instruction ID: f17b75871d79feb14ca204bc0528440dc3e02724e5a2a7c6f1c7efacc46cea75
            • Opcode Fuzzy Hash: 57268c214e17b1f68691566021ceb32437684ef5dc8d3ec572256ff0418acc7f
            • Instruction Fuzzy Hash: F4D09EF516560D79FD184B24AC1FFB7110BF3C0791F94A989730A95EC1DCE56851A039
            APIs
            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,006E88D1), ref: 006E8CB3
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: LogonUser
            • String ID:
            • API String ID: 1244722697-0
            • Opcode ID: 9059458491c237d9ca12df0cc668a381c984fd4fcf4dfafa6eb6412243109fcc
            • Instruction ID: cc71d78a571d8e6110c9bf680d00c43c933df90cb4d464d4768eb32df7ad6651
            • Opcode Fuzzy Hash: 9059458491c237d9ca12df0cc668a381c984fd4fcf4dfafa6eb6412243109fcc
            • Instruction Fuzzy Hash: 68D09E3226450EABEF019EA8DD05EEE3B69EB04B01F40C511FE15D51A1C775D935AB60
            APIs
            • GetUserNameW.ADVAPI32(?,?), ref: 006D2242
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: NameUser
            • String ID:
            • API String ID: 2645101109-0
            • Opcode ID: f4585b15eb33ac35868f28c82ad222371338fbc54bd97d21784b69a0315cc2b2
            • Instruction ID: e16b013f2e4ae7a3837007018aad2f5c48ffdb4782a4ef53f8601ec60f8d153c
            • Opcode Fuzzy Hash: f4585b15eb33ac35868f28c82ad222371338fbc54bd97d21784b69a0315cc2b2
            • Instruction Fuzzy Hash: DAC04CF1C00109DBDB05DB90D988DFE77BCAB08304F108156E141F2140D7B49B448A71
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(?), ref: 006BA36A
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: 6830744d266f9515a043f14290ff4e7ee6e576fe1e4ca19b1ed2e5249884f2e3
            • Instruction ID: 63a041da0162bfc313d8ef5c2c202dfcb5437c006ab3692812d989ebbc0eec62
            • Opcode Fuzzy Hash: 6830744d266f9515a043f14290ff4e7ee6e576fe1e4ca19b1ed2e5249884f2e3
            • Instruction Fuzzy Hash: 31A0113000020CAB8A002B8AEC08888BFACEA002A0B00C020F80C80022CB32A8208A88
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 70f0524884e2d66e23010b1ba4c72321e1ee71a5c5c7c0bb82d0ab978bfdc379
            • Instruction ID: da737a78ae5964c8ffc129bd0c48053709852e28d027c7c18ca75fd46de82b4e
            • Opcode Fuzzy Hash: 70f0524884e2d66e23010b1ba4c72321e1ee71a5c5c7c0bb82d0ab978bfdc379
            • Instruction Fuzzy Hash: E4222970502755CFDF28AB19C4946BD77A3EB03318F64846AD8478B392DB34AE92CF61
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
            • Instruction ID: 730b3c49caaba78eed49d18fe56e4b6f98e60f299f2a8146841dd494096e51d2
            • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
            • Instruction Fuzzy Hash: 29C194B22050531ADB2D4639D4340FEBBE25AA37B135A076DE4B2CF6C5EF20D5A4D720
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
            • Instruction ID: 98486735e504d5b035531dd02fc072ca376ae7e00e0c8365c3f1f20d66e9c35d
            • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
            • Instruction Fuzzy Hash: 14C1B4B220519309DF6D463A84340FEBBE25AA37B135A076DE4B2DF6D4EF20D5A4D720
            APIs
            • DeleteObject.GDI32(00000000), ref: 00707B70
            • DeleteObject.GDI32(00000000), ref: 00707B82
            • DestroyWindow.USER32 ref: 00707B90
            • GetDesktopWindow.USER32 ref: 00707BAA
            • GetWindowRect.USER32(00000000), ref: 00707BB1
            • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 00707CF2
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 00707D02
            • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707D4A
            • GetClientRect.USER32(00000000,?), ref: 00707D56
            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00707D90
            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707DB2
            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707DC5
            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707DD0
            • GlobalLock.KERNEL32(00000000), ref: 00707DD9
            • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707DE8
            • GlobalUnlock.KERNEL32(00000000), ref: 00707DF1
            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707DF8
            • GlobalFree.KERNEL32(00000000), ref: 00707E03
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707E15
            • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00722CAC,00000000), ref: 00707E2B
            • GlobalFree.KERNEL32(00000000), ref: 00707E3B
            • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 00707E61
            • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 00707E80
            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00707EA2
            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0070808F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
            • String ID: $AutoIt v3$DISPLAY$static
            • API String ID: 2211948467-2373415609
            • Opcode ID: 6a6e04ef59abcdc87a55c5f791b8487d8f795c4f3d13f1fb776bd603b67143ae
            • Instruction ID: 2aa92691c89d8c6d86f8e5227a92727613ea51a16af0f9bd8e37a96a570f1c4b
            • Opcode Fuzzy Hash: 6a6e04ef59abcdc87a55c5f791b8487d8f795c4f3d13f1fb776bd603b67143ae
            • Instruction Fuzzy Hash: 70026F71900205EFDF14DF68CC89EAE7BB9FB48314F148158F905AB2A1DB78AD01CB64
            APIs
            • CharUpperBuffW.USER32(?,?,0071F910), ref: 007138AF
            • IsWindowVisible.USER32(?), ref: 007138D3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: BuffCharUpperVisibleWindow
            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
            • API String ID: 4105515805-45149045
            • Opcode ID: a2ebcbd2cae9b119228ff29e9d2451b455cc0649a55be22421c91097994555ab
            • Instruction ID: 09a62fb5d23ffd414fa2286f5a5cb2dd84d5f11a8f01d709548cc8aeba942410
            • Opcode Fuzzy Hash: a2ebcbd2cae9b119228ff29e9d2451b455cc0649a55be22421c91097994555ab
            • Instruction Fuzzy Hash: 44D19770204305DBCB54EF29C451AEE7BA6AF54344F10846CF8865B3E2DB39EE86CB95
            APIs
            • SetTextColor.GDI32(?,00000000), ref: 0071A89F
            • GetSysColorBrush.USER32(0000000F), ref: 0071A8D0
            • GetSysColor.USER32(0000000F), ref: 0071A8DC
            • SetBkColor.GDI32(?,000000FF), ref: 0071A8F6
            • SelectObject.GDI32(?,?), ref: 0071A905
            • InflateRect.USER32(?,000000FF,000000FF), ref: 0071A930
            • GetSysColor.USER32(00000010), ref: 0071A938
            • CreateSolidBrush.GDI32(00000000), ref: 0071A93F
            • FrameRect.USER32(?,?,00000000), ref: 0071A94E
            • DeleteObject.GDI32(00000000), ref: 0071A955
            • InflateRect.USER32(?,000000FE,000000FE), ref: 0071A9A0
            • FillRect.USER32(?,?,?), ref: 0071A9D2
            • GetWindowLongW.USER32(?,000000F0), ref: 0071A9FD
              • Part of subcall function 0071AB60: GetSysColor.USER32(00000012), ref: 0071AB99
              • Part of subcall function 0071AB60: SetTextColor.GDI32(?,?), ref: 0071AB9D
              • Part of subcall function 0071AB60: GetSysColorBrush.USER32(0000000F), ref: 0071ABB3
              • Part of subcall function 0071AB60: GetSysColor.USER32(0000000F), ref: 0071ABBE
              • Part of subcall function 0071AB60: GetSysColor.USER32(00000011), ref: 0071ABDB
              • Part of subcall function 0071AB60: CreatePen.GDI32(00000000,00000001,_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{), ref: 0071ABE9
              • Part of subcall function 0071AB60: SelectObject.GDI32(?,00000000), ref: 0071ABFA
              • Part of subcall function 0071AB60: SetBkColor.GDI32(?,00000000), ref: 0071AC03
              • Part of subcall function 0071AB60: SelectObject.GDI32(?,?), ref: 0071AC10
              • Part of subcall function 0071AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0071AC2F
              • Part of subcall function 0071AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0071AC46
              • Part of subcall function 0071AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0071AC5B
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
            • String ID:
            • API String ID: 4124339563-0
            • Opcode ID: 31dce26175d705cd0004509f035ec8fd96431926b38687c44752bef05cbb4da1
            • Instruction ID: d37cb8f8c63d595241bbe969daef1817ced4b4729bc3fe4f5b34ac5b6fcff67a
            • Opcode Fuzzy Hash: 31dce26175d705cd0004509f035ec8fd96431926b38687c44752bef05cbb4da1
            • Instruction Fuzzy Hash: AEA18071009305FFD7119F68DC08A9B7BAAFF88321F108A29F966D61E1D738D984CB56
            APIs
            • DestroyWindow.USER32(?,?,?), ref: 00692CA2
            • DeleteObject.GDI32(00000000), ref: 00692CE8
            • DeleteObject.GDI32(00000000), ref: 00692CF3
            • DestroyIcon.USER32(00000000,?,?,?), ref: 00692CFE
            • DestroyWindow.USER32(00000000,?,?,?), ref: 00692D09
            • SendMessageW.USER32(?,00001308,?,00000000), ref: 006CC68B
            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 006CC6C4
            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 006CCAED
              • Part of subcall function 00691B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00692036,?,00000000,?,?,?,?,006916CB,00000000,?), ref: 00691B9A
            • SendMessageW.USER32(?,00001053), ref: 006CCB2A
            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 006CCB41
            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 006CCB57
            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 006CCB62
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
            • String ID: 0
            • API String ID: 464785882-4108050209
            • Opcode ID: d4e8242d7b7f50f4e7c23ce116d3c4660d22d788ef803efbec5aece3f2c8b4a6
            • Instruction ID: 27218b815b7193820ad795b36591a3bfa35c64ed9b9ed3d51f7e0f24a10a3d8a
            • Opcode Fuzzy Hash: d4e8242d7b7f50f4e7c23ce116d3c4660d22d788ef803efbec5aece3f2c8b4a6
            • Instruction Fuzzy Hash: 2A127C30600602EFDB54DF28C899BB9BBA6FF45320F54856DE499DB662C731E842CB91
            APIs
            • GetSysColor.USER32(00000012), ref: 0071AB99
            • SetTextColor.GDI32(?,?), ref: 0071AB9D
            • GetSysColorBrush.USER32(0000000F), ref: 0071ABB3
            • GetSysColor.USER32(0000000F), ref: 0071ABBE
            • CreateSolidBrush.GDI32(?), ref: 0071ABC3
            • GetSysColor.USER32(00000011), ref: 0071ABDB
            • CreatePen.GDI32(00000000,00000001,_______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{), ref: 0071ABE9
            • SelectObject.GDI32(?,00000000), ref: 0071ABFA
            • SetBkColor.GDI32(?,00000000), ref: 0071AC03
            • SelectObject.GDI32(?,?), ref: 0071AC10
            • InflateRect.USER32(?,000000FF,000000FF), ref: 0071AC2F
            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0071AC46
            • GetWindowLongW.USER32(00000000,000000F0), ref: 0071AC5B
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0071ACA7
            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0071ACCE
            • InflateRect.USER32(?,000000FD,000000FD), ref: 0071ACEC
            • DrawFocusRect.USER32(?,?), ref: 0071ACF7
            • GetSysColor.USER32(00000011), ref: 0071AD05
            • SetTextColor.GDI32(?,00000000), ref: 0071AD0D
            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0071AD21
            • SelectObject.GDI32(?,0071A869), ref: 0071AD38
            • DeleteObject.GDI32(?), ref: 0071AD43
            • SelectObject.GDI32(?,?), ref: 0071AD49
            • DeleteObject.GDI32(?), ref: 0071AD4E
            • SetTextColor.GDI32(?,?), ref: 0071AD54
            • SetBkColor.GDI32(?,?), ref: 0071AD5E
            Strings
            • _______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{, xrefs: 0071ABDF, 0071ABE4
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
            • String ID: _______________________________________________________________________________________________________________________________abccccccccdeefghijklmnopqrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstuvwxrstyzzzzzzzzzzzzzzzz{{{{
            • API String ID: 1996641542-3308908821
            • Opcode ID: 4515ef1c7ca123d7a64084294003c4bcfc8996d8116c3e96821b7f892652fa3d
            • Instruction ID: 25652c77fbaa60b0bc5760b541af6d867b216c378fd88ca3876f56fbbad7850a
            • Opcode Fuzzy Hash: 4515ef1c7ca123d7a64084294003c4bcfc8996d8116c3e96821b7f892652fa3d
            • Instruction Fuzzy Hash: CF612DB1901218FFDB119FA8DC49EEE7B7AEB08320F10C125F915AB2E1D7799940DB94
            APIs
            • DestroyWindow.USER32(00000000), ref: 007077F1
            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 007078B0
            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 007078EE
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00707900
            • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00707946
            • GetClientRect.USER32(00000000,?), ref: 00707952
            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00707996
            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 007079A5
            • GetStockObject.GDI32(00000011), ref: 007079B5
            • SelectObject.GDI32(00000000,00000000), ref: 007079B9
            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 007079C9
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 007079D2
            • DeleteDC.GDI32(00000000), ref: 007079DB
            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00707A07
            • SendMessageW.USER32(00000030,00000000,00000001), ref: 00707A1E
            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00707A59
            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00707A6D
            • SendMessageW.USER32(00000404,00000001,00000000), ref: 00707A7E
            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00707AAE
            • GetStockObject.GDI32(00000011), ref: 00707AB9
            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00707AC4
            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00707ACE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
            • API String ID: 2910397461-517079104
            • Opcode ID: 1cd028f51df3a3a6803039a405f2f8f74a54366d3b5ec797420a07067e067d1c
            • Instruction ID: 84fcb38703a9e48d9d70368584f559c88d08ed0a3669396abcd6d99b24dc138a
            • Opcode Fuzzy Hash: 1cd028f51df3a3a6803039a405f2f8f74a54366d3b5ec797420a07067e067d1c
            • Instruction Fuzzy Hash: 97A16271A40215BFEB14DB68DC4AFEE7BB9EB44711F008118FA15A71E0D7B8AD40CB68
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 006FAF89
            • GetDriveTypeW.KERNEL32(?,0071FAC0,?,\\.\,0071F910), ref: 006FB066
            • SetErrorMode.KERNEL32(00000000,0071FAC0,?,\\.\,0071F910), ref: 006FB1C4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ErrorMode$DriveType
            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
            • API String ID: 2907320926-4222207086
            • Opcode ID: 12d5d18a2186b403b7a3523d7eb5381b540c0438f3a915599929524e64ab9eae
            • Instruction ID: 9ad5df335fb600d6909f962f4d6a40786b626177b452169d6383b97d1b89d8ed
            • Opcode Fuzzy Hash: 12d5d18a2186b403b7a3523d7eb5381b540c0438f3a915599929524e64ab9eae
            • Instruction Fuzzy Hash: 6851B1706C430DFBCB10EB14C992DBD73B7AB147417209019E60AAB390CB799D42DB56
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: __wcsnicmp
            • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
            • API String ID: 1038674560-86951937
            • Opcode ID: ed9f2b83542acb962540a9a283e7edbf0500cd957aed4b0a5f9feee3ad8d1c67
            • Instruction ID: 6ea282da8858b4fc851c5025c3640d86739d00d7f8abe3d7f71f942b7e564764
            • Opcode Fuzzy Hash: ed9f2b83542acb962540a9a283e7edbf0500cd957aed4b0a5f9feee3ad8d1c67
            • Instruction Fuzzy Hash: 418109F1600315BACF61AA64CC92FFE776FEF11300F144029F945AA6C6EB61DA91C3A5
            APIs
            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00718D34
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00718D45
            • CharNextW.USER32(0000014E), ref: 00718D74
            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00718DB5
            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00718DCB
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00718DDC
            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00718DF9
            • SetWindowTextW.USER32(?,0000014E), ref: 00718E45
            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00718E5B
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00718E8C
            • _memset.LIBCMT ref: 00718EB1
            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00718EFA
            • _memset.LIBCMT ref: 00718F59
            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00718F83
            • SendMessageW.USER32(?,00001074,?,00000001), ref: 00718FDB
            • SendMessageW.USER32(?,0000133D,?,?), ref: 00719088
            • InvalidateRect.USER32(?,00000000,00000001), ref: 007190AA
            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 007190F4
            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00719121
            • DrawMenuBar.USER32(?), ref: 00719130
            • SetWindowTextW.USER32(?,0000014E), ref: 00719158
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
            • String ID: 0
            • API String ID: 1073566785-4108050209
            • Opcode ID: 64f76fff830d9e9b1fc8e27b6eb24874835850d7f400884eb342805a2acc1d23
            • Instruction ID: afaa40fdfd61f504eb24011725988af7a46595d024019542d77e1107b017132a
            • Opcode Fuzzy Hash: 64f76fff830d9e9b1fc8e27b6eb24874835850d7f400884eb342805a2acc1d23
            • Instruction Fuzzy Hash: BFE1A270900209ABDF60DF68DC84EEE7BB9EF09710F008159FA159A2D0DB788AC5DF65
            APIs
            • GetCursorPos.USER32(?), ref: 00714C51
            • GetDesktopWindow.USER32 ref: 00714C66
            • GetWindowRect.USER32(00000000), ref: 00714C6D
            • GetWindowLongW.USER32(?,000000F0), ref: 00714CCF
            • DestroyWindow.USER32(?), ref: 00714CFB
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00714D24
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00714D42
            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00714D68
            • SendMessageW.USER32(?,00000421,?,?), ref: 00714D7D
            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00714D90
            • IsWindowVisible.USER32(?), ref: 00714DB0
            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00714DCB
            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00714DDF
            • GetWindowRect.USER32(?,?), ref: 00714DF7
            • MonitorFromPoint.USER32(?,?,00000002), ref: 00714E1D
            • GetMonitorInfoW.USER32(00000000,?), ref: 00714E37
            • CopyRect.USER32(?,?), ref: 00714E4E
            • SendMessageW.USER32(?,00000412,00000000), ref: 00714EB9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
            • String ID: ($0$tooltips_class32
            • API String ID: 698492251-4156429822
            • Opcode ID: 3255e33ed484559a3f89dbdcaac323d099e2d945159ee8b07305f8b401e6626e
            • Instruction ID: 346fac13b1c166bd07900917a1310099658fedc4cb54c797146b71eff2e9a704
            • Opcode Fuzzy Hash: 3255e33ed484559a3f89dbdcaac323d099e2d945159ee8b07305f8b401e6626e
            • Instruction Fuzzy Hash: 25B1AC71608340AFDB44DF68C849BAABBE5FF88710F00891CF5899B2A1D775EC44CBA5
            APIs
            • GetFileVersionInfoSizeW.VERSION(?,?), ref: 006F46E8
            • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 006F470E
            • _wcscpy.LIBCMT ref: 006F473C
            • _wcscmp.LIBCMT ref: 006F4747
            • _wcscat.LIBCMT ref: 006F475D
            • _wcsstr.LIBCMT ref: 006F4768
            • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 006F4784
            • _wcscat.LIBCMT ref: 006F47CD
            • _wcscat.LIBCMT ref: 006F47D4
            • _wcsncpy.LIBCMT ref: 006F47FF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
            • API String ID: 699586101-1459072770
            • Opcode ID: eab412e4a4d7491ad3c01c9d691210f7ba3560f5ed5071de1085076ea0a2e2c4
            • Instruction ID: f9d8fc937fac71fa51d97a728af8301078870aade39a72ffca8cd2f5572fb5b3
            • Opcode Fuzzy Hash: eab412e4a4d7491ad3c01c9d691210f7ba3560f5ed5071de1085076ea0a2e2c4
            • Instruction Fuzzy Hash: 7F4117B16402057AE710BB648C46EFF77AEDF42710F00416DF904E62C2EF78DA8197A9
            APIs
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006928BC
            • GetSystemMetrics.USER32(00000007), ref: 006928C4
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 006928EF
            • GetSystemMetrics.USER32(00000008), ref: 006928F7
            • GetSystemMetrics.USER32(00000004), ref: 0069291C
            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00692939
            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00692949
            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0069297C
            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00692990
            • GetClientRect.USER32(00000000,000000FF), ref: 006929AE
            • GetStockObject.GDI32(00000011), ref: 006929CA
            • SendMessageW.USER32(00000000,00000030,00000000), ref: 006929D5
              • Part of subcall function 00692344: GetCursorPos.USER32(?), ref: 00692357
              • Part of subcall function 00692344: ScreenToClient.USER32(007567B0,?), ref: 00692374
              • Part of subcall function 00692344: GetAsyncKeyState.USER32(00000001), ref: 00692399
              • Part of subcall function 00692344: GetAsyncKeyState.USER32(00000002), ref: 006923A7
            • SetTimer.USER32(00000000,00000000,00000028,00691256), ref: 006929FC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
            • String ID: AutoIt v3 GUI
            • API String ID: 1458621304-248962490
            • Opcode ID: 8c5846162eaa081afb0b2f09a35d2af9e237b9494680535558a3b96b8f6c7810
            • Instruction ID: 9c8082148b6db8e299c0319db1f575c58368616e05849c4b59757091073a0c4d
            • Opcode Fuzzy Hash: 8c5846162eaa081afb0b2f09a35d2af9e237b9494680535558a3b96b8f6c7810
            • Instruction Fuzzy Hash: 86B15E7160020AAFDF14DFA8DC55BED7BBAFB08315F108129FA19A72E0DB74A851CB54
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 007140F6
            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007141B6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: BuffCharMessageSendUpper
            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
            • API String ID: 3974292440-719923060
            • Opcode ID: ac818c4af1e50849401d9b95c193e6ecdb273095b3069d725a7a9a373f37245a
            • Instruction ID: 24879689870d17a439caa83e60032183f78b1215aecafa1b117e7af7487ec17b
            • Opcode Fuzzy Hash: ac818c4af1e50849401d9b95c193e6ecdb273095b3069d725a7a9a373f37245a
            • Instruction Fuzzy Hash: 95A194702143019FCB54EF28C851AAAB7A6BF44314F14896CF8A69B7D2DB34EC85CB55
            APIs
            • LoadCursorW.USER32(00000000,00007F89), ref: 00705309
            • LoadCursorW.USER32(00000000,00007F8A), ref: 00705314
            • LoadCursorW.USER32(00000000,00007F00), ref: 0070531F
            • LoadCursorW.USER32(00000000,00007F03), ref: 0070532A
            • LoadCursorW.USER32(00000000,00007F8B), ref: 00705335
            • LoadCursorW.USER32(00000000,00007F01), ref: 00705340
            • LoadCursorW.USER32(00000000,00007F81), ref: 0070534B
            • LoadCursorW.USER32(00000000,00007F88), ref: 00705356
            • LoadCursorW.USER32(00000000,00007F80), ref: 00705361
            • LoadCursorW.USER32(00000000,00007F86), ref: 0070536C
            • LoadCursorW.USER32(00000000,00007F83), ref: 00705377
            • LoadCursorW.USER32(00000000,00007F85), ref: 00705382
            • LoadCursorW.USER32(00000000,00007F82), ref: 0070538D
            • LoadCursorW.USER32(00000000,00007F84), ref: 00705398
            • LoadCursorW.USER32(00000000,00007F04), ref: 007053A3
            • LoadCursorW.USER32(00000000,00007F02), ref: 007053AE
            • GetCursorInfo.USER32(?), ref: 007053BE
            • GetLastError.KERNEL32(00000001,00000000), ref: 007053E9
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Cursor$Load$ErrorInfoLast
            • String ID:
            • API String ID: 3215588206-0
            • Opcode ID: a76bcffefebcfecd1697a5a907c29908e6378cd475d7c24a228f83ca65eb633a
            • Instruction ID: 45a49ae12b5482cf63d8e58d39386a29f915ea3fb6e915511a50a57d3ed5eacc
            • Opcode Fuzzy Hash: a76bcffefebcfecd1697a5a907c29908e6378cd475d7c24a228f83ca65eb633a
            • Instruction Fuzzy Hash: 1D415270E04319AADB109FBA8C499AFFEF8EF51B50B10452FF509E72D0DAB894018E65
            APIs
            • GetClassNameW.USER32(?,?,00000100), ref: 006EAAA5
            • __swprintf.LIBCMT ref: 006EAB46
            • _wcscmp.LIBCMT ref: 006EAB59
            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 006EABAE
            • _wcscmp.LIBCMT ref: 006EABEA
            • GetClassNameW.USER32(?,?,00000400), ref: 006EAC21
            • GetDlgCtrlID.USER32(?), ref: 006EAC73
            • GetWindowRect.USER32(?,?), ref: 006EACA9
            • GetParent.USER32(?), ref: 006EACC7
            • ScreenToClient.USER32(00000000), ref: 006EACCE
            • GetClassNameW.USER32(?,?,00000100), ref: 006EAD48
            • _wcscmp.LIBCMT ref: 006EAD5C
            • GetWindowTextW.USER32(?,?,00000400), ref: 006EAD82
            • _wcscmp.LIBCMT ref: 006EAD96
              • Part of subcall function 006B386C: _iswctype.LIBCMT ref: 006B3874
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
            • String ID: %s%u
            • API String ID: 3744389584-679674701
            • Opcode ID: d5932cca46065428f25e6589819a0f3f859a7e2459641939e95d02c188e88989
            • Instruction ID: c1f21cb962b910728fd75d5776ad60a63985f0bcec390429a01e95c09265a26a
            • Opcode Fuzzy Hash: d5932cca46065428f25e6589819a0f3f859a7e2459641939e95d02c188e88989
            • Instruction Fuzzy Hash: F0A1BF71205386AFD714DFA5C884BEAB7EAFF04355F10862DF99982290DB30F945CB92
            APIs
            • GetClassNameW.USER32(00000008,?,00000400), ref: 006EB3DB
            • _wcscmp.LIBCMT ref: 006EB3EC
            • GetWindowTextW.USER32(00000001,?,00000400), ref: 006EB414
            • CharUpperBuffW.USER32(?,00000000), ref: 006EB431
            • _wcscmp.LIBCMT ref: 006EB44F
            • _wcsstr.LIBCMT ref: 006EB460
            • GetClassNameW.USER32(00000018,?,00000400), ref: 006EB498
            • _wcscmp.LIBCMT ref: 006EB4A8
            • GetWindowTextW.USER32(00000002,?,00000400), ref: 006EB4CF
            • GetClassNameW.USER32(00000018,?,00000400), ref: 006EB518
            • _wcscmp.LIBCMT ref: 006EB528
            • GetClassNameW.USER32(00000010,?,00000400), ref: 006EB550
            • GetWindowRect.USER32(00000004,?), ref: 006EB5B9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
            • String ID: @$ThumbnailClass
            • API String ID: 1788623398-1539354611
            • Opcode ID: 3b8b8897e9c42aa2fbf2d5e82abc2c67a1e5a9d02d7618a8959d00257f2850fd
            • Instruction ID: 93df8c1801e0b8c5cd826ca868d13635fef527eec6576ac13504b3830df50861
            • Opcode Fuzzy Hash: 3b8b8897e9c42aa2fbf2d5e82abc2c67a1e5a9d02d7618a8959d00257f2850fd
            • Instruction Fuzzy Hash: AE81DC710093859BDB00DF16C885FEB7BEAEF44314F049469FD898A2A6DB34DD49CBA1
            APIs
              • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
            • DragQueryPoint.SHELL32(?,?), ref: 0071C917
              • Part of subcall function 0071ADF1: ClientToScreen.USER32(?,?), ref: 0071AE1A
              • Part of subcall function 0071ADF1: GetWindowRect.USER32(?,?), ref: 0071AE90
              • Part of subcall function 0071ADF1: PtInRect.USER32(?,?,0071C304), ref: 0071AEA0
            • SendMessageW.USER32(?,000000B0,?,?), ref: 0071C980
            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0071C98B
            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0071C9AE
            • _wcscat.LIBCMT ref: 0071C9DE
            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0071C9F5
            • SendMessageW.USER32(?,000000B0,?,?), ref: 0071CA0E
            • SendMessageW.USER32(?,000000B1,?,?), ref: 0071CA25
            • SendMessageW.USER32(?,000000B1,?,?), ref: 0071CA47
            • DragFinish.SHELL32(?), ref: 0071CA4E
            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0071CB41
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pru
            • API String ID: 169749273-4085695995
            • Opcode ID: 1c9c2f7c52becb39034883a5676ec7275fe8ae0a30ff0dbeb189ff90e977398d
            • Instruction ID: db47437a1c7ef583f35926b76516f961648f54fb8fc53a153f9de8817d420e23
            • Opcode Fuzzy Hash: 1c9c2f7c52becb39034883a5676ec7275fe8ae0a30ff0dbeb189ff90e977398d
            • Instruction Fuzzy Hash: 34616C71108301AFC701DF68DC89D9FBBE9EF89710F00492DF591971A1DB749A49CB5A
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: __wcsnicmp
            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
            • API String ID: 1038674560-1810252412
            • Opcode ID: b922e685d8cfa8ccc46348cffcbc5c78c42c67dc8ec4af626265a775f05d5a20
            • Instruction ID: 5646bb5f415eedd766fb8197096fd751369d8bcf389d3a3b328020140fe803d0
            • Opcode Fuzzy Hash: b922e685d8cfa8ccc46348cffcbc5c78c42c67dc8ec4af626265a775f05d5a20
            • Instruction Fuzzy Hash: FB31ABB0A45345AADF51FA61CD43EFF77AA9F20750F600028B601725E2EF656F08C69A
            APIs
            • LoadIconW.USER32(00000063), ref: 006EC4D4
            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 006EC4E6
            • SetWindowTextW.USER32(?,?), ref: 006EC4FD
            • GetDlgItem.USER32(?,000003EA), ref: 006EC512
            • SetWindowTextW.USER32(00000000,?), ref: 006EC518
            • GetDlgItem.USER32(?,000003E9), ref: 006EC528
            • SetWindowTextW.USER32(00000000,?), ref: 006EC52E
            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 006EC54F
            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 006EC569
            • GetWindowRect.USER32(?,?), ref: 006EC572
            • SetWindowTextW.USER32(?,?), ref: 006EC5DD
            • GetDesktopWindow.USER32 ref: 006EC5E3
            • GetWindowRect.USER32(00000000), ref: 006EC5EA
            • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 006EC636
            • GetClientRect.USER32(?,?), ref: 006EC643
            • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 006EC668
            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 006EC693
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
            • String ID:
            • API String ID: 3869813825-0
            • Opcode ID: d52d453a1377952d192702cfd08e0e3d235f1f52d82ff9a5497c3ed171040d71
            • Instruction ID: 5eeb33b0a499483e05a2e65a1b3bf4a393c29fc462b8b3008b2407a2e566b532
            • Opcode Fuzzy Hash: d52d453a1377952d192702cfd08e0e3d235f1f52d82ff9a5497c3ed171040d71
            • Instruction Fuzzy Hash: 48518E31900709AFDB20DFA9DD85BAEBBF6FF04715F008528E686A26A0C774A915CB44
            APIs
            • _memset.LIBCMT ref: 0071A4C8
            • DestroyWindow.USER32(?,?), ref: 0071A542
              • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0071A5BC
            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0071A5DE
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0071A5F1
            • DestroyWindow.USER32(00000000), ref: 0071A613
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00690000,00000000), ref: 0071A64A
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0071A663
            • GetDesktopWindow.USER32 ref: 0071A67C
            • GetWindowRect.USER32(00000000), ref: 0071A683
            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0071A69B
            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0071A6B3
              • Part of subcall function 006925DB: GetWindowLongW.USER32(?,000000EB), ref: 006925EC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
            • String ID: 0$tooltips_class32
            • API String ID: 1297703922-3619404913
            • Opcode ID: 34e8b531ee459f84cdd3ff4a9687fd20fee6f6835b85c24da0d64a04367e5b2e
            • Instruction ID: 2c56a7cb67c439dd9bb38a7f8cdf8e8c0073db47b0d7c509e6625a306732128a
            • Opcode Fuzzy Hash: 34e8b531ee459f84cdd3ff4a9687fd20fee6f6835b85c24da0d64a04367e5b2e
            • Instruction Fuzzy Hash: 7371A171240305AFD720DF28CC45FAA7BE6FB88305F48852DF985872A0D779E946CB56
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 007146AB
            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 007146F6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: BuffCharMessageSendUpper
            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
            • API String ID: 3974292440-4258414348
            • Opcode ID: 7dc2e5c038cbe5be7bb673a108f0268233cc9b13e8bf78ccdcf855f8b796c63a
            • Instruction ID: e32b1081c513149846e5f3004647a514a53f63cc0ea0bc6e3a7e95c671db0a27
            • Opcode Fuzzy Hash: 7dc2e5c038cbe5be7bb673a108f0268233cc9b13e8bf78ccdcf855f8b796c63a
            • Instruction Fuzzy Hash: 79917F742043019FCF54EF28C451AAEB7A6AF54314F14846CF8965B7E2CB38ED8ACB95
            APIs
            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0071BB6E
            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00719431), ref: 0071BBCA
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0071BC03
            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0071BC46
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0071BC7D
            • FreeLibrary.KERNEL32(?), ref: 0071BC89
            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0071BC99
            • DestroyIcon.USER32(?,?,?,?,?,00719431), ref: 0071BCA8
            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0071BCC5
            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0071BCD1
              • Part of subcall function 006B313D: __wcsicmp_l.LIBCMT ref: 006B31C6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
            • String ID: .dll$.exe$.icl
            • API String ID: 1212759294-1154884017
            • Opcode ID: a218642eaf4845ed76fc5e0529e9d273709e00430070bf1c630996f3ca2be888
            • Instruction ID: cfaffd941a43bca8babcc7677dcc27953b76563ac74d4b7101032a8b6141117c
            • Opcode Fuzzy Hash: a218642eaf4845ed76fc5e0529e9d273709e00430070bf1c630996f3ca2be888
            • Instruction Fuzzy Hash: C761A0B1600619BAEB24DF69CC85FFE77ACFB08710F108219F915D61D0DB789990DBA0
            APIs
            • LoadStringW.USER32(00000066,?,00000FFF,0071FB78), ref: 006FA0FC
              • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
            • LoadStringW.USER32(?,?,00000FFF,?), ref: 006FA11E
            • __swprintf.LIBCMT ref: 006FA177
            • __swprintf.LIBCMT ref: 006FA190
            • _wprintf.LIBCMT ref: 006FA246
            • _wprintf.LIBCMT ref: 006FA264
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: LoadString__swprintf_wprintf$_memmove
            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR$%r
            • API String ID: 311963372-3687378605
            • Opcode ID: aef4ce07fe9874f35c425010ed51ccdd8210262d7ea54eee2368ef3c5a544701
            • Instruction ID: ad43053e72bc830bdae87d7bf89304c546a81e48bf1c1b82285a3f6dc19415a6
            • Opcode Fuzzy Hash: aef4ce07fe9874f35c425010ed51ccdd8210262d7ea54eee2368ef3c5a544701
            • Instruction Fuzzy Hash: 4851BFB2904209BBCF55EBE0CD82EEEB77AAF04300F144169F505721A1EB356F48DB69
            APIs
              • Part of subcall function 00699997: __itow.LIBCMT ref: 006999C2
              • Part of subcall function 00699997: __swprintf.LIBCMT ref: 00699A0C
            • CharLowerBuffW.USER32(?,?), ref: 006FA636
            • GetDriveTypeW.KERNEL32 ref: 006FA683
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006FA6CB
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006FA702
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006FA730
              • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
            • API String ID: 2698844021-4113822522
            • Opcode ID: 9b13e7ee06e87e70bf297dd527018e97c982b0dad924954a06fda92064592da3
            • Instruction ID: fe2991006d135a7366c6812f835a4c33d68d4e9327baf68273b16832b6cf9736
            • Opcode Fuzzy Hash: 9b13e7ee06e87e70bf297dd527018e97c982b0dad924954a06fda92064592da3
            • Instruction Fuzzy Hash: 63515FB51143059FCB40EF14C88186AB7FAFF84718F04896CF89A576A1DB35EE0ACB56
            APIs
            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 006FA47A
            • __swprintf.LIBCMT ref: 006FA49C
            • CreateDirectoryW.KERNEL32(?,00000000), ref: 006FA4D9
            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 006FA4FE
            • _memset.LIBCMT ref: 006FA51D
            • _wcsncpy.LIBCMT ref: 006FA559
            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 006FA58E
            • CloseHandle.KERNEL32(00000000), ref: 006FA599
            • RemoveDirectoryW.KERNEL32(?), ref: 006FA5A2
            • CloseHandle.KERNEL32(00000000), ref: 006FA5AC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
            • String ID: :$\$\??\%s
            • API String ID: 2733774712-3457252023
            • Opcode ID: fd51ff696b1445ff6ddeffff9b7234993a8b46ce2c3edc247f9d991878ff16ed
            • Instruction ID: c92034bc6b9f856eac8fd9b0348c8340d2877f594daacd11039482cecd1011ec
            • Opcode Fuzzy Hash: fd51ff696b1445ff6ddeffff9b7234993a8b46ce2c3edc247f9d991878ff16ed
            • Instruction Fuzzy Hash: A83191B1500119AADB21DFA4DC48FFB77BDEF88701F1081BAF608D6160E67496448B29
            APIs
            • __wsplitpath.LIBCMT ref: 006FDC7B
            • _wcscat.LIBCMT ref: 006FDC93
            • _wcscat.LIBCMT ref: 006FDCA5
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006FDCBA
            • SetCurrentDirectoryW.KERNEL32(?), ref: 006FDCCE
            • GetFileAttributesW.KERNEL32(?), ref: 006FDCE6
            • SetFileAttributesW.KERNEL32(?,00000000), ref: 006FDD00
            • SetCurrentDirectoryW.KERNEL32(?), ref: 006FDD12
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
            • String ID: *.*
            • API String ID: 34673085-438819550
            • Opcode ID: 54e490afdbb89d5d62789d9a9dffb690bd053750fc6c9cd2bd2a0ce14821bdac
            • Instruction ID: 2bd8018be41b81706e963b8d505ab59a143b2e0267387b5d1d9fd002fb56ab4a
            • Opcode Fuzzy Hash: 54e490afdbb89d5d62789d9a9dffb690bd053750fc6c9cd2bd2a0ce14821bdac
            • Instruction Fuzzy Hash: 7281A2B15042099FCB60EF64C8459BEB7EBBF89350F19882EF989C7350E630E945CB52
            APIs
              • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0071C4EC
            • GetFocus.USER32 ref: 0071C4FC
            • GetDlgCtrlID.USER32(00000000), ref: 0071C507
            • _memset.LIBCMT ref: 0071C632
            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0071C65D
            • GetMenuItemCount.USER32(?), ref: 0071C67D
            • GetMenuItemID.USER32(?,00000000), ref: 0071C690
            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0071C6C4
            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0071C70C
            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0071C744
            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0071C779
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
            • String ID: 0
            • API String ID: 1296962147-4108050209
            • Opcode ID: 011bd37f5d2d81db8fe73d33aad59b64f8fe89f1784803d0858f4d688d597990
            • Instruction ID: f220f5fc7d1396b6a053a0b79ea23040d8282a5c5b95cc6abb747fde24d151a2
            • Opcode Fuzzy Hash: 011bd37f5d2d81db8fe73d33aad59b64f8fe89f1784803d0858f4d688d597990
            • Instruction Fuzzy Hash: 6981BD70248301AFD711CF58C885AEBBBE9FB88314F10492DF995972D1D778E985CBA2
            APIs
              • Part of subcall function 006E874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006E8766
              • Part of subcall function 006E874A: GetLastError.KERNEL32(?,006E822A,?,?,?), ref: 006E8770
              • Part of subcall function 006E874A: GetProcessHeap.KERNEL32(00000008,?,?,006E822A,?,?,?), ref: 006E877F
              • Part of subcall function 006E874A: HeapAlloc.KERNEL32(00000000,?,006E822A,?,?,?), ref: 006E8786
              • Part of subcall function 006E874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006E879D
              • Part of subcall function 006E87E7: GetProcessHeap.KERNEL32(00000008,006E8240,00000000,00000000,?,006E8240,?), ref: 006E87F3
              • Part of subcall function 006E87E7: HeapAlloc.KERNEL32(00000000,?,006E8240,?), ref: 006E87FA
              • Part of subcall function 006E87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,006E8240,?), ref: 006E880B
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 006E8458
            • _memset.LIBCMT ref: 006E846D
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 006E848C
            • GetLengthSid.ADVAPI32(?), ref: 006E849D
            • GetAce.ADVAPI32(?,00000000,?), ref: 006E84DA
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 006E84F6
            • GetLengthSid.ADVAPI32(?), ref: 006E8513
            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 006E8522
            • HeapAlloc.KERNEL32(00000000), ref: 006E8529
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 006E854A
            • CopySid.ADVAPI32(00000000), ref: 006E8551
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 006E8582
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 006E85A8
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 006E85BC
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
            • String ID:
            • API String ID: 3996160137-0
            • Opcode ID: db54e465e76a3f01fe674ae6802f7ce63aa4435b0ec6c17bbb77f24d2121416e
            • Instruction ID: 0b17c7a5704bfc327aa0c36641ff5c49dbf46fa074a1a2ba48b162cccbc92f9e
            • Opcode Fuzzy Hash: db54e465e76a3f01fe674ae6802f7ce63aa4435b0ec6c17bbb77f24d2121416e
            • Instruction Fuzzy Hash: 07613971901249AFDF00DFA5DC45AEEBBBAFF04300F148269F819AB291DB359A05CF64
            APIs
            • GetDC.USER32(00000000), ref: 007076A2
            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 007076AE
            • CreateCompatibleDC.GDI32(?), ref: 007076BA
            • SelectObject.GDI32(00000000,?), ref: 007076C7
            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 0070771B
            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00707757
            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 0070777B
            • SelectObject.GDI32(00000006,?), ref: 00707783
            • DeleteObject.GDI32(?), ref: 0070778C
            • DeleteDC.GDI32(00000006), ref: 00707793
            • ReleaseDC.USER32(00000000,?), ref: 0070779E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
            • String ID: (
            • API String ID: 2598888154-3887548279
            • Opcode ID: 1578f70f4e0127d3b052fc3e17f28178783c80a3d9fbf19ac3b41dcee5d72021
            • Instruction ID: 61813494ceb71530d52039c5f9749c0bb1660b65554d7953f5ceecf4499364fc
            • Opcode Fuzzy Hash: 1578f70f4e0127d3b052fc3e17f28178783c80a3d9fbf19ac3b41dcee5d72021
            • Instruction Fuzzy Hash: C0513875904209EFCB15CFA8CC84EAEBBF9EF48310F14C52DF94AA7291D635A940CB64
            APIs
              • Part of subcall function 006B0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00696C6C,?,00008000), ref: 006B0BB7
              • Part of subcall function 006948AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,006948A1,?,?,006937C0,?), ref: 006948CE
            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00696D0D
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00696E5A
              • Part of subcall function 006959CD: _wcscpy.LIBCMT ref: 00695A05
              • Part of subcall function 006B387D: _iswctype.LIBCMT ref: 006B3885
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
            • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
            • API String ID: 537147316-1018226102
            • Opcode ID: 2cb75980e186e4c247bde10ba537a9becb7b69630afceaa0cd58b9478d4e7590
            • Instruction ID: 87f0ef3829b4bb2e2e50c251f582dc48869d4bbd469637986867cd4ab7540bd0
            • Opcode Fuzzy Hash: 2cb75980e186e4c247bde10ba537a9becb7b69630afceaa0cd58b9478d4e7590
            • Instruction Fuzzy Hash: B9029B701083419FCB64EF24C881AAFBBEAEF98314F14491DF48A976A1DB31D949CB46
            APIs
            • _memset.LIBCMT ref: 006945F9
            • GetMenuItemCount.USER32(00756890), ref: 006CD7CD
            • GetMenuItemCount.USER32(00756890), ref: 006CD87D
            • GetCursorPos.USER32(?), ref: 006CD8C1
            • SetForegroundWindow.USER32(00000000), ref: 006CD8CA
            • TrackPopupMenuEx.USER32(00756890,00000000,?,00000000,00000000,00000000), ref: 006CD8DD
            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 006CD8E9
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
            • String ID:
            • API String ID: 2751501086-0
            • Opcode ID: 59d637d31a5c26f9fe2ff1c4a3aa949df286c724b083d1be37ba6342ae5a7f01
            • Instruction ID: 02e1f0a9b961ff5fbbb59c5e866d76f76332405cfc3ecb2b155d435d9d48ac2a
            • Opcode Fuzzy Hash: 59d637d31a5c26f9fe2ff1c4a3aa949df286c724b083d1be37ba6342ae5a7f01
            • Instruction Fuzzy Hash: 1D71D670601205BFEB219F14DC45FFABF6AFF05364F10422AF514A62D1CBB55861DBA4
            APIs
            • VariantInit.OLEAUT32(?), ref: 00708BEC
            • CoInitialize.OLE32(00000000), ref: 00708C19
            • CoUninitialize.OLE32 ref: 00708C23
            • GetRunningObjectTable.OLE32(00000000,?), ref: 00708D23
            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00708E50
            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00722C0C), ref: 00708E84
            • CoGetObject.OLE32(?,00000000,00722C0C,?), ref: 00708EA7
            • SetErrorMode.KERNEL32(00000000), ref: 00708EBA
            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00708F3A
            • VariantClear.OLEAUT32(?), ref: 00708F4A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
            • String ID: ,,r
            • API String ID: 2395222682-1227627816
            • Opcode ID: ee784f2870b85f42270fd8b350a7ccb5468d93b304aeacbe2e6e1f117db717f8
            • Instruction ID: a3f58be70a6e33a7616a531978f75dedc7d244f7b46aae4065fa18e43f1fbf76
            • Opcode Fuzzy Hash: ee784f2870b85f42270fd8b350a7ccb5468d93b304aeacbe2e6e1f117db717f8
            • Instruction Fuzzy Hash: 7EC123B1208305EFD740DF68C88496BB7E9BF88748F004A6DF5899B291DB75ED05CB62
            APIs
            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00710038,?,?), ref: 007110BC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: BuffCharUpper
            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
            • API String ID: 3964851224-909552448
            • Opcode ID: 96a988453326c40ae821e428337fb430065e73ca1ad43545c06470272b051079
            • Instruction ID: 304b2e5dfd845bd8cd9bff889bb009adf02dc8ff55b1d729926310ce3bc317b9
            • Opcode Fuzzy Hash: 96a988453326c40ae821e428337fb430065e73ca1ad43545c06470272b051079
            • Instruction Fuzzy Hash: 2B41507021024E9BDF10EF98DC91AEB3725BF15300F908468ED915B2D1D778ED9ACB54
            APIs
              • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
              • Part of subcall function 00697A84: _memmove.LIBCMT ref: 00697B0D
            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 006F55D2
            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 006F55E8
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 006F55F9
            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 006F560B
            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 006F561C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: SendString$_memmove
            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
            • API String ID: 2279737902-1007645807
            • Opcode ID: 5ac81ac0b7534df902b5986a6fde0c0981507b2d72d95f4b0ad46feeb0c49412
            • Instruction ID: 932ced228a12ec322f48e3a472b7e9923801b6d70bcbd0f9abcc3bf47bda6432
            • Opcode Fuzzy Hash: 5ac81ac0b7534df902b5986a6fde0c0981507b2d72d95f4b0ad46feeb0c49412
            • Instruction Fuzzy Hash: E41194715A016D79DB20BB65CC4ADFF7B7DEF91F00F400469B511A20E1EF641D05C5A5
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
            • String ID: 0.0.0.0
            • API String ID: 208665112-3771769585
            • Opcode ID: 1992868632ac972988e12afcea94b996e5d27041d918cea3a3e68290c95c6d38
            • Instruction ID: 84f9b9565ef38b8349c611e9e0e80f107d62eab85158879a0509ce1b5fbaec46
            • Opcode Fuzzy Hash: 1992868632ac972988e12afcea94b996e5d27041d918cea3a3e68290c95c6d38
            • Instruction Fuzzy Hash: E111D571A08119AFCB20EB289C06EEB77AD9F01720F048179F60596191EFB49AC18765
            APIs
            • timeGetTime.WINMM ref: 006F521C
              • Part of subcall function 006B0719: timeGetTime.WINMM(?,75A8B400,006A0FF9), ref: 006B071D
            • Sleep.KERNEL32(0000000A), ref: 006F5248
            • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 006F526C
            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 006F528E
            • SetActiveWindow.USER32 ref: 006F52AD
            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 006F52BB
            • SendMessageW.USER32(00000010,00000000,00000000), ref: 006F52DA
            • Sleep.KERNEL32(000000FA), ref: 006F52E5
            • IsWindow.USER32 ref: 006F52F1
            • EndDialog.USER32(00000000), ref: 006F5302
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
            • String ID: BUTTON
            • API String ID: 1194449130-3405671355
            • Opcode ID: a5adf3b2afa178f1961c55e227899d31b7a651ff9a654fc4e50bd993d47d75a6
            • Instruction ID: 1816aa94389e7c4427a59fd576a64fd8c83fd400524f5ffe87079aa017a29c7b
            • Opcode Fuzzy Hash: a5adf3b2afa178f1961c55e227899d31b7a651ff9a654fc4e50bd993d47d75a6
            • Instruction Fuzzy Hash: 53219571204708AFE7015B28FC89AF53B6BFB44347F00D528F302812B1EBA95D50D669
            APIs
              • Part of subcall function 00699997: __itow.LIBCMT ref: 006999C2
              • Part of subcall function 00699997: __swprintf.LIBCMT ref: 00699A0C
            • CoInitialize.OLE32(00000000), ref: 006FD855
            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 006FD8E8
            • SHGetDesktopFolder.SHELL32(?), ref: 006FD8FC
            • CoCreateInstance.OLE32(00722D7C,00000000,00000001,0074A89C,?), ref: 006FD948
            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 006FD9B7
            • CoTaskMemFree.OLE32(?,?), ref: 006FDA0F
            • _memset.LIBCMT ref: 006FDA4C
            • SHBrowseForFolderW.SHELL32(?), ref: 006FDA88
            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 006FDAAB
            • CoTaskMemFree.OLE32(00000000), ref: 006FDAB2
            • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 006FDAE9
            • CoUninitialize.OLE32(00000001,00000000), ref: 006FDAEB
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
            • String ID:
            • API String ID: 1246142700-0
            • Opcode ID: f320a3f02ec4f3609e18e129e13e3fa07269dba2afc5cae0c2311f84336efbe5
            • Instruction ID: aae7ad7e9b27e8ca490bfec04a8fcf29c389083385b7e63a06a92079c3839de4
            • Opcode Fuzzy Hash: f320a3f02ec4f3609e18e129e13e3fa07269dba2afc5cae0c2311f84336efbe5
            • Instruction Fuzzy Hash: 92B10F75A00109AFDB44DFA9C885DAEBBFAFF48314B0484A9F909EB251DB30ED41CB54
            APIs
            • GetKeyboardState.USER32(?), ref: 006F05A7
            • SetKeyboardState.USER32(?), ref: 006F0612
            • GetAsyncKeyState.USER32(000000A0), ref: 006F0632
            • GetKeyState.USER32(000000A0), ref: 006F0649
            • GetAsyncKeyState.USER32(000000A1), ref: 006F0678
            • GetKeyState.USER32(000000A1), ref: 006F0689
            • GetAsyncKeyState.USER32(00000011), ref: 006F06B5
            • GetKeyState.USER32(00000011), ref: 006F06C3
            • GetAsyncKeyState.USER32(00000012), ref: 006F06EC
            • GetKeyState.USER32(00000012), ref: 006F06FA
            • GetAsyncKeyState.USER32(0000005B), ref: 006F0723
            • GetKeyState.USER32(0000005B), ref: 006F0731
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: State$Async$Keyboard
            • String ID:
            • API String ID: 541375521-0
            • Opcode ID: a3c03796e2caf18652dab14e2ecf41ddf03409109f92bbd6b349df1a00585df3
            • Instruction ID: aba8f35879f6ccf38d3ec61b5b49f6ec17f2e463133f5359056c2a2f9e7a2b0f
            • Opcode Fuzzy Hash: a3c03796e2caf18652dab14e2ecf41ddf03409109f92bbd6b349df1a00585df3
            • Instruction Fuzzy Hash: E851FD60A0478C59FF34DBA085547FABFB69F02380F08859DD7C25A2C3DAA49A4CCF55
            APIs
            • GetDlgItem.USER32(?,00000001), ref: 006EC746
            • GetWindowRect.USER32(00000000,?), ref: 006EC758
            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 006EC7B6
            • GetDlgItem.USER32(?,00000002), ref: 006EC7C1
            • GetWindowRect.USER32(00000000,?), ref: 006EC7D3
            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 006EC827
            • GetDlgItem.USER32(?,000003E9), ref: 006EC835
            • GetWindowRect.USER32(00000000,?), ref: 006EC846
            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 006EC889
            • GetDlgItem.USER32(?,000003EA), ref: 006EC897
            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 006EC8B4
            • InvalidateRect.USER32(?,00000000,00000001), ref: 006EC8C1
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$ItemMoveRect$Invalidate
            • String ID:
            • API String ID: 3096461208-0
            • Opcode ID: fc018c03024da631007c06adea59d6b031a73864599245e404b87bdd24644443
            • Instruction ID: 70e99869d0ca81e6e7b7b9749fc50e3a146e063d0d57339542e7d9fff4980683
            • Opcode Fuzzy Hash: fc018c03024da631007c06adea59d6b031a73864599245e404b87bdd24644443
            • Instruction Fuzzy Hash: F7513B71B00205AFDB18CFADDD99AAEBBBAEB88310F14C12DF516D62E0D7709D008B14
            APIs
              • Part of subcall function 00691B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00692036,?,00000000,?,?,?,?,006916CB,00000000,?), ref: 00691B9A
            • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 006920D3
            • KillTimer.USER32(-00000001,?,?,?,?,006916CB,00000000,?,?,00691AE2,?,?), ref: 0069216E
            • DestroyAcceleratorTable.USER32(00000000), ref: 006CBEF6
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006916CB,00000000,?,?,00691AE2,?,?), ref: 006CBF27
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006916CB,00000000,?,?,00691AE2,?,?), ref: 006CBF3E
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,006916CB,00000000,?,?,00691AE2,?,?), ref: 006CBF5A
            • DeleteObject.GDI32(00000000), ref: 006CBF6C
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
            • String ID:
            • API String ID: 641708696-0
            • Opcode ID: 273186414bffd3e6e7a7de6d2cfa545587551d860df5c25f8ac12df3cf6bb9b0
            • Instruction ID: 4531bcfa4f56d0b42e935a221a96fc2bb0f60a73a9661ddb789f13bde54bc11b
            • Opcode Fuzzy Hash: 273186414bffd3e6e7a7de6d2cfa545587551d860df5c25f8ac12df3cf6bb9b0
            • Instruction Fuzzy Hash: CF617730100712EFCB259F18DD59BAAB7F6FB44312F50852CE55287AA0C7B9A891DF98
            APIs
              • Part of subcall function 006925DB: GetWindowLongW.USER32(?,000000EB), ref: 006925EC
            • GetSysColor.USER32(0000000F), ref: 006921D3
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ColorLongWindow
            • String ID:
            • API String ID: 259745315-0
            • Opcode ID: 00befb0916ee10b367ec8b92c6e9e90317273c51f77086aaaec705de626dcf23
            • Instruction ID: 6c043703a3069a47baf9b96505c2e7e4412e4962853cdb3685493b34b2a6d917
            • Opcode Fuzzy Hash: 00befb0916ee10b367ec8b92c6e9e90317273c51f77086aaaec705de626dcf23
            • Instruction Fuzzy Hash: 4B41D231004105BBDF255F28EC98BF93B6BEB06331F288265FD658A6E2C7358D42DB21
            APIs
            • CharLowerBuffW.USER32(?,?,0071F910), ref: 006FAB76
            • GetDriveTypeW.KERNEL32(00000061,0074A620,00000061), ref: 006FAC40
            • _wcscpy.LIBCMT ref: 006FAC6A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: BuffCharDriveLowerType_wcscpy
            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
            • API String ID: 2820617543-1000479233
            • Opcode ID: c4d9606ecb18a896b356023a72c4e6f2f68f8895ab4ee303a90abcb8c44e4c60
            • Instruction ID: 072e0815c277c80b97cae04453001083e4e350f95b7595fff329acff165a6fae
            • Opcode Fuzzy Hash: c4d9606ecb18a896b356023a72c4e6f2f68f8895ab4ee303a90abcb8c44e4c60
            • Instruction Fuzzy Hash: 0651CFB01583059BC750EF58C881ABFB7ABEF80300F14882DF59A576A2DB319D4ACB57
            APIs
              • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
              • Part of subcall function 00692344: GetCursorPos.USER32(?), ref: 00692357
              • Part of subcall function 00692344: ScreenToClient.USER32(007567B0,?), ref: 00692374
              • Part of subcall function 00692344: GetAsyncKeyState.USER32(00000001), ref: 00692399
              • Part of subcall function 00692344: GetAsyncKeyState.USER32(00000002), ref: 006923A7
            • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0071C2E4
            • ImageList_EndDrag.COMCTL32 ref: 0071C2EA
            • ReleaseCapture.USER32 ref: 0071C2F0
            • SetWindowTextW.USER32(?,00000000), ref: 0071C39A
            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0071C3AD
            • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0071C48F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
            • String ID: @GUI_DRAGFILE$@GUI_DROPID$pru$pru
            • API String ID: 1924731296-3743244019
            • Opcode ID: bccafdb522cf47c53f47b7cf2400e3adeb5f969af301f8cf97a5de572299d377
            • Instruction ID: 662cbb15ecc84bee89b5a0ce34108f9f4ceee9f972ffee6ddbe556510fb4ff84
            • Opcode Fuzzy Hash: bccafdb522cf47c53f47b7cf2400e3adeb5f969af301f8cf97a5de572299d377
            • Instruction Fuzzy Hash: 7651A370208344AFDB04DF18CC56FAA7BE5FB88311F04852DF9558B2E1DB79A984CB56
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: __i64tow__itow__swprintf
            • String ID: %.15g$0x%p$False$True
            • API String ID: 421087845-2263619337
            • Opcode ID: 696d121a5df9d4bef2e990a77d0494cb0035b938a5121dcb50f1c1217c6274e2
            • Instruction ID: 098825c509f9a18f1991bac7bffe227c5873113059527347eb13eda0c27f118f
            • Opcode Fuzzy Hash: 696d121a5df9d4bef2e990a77d0494cb0035b938a5121dcb50f1c1217c6274e2
            • Instruction Fuzzy Hash: 4A41E4B1604205AFEF24AF7CD842FBA77EFEB04300F24446EE549D7291EA719942CB21
            APIs
            • _memset.LIBCMT ref: 007173D9
            • CreateMenu.USER32 ref: 007173F4
            • SetMenu.USER32(?,00000000), ref: 00717403
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00717490
            • IsMenu.USER32(?), ref: 007174A6
            • CreatePopupMenu.USER32 ref: 007174B0
            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 007174DD
            • DrawMenuBar.USER32 ref: 007174E5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
            • String ID: 0$F
            • API String ID: 176399719-3044882817
            • Opcode ID: b0dfcb79e077460b672bc9503e3d6e343bba0139e08e2787470ac4154cc04800
            • Instruction ID: 448b7e932611ade45d4922e36dda1b5f7e0c512ccbb746056d471ef9a5493cf9
            • Opcode Fuzzy Hash: b0dfcb79e077460b672bc9503e3d6e343bba0139e08e2787470ac4154cc04800
            • Instruction Fuzzy Hash: 86415874A00245EFDB14DF68D884EDABBFAFF49310F148029ED55973A0D739A960CB94
            APIs
            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 007177CD
            • CreateCompatibleDC.GDI32(00000000), ref: 007177D4
            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 007177E7
            • SelectObject.GDI32(00000000,00000000), ref: 007177EF
            • GetPixel.GDI32(00000000,00000000,00000000), ref: 007177FA
            • DeleteDC.GDI32(00000000), ref: 00717803
            • GetWindowLongW.USER32(?,000000EC), ref: 0071780D
            • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00717821
            • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0071782D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
            • String ID: static
            • API String ID: 2559357485-2160076837
            • Opcode ID: 2323d8a338cb204d327e89ce75df15406ad0d1e1e6cc757f9c193e8de5ea12b2
            • Instruction ID: 9790a317536074295ec4a0ac15aa8979892c1087fc8d425f9c622ba230fe4535
            • Opcode Fuzzy Hash: 2323d8a338cb204d327e89ce75df15406ad0d1e1e6cc757f9c193e8de5ea12b2
            • Instruction Fuzzy Hash: F8316C31105219BBDF159FA8DC09FDA3B79EF09721F118224FA15A61E0C739D861DBA8
            APIs
            • _memset.LIBCMT ref: 006B707B
              • Part of subcall function 006B8D68: __getptd_noexit.LIBCMT ref: 006B8D68
            • __gmtime64_s.LIBCMT ref: 006B7114
            • __gmtime64_s.LIBCMT ref: 006B714A
            • __gmtime64_s.LIBCMT ref: 006B7167
            • __allrem.LIBCMT ref: 006B71BD
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006B71D9
            • __allrem.LIBCMT ref: 006B71F0
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006B720E
            • __allrem.LIBCMT ref: 006B7225
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006B7243
            • __invoke_watson.LIBCMT ref: 006B72B4
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
            • String ID:
            • API String ID: 384356119-0
            • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
            • Instruction ID: 3fb368e48253ce19883de08d2e633aa0aa079eda2af269bc1c731919869c0ec2
            • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
            • Instruction Fuzzy Hash: 4D71B8F1A04716ABD714AE79CC41BEAB3BAEF94324F14422EF514E7381E770DA808794
            APIs
            • _memset.LIBCMT ref: 006F2A31
            • GetMenuItemInfoW.USER32(00756890,000000FF,00000000,00000030), ref: 006F2A92
            • SetMenuItemInfoW.USER32(00756890,00000004,00000000,00000030), ref: 006F2AC8
            • Sleep.KERNEL32(000001F4), ref: 006F2ADA
            • GetMenuItemCount.USER32(?), ref: 006F2B1E
            • GetMenuItemID.USER32(?,00000000), ref: 006F2B3A
            • GetMenuItemID.USER32(?,-00000001), ref: 006F2B64
            • GetMenuItemID.USER32(?,?), ref: 006F2BA9
            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 006F2BEF
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006F2C03
            • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006F2C24
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
            • String ID:
            • API String ID: 4176008265-0
            • Opcode ID: 1c70e53bdca3c9193144dd2234207e2fdb84f8286256dce70d52792e72ba496e
            • Instruction ID: 4ff6fe0d0f0cf69fce10c3093fb83c3a88d5e6a237f35e03a482186255b2b79f
            • Opcode Fuzzy Hash: 1c70e53bdca3c9193144dd2234207e2fdb84f8286256dce70d52792e72ba496e
            • Instruction Fuzzy Hash: 8261AFB090024EAFDB21CF64C8A8DFE7BBAFB01308F144459EA41A7291D735AD55DF21
            APIs
            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00717214
            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00717217
            • GetWindowLongW.USER32(?,000000F0), ref: 0071723B
            • _memset.LIBCMT ref: 0071724C
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0071725E
            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 007172D6
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$LongWindow_memset
            • String ID:
            • API String ID: 830647256-0
            • Opcode ID: b113f049a9bd1eb9930011f4b9292499f71f012f69057fc1b04d170c8781190b
            • Instruction ID: 91c5a1011f8aa6406ba57fffc2e1eb217a5ffc07055ba04c4295493043a24021
            • Opcode Fuzzy Hash: b113f049a9bd1eb9930011f4b9292499f71f012f69057fc1b04d170c8781190b
            • Instruction Fuzzy Hash: C0618A71A00248AFDB10DFA8CC81EEE77F9EB09710F104159FA14A72E1C778AE85DB60
            APIs
            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 006E7135
            • SafeArrayAllocData.OLEAUT32(?), ref: 006E718E
            • VariantInit.OLEAUT32(?), ref: 006E71A0
            • SafeArrayAccessData.OLEAUT32(?,?), ref: 006E71C0
            • VariantCopy.OLEAUT32(?,?), ref: 006E7213
            • SafeArrayUnaccessData.OLEAUT32(?), ref: 006E7227
            • VariantClear.OLEAUT32(?), ref: 006E723C
            • SafeArrayDestroyData.OLEAUT32(?), ref: 006E7249
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006E7252
            • VariantClear.OLEAUT32(?), ref: 006E7264
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 006E726F
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
            • String ID:
            • API String ID: 2706829360-0
            • Opcode ID: 462767fa1dbecab26f7837f4bbb592aa0522a7da17bc852369c7914be33e96db
            • Instruction ID: c944421db154992343b5175bafedee21b987ed7d6b524ee0f5a9f1a90ae2bfb8
            • Opcode Fuzzy Hash: 462767fa1dbecab26f7837f4bbb592aa0522a7da17bc852369c7914be33e96db
            • Instruction Fuzzy Hash: 4A415135904259AFCF00DFA9DC449EEBBB9FF08354F00C069F915A7261DB34AA45CB94
            APIs
              • Part of subcall function 00699997: __itow.LIBCMT ref: 006999C2
              • Part of subcall function 00699997: __swprintf.LIBCMT ref: 00699A0C
            • CoInitialize.OLE32 ref: 00708718
            • CoUninitialize.OLE32 ref: 00708723
            • CoCreateInstance.OLE32(?,00000000,00000017,00722BEC,?), ref: 00708783
            • IIDFromString.OLE32(?,?), ref: 007087F6
            • VariantInit.OLEAUT32(?), ref: 00708890
            • VariantClear.OLEAUT32(?), ref: 007088F1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
            • API String ID: 834269672-1287834457
            • Opcode ID: 1b6a4d56debc0b1a4089ffe3b75449abda2dad63e73e420fd98babe62faef538
            • Instruction ID: 72d7dcebd113f22007c55816c835aa2a8984a3fd622ee46d2722c1f2cd1171e0
            • Opcode Fuzzy Hash: 1b6a4d56debc0b1a4089ffe3b75449abda2dad63e73e420fd98babe62faef538
            • Instruction Fuzzy Hash: 9B616970608701EFD750DF64C888B6ABBE8AF48714F148A1DF9859B2D1CB78E944CB97
            APIs
            • WSAStartup.WSOCK32(00000101,?), ref: 00705AA6
            • inet_addr.WSOCK32(?,?,?), ref: 00705AEB
            • gethostbyname.WSOCK32(?), ref: 00705AF7
            • IcmpCreateFile.IPHLPAPI ref: 00705B05
            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00705B75
            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00705B8B
            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00705C00
            • WSACleanup.WSOCK32 ref: 00705C06
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
            • String ID: Ping
            • API String ID: 1028309954-2246546115
            • Opcode ID: 8c2a702872d8b3e6b993673888b9cd723c5467d909242f1583e189bdca8a68a6
            • Instruction ID: 68a8f9c823e0156e4d008ae36f838717ea2cde1ab48618633c8d56d1551264cd
            • Opcode Fuzzy Hash: 8c2a702872d8b3e6b993673888b9cd723c5467d909242f1583e189bdca8a68a6
            • Instruction Fuzzy Hash: F2516B71604700EFDB119F28CC45B6ABBE5EB44710F148A29F956DB2E1DB78E8008F59
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 006FB73B
            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 006FB7B1
            • GetLastError.KERNEL32 ref: 006FB7BB
            • SetErrorMode.KERNEL32(00000000,READY), ref: 006FB828
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Error$Mode$DiskFreeLastSpace
            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
            • API String ID: 4194297153-14809454
            • Opcode ID: 1dcba59df83dd1ded05d4ab1d78db2fc69fbcc498198df384a8ad3a604ee95ef
            • Instruction ID: c069e1003da32aded34d96e729d404af95c0fe2a89590622de172fbdfe9376e2
            • Opcode Fuzzy Hash: 1dcba59df83dd1ded05d4ab1d78db2fc69fbcc498198df384a8ad3a604ee95ef
            • Instruction Fuzzy Hash: A6319275A4020DAFDB00FF68C885AFEBBBAEF84740F148029E616D7291DB759942C751
            APIs
              • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
              • Part of subcall function 006EB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006EB0E7
            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 006E94F6
            • GetDlgCtrlID.USER32 ref: 006E9501
            • GetParent.USER32 ref: 006E951D
            • SendMessageW.USER32(00000000,?,00000111,?), ref: 006E9520
            • GetDlgCtrlID.USER32(?), ref: 006E9529
            • GetParent.USER32(?), ref: 006E9545
            • SendMessageW.USER32(00000000,?,?,00000111), ref: 006E9548
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$CtrlParent$ClassName_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 1536045017-1403004172
            • Opcode ID: c057b42b68efba2a648565f1d64239ce50cbe81b7cee01407e6a611a42437764
            • Instruction ID: ecc2175719b152feef2b38dd003ce7c10d836ec2b5dad4c48527e8823c2a1825
            • Opcode Fuzzy Hash: c057b42b68efba2a648565f1d64239ce50cbe81b7cee01407e6a611a42437764
            • Instruction Fuzzy Hash: B321F470901304BBCF01AB65CC85DFEBB7AEF45310F108119F922972E1DB795919DB24
            APIs
              • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
              • Part of subcall function 006EB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006EB0E7
            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 006E95DF
            • GetDlgCtrlID.USER32 ref: 006E95EA
            • GetParent.USER32 ref: 006E9606
            • SendMessageW.USER32(00000000,?,00000111,?), ref: 006E9609
            • GetDlgCtrlID.USER32(?), ref: 006E9612
            • GetParent.USER32(?), ref: 006E962E
            • SendMessageW.USER32(00000000,?,?,00000111), ref: 006E9631
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$CtrlParent$ClassName_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 1536045017-1403004172
            • Opcode ID: cd2fe146cfcc3b7fe77138798f8ef8a628185da8f079124a6d1caba3a3867091
            • Instruction ID: 498894e64ac4e851df1d70b413a2d571350520c51ed1cff6d22426aea92af9a2
            • Opcode Fuzzy Hash: cd2fe146cfcc3b7fe77138798f8ef8a628185da8f079124a6d1caba3a3867091
            • Instruction Fuzzy Hash: D721B374901344BBDF01EB65CC85EFEBB7AEF48300F10805AF921972E1DB7999199B24
            APIs
            • GetParent.USER32 ref: 006E9651
            • GetClassNameW.USER32(00000000,?,00000100), ref: 006E9666
            • _wcscmp.LIBCMT ref: 006E9678
            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 006E96F3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ClassMessageNameParentSend_wcscmp
            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
            • API String ID: 1704125052-3381328864
            • Opcode ID: 746f38c45cf6dd5d4645fa70104bbc84b255a063823644c8377bea56b6b1e1e5
            • Instruction ID: ed9328d20297e38e2fd7ec1c93b41d400ba2203a05c5dd0c8e797e3017ab7375
            • Opcode Fuzzy Hash: 746f38c45cf6dd5d4645fa70104bbc84b255a063823644c8377bea56b6b1e1e5
            • Instruction Fuzzy Hash: 1B112CB6249357BAFB112626DC07DE7B79E8F04360F30402BFA00A51D1FF9559514A6C
            APIs
            • __swprintf.LIBCMT ref: 006F419D
            • __swprintf.LIBCMT ref: 006F41AA
              • Part of subcall function 006B38D8: __woutput_l.LIBCMT ref: 006B3931
            • FindResourceW.KERNEL32(?,?,0000000E), ref: 006F41D4
            • LoadResource.KERNEL32(?,00000000), ref: 006F41E0
            • LockResource.KERNEL32(00000000), ref: 006F41ED
            • FindResourceW.KERNEL32(?,?,00000003), ref: 006F420D
            • LoadResource.KERNEL32(?,00000000), ref: 006F421F
            • SizeofResource.KERNEL32(?,00000000), ref: 006F422E
            • LockResource.KERNEL32(?), ref: 006F423A
            • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 006F429B
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
            • String ID:
            • API String ID: 1433390588-0
            • Opcode ID: f622cfab551e4742ffd5ee181e7d78275006e09220b889588bce65e5512b1247
            • Instruction ID: 8673a0d7a7d81c4a387a9fccbf71008a358d400253ac19e677bd72510bffdfff
            • Opcode Fuzzy Hash: f622cfab551e4742ffd5ee181e7d78275006e09220b889588bce65e5512b1247
            • Instruction Fuzzy Hash: 96317EB160521AABDB119F64EC44AFF7BAAFF08301F008535FA05D2650EB74DA61CBA4
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 006F1700
            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,006F0778,?,00000001), ref: 006F1714
            • GetWindowThreadProcessId.USER32(00000000), ref: 006F171B
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006F0778,?,00000001), ref: 006F172A
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 006F173C
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006F0778,?,00000001), ref: 006F1755
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006F0778,?,00000001), ref: 006F1767
            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,006F0778,?,00000001), ref: 006F17AC
            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,006F0778,?,00000001), ref: 006F17C1
            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,006F0778,?,00000001), ref: 006F17CC
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
            • String ID:
            • API String ID: 2156557900-0
            • Opcode ID: 4bac9a40ceb4371e8c5f9de824b3dbd24aa74a389eef22ce4481c593f27caa47
            • Instruction ID: fe8d83015db0a08a0ffec26f687d6eaa32e84cb385a82adb399863cd0af2d3cd
            • Opcode Fuzzy Hash: 4bac9a40ceb4371e8c5f9de824b3dbd24aa74a389eef22ce4481c593f27caa47
            • Instruction Fuzzy Hash: 6B319F75600308EBDB15EF14EC84BF977BAAB16792F10C015FA099A3E0D7B89D41CB54
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Variant$ClearInit$_memset
            • String ID: ,,r$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
            • API String ID: 2862541840-2506191893
            • Opcode ID: a93bc1aae0ca54b84016430597d2f8fef348d4ed5bb8fc8c82683ba30cd20295
            • Instruction ID: 8e3e67663b39227ba2be49ba288c6c9ad985ee5e14e8515bb03da06ec83a84a1
            • Opcode Fuzzy Hash: a93bc1aae0ca54b84016430597d2f8fef348d4ed5bb8fc8c82683ba30cd20295
            • Instruction Fuzzy Hash: 6F918C71A00219EBDF24DFA5CC44FAEB7B8EF45310F108259F615AB282D7789941CBA4
            APIs
            • EnumChildWindows.USER32(?,006EAA64), ref: 006EA9A2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ChildEnumWindows
            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
            • API String ID: 3555792229-1603158881
            • Opcode ID: c494039843d7ea1383c3be7b43f1629f8ce447d0ef61a37b93f2f1cd4630398d
            • Instruction ID: 54681b0401b3f2d4c27ece616c5bb3cebd71563352d84f11314ed0124e6f3827
            • Opcode Fuzzy Hash: c494039843d7ea1383c3be7b43f1629f8ce447d0ef61a37b93f2f1cd4630398d
            • Instruction Fuzzy Hash: 5891C770601346ABDF48DFA1C481BEAFB76BF04300F51812DD58AA7242DF30799ACB95
            APIs
            • SetWindowLongW.USER32(?,000000EB), ref: 00692EAE
              • Part of subcall function 00691DB3: GetClientRect.USER32(?,?), ref: 00691DDC
              • Part of subcall function 00691DB3: GetWindowRect.USER32(?,?), ref: 00691E1D
              • Part of subcall function 00691DB3: ScreenToClient.USER32(?,?), ref: 00691E45
            • GetDC.USER32 ref: 006CCF82
            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 006CCF95
            • SelectObject.GDI32(00000000,00000000), ref: 006CCFA3
            • SelectObject.GDI32(00000000,00000000), ref: 006CCFB8
            • ReleaseDC.USER32(?,00000000), ref: 006CCFC0
            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 006CD04B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
            • String ID: U
            • API String ID: 4009187628-3372436214
            • Opcode ID: 989a1713afc2602fbb17c8c573c774dd64b255d1941428db0ebc1d9893f3fcee
            • Instruction ID: 108d4668f243b762d85bdb9d92fb0a533dd187a2b8fa8262759df0c120bcfe77
            • Opcode Fuzzy Hash: 989a1713afc2602fbb17c8c573c774dd64b255d1941428db0ebc1d9893f3fcee
            • Instruction Fuzzy Hash: A6719D30500205EFCF218F68C895EFA7BBBFF49364F14826EED555A2A6D7318842DB60
            APIs
            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0071F910), ref: 0070903D
            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0071F910), ref: 00709071
            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 007091EB
            • SysFreeString.OLEAUT32(?), ref: 00709215
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Free$FileLibraryModuleNamePathQueryStringType
            • String ID:
            • API String ID: 560350794-0
            • Opcode ID: 80927e7df350a64bb7fd71a534390146c2835fd0a8b6a1e60a5a13c307c0c9a2
            • Instruction ID: 03b75446a028d98d5ed5df7ca7472a24c4d7fc5da4945f182b97c10a19ccb02b
            • Opcode Fuzzy Hash: 80927e7df350a64bb7fd71a534390146c2835fd0a8b6a1e60a5a13c307c0c9a2
            • Instruction Fuzzy Hash: D1F10971A00209EFDF04DF94C888EAEB7B9FF49314F108559FA15AB291DB35AE45CB50
            APIs
            • _memset.LIBCMT ref: 0070F9C9
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0070FB5C
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0070FB80
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0070FBC0
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0070FBE2
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0070FD5E
            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 0070FD90
            • CloseHandle.KERNEL32(?), ref: 0070FDBF
            • CloseHandle.KERNEL32(?), ref: 0070FE36
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
            • String ID:
            • API String ID: 4090791747-0
            • Opcode ID: 08b50689ca74adae172cb63437700761858c034fff10dc9b9c13cff06a0f29bd
            • Instruction ID: 70bad4b3686520ce1d6df72169c8c24ea7f2dab72a17176a3e0747fd64bdbe3d
            • Opcode Fuzzy Hash: 08b50689ca74adae172cb63437700761858c034fff10dc9b9c13cff06a0f29bd
            • Instruction Fuzzy Hash: F7E1D271204301DFCB64EF24C891A6ABBE6BF85314F14856DF8998B6E2CB35EC41CB56
            APIs
              • Part of subcall function 006F48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006F38D3,?), ref: 006F48C7
              • Part of subcall function 006F48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006F38D3,?), ref: 006F48E0
              • Part of subcall function 006F4CD3: GetFileAttributesW.KERNEL32(?,006F3947), ref: 006F4CD4
            • lstrcmpiW.KERNEL32(?,?), ref: 006F4FE2
            • _wcscmp.LIBCMT ref: 006F4FFC
            • MoveFileW.KERNEL32(?,?), ref: 006F5017
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
            • String ID:
            • API String ID: 793581249-0
            • Opcode ID: 1ddfeac077567fcf691254b0cfc02b2da19fb9ec2c0e4aa4e69da9051df3443a
            • Instruction ID: c49d7263566db8703dc9698bc3c5e2dce37c62b6fdb753f02e2925bc3afb1333
            • Opcode Fuzzy Hash: 1ddfeac077567fcf691254b0cfc02b2da19fb9ec2c0e4aa4e69da9051df3443a
            • Instruction Fuzzy Hash: E15177B20087855BC764DB54CC859EFB3EDAF85340F00492EF299D3191EF74E589876A
            APIs
            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0071896E
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: InvalidateRect
            • String ID:
            • API String ID: 634782764-0
            • Opcode ID: ad078a5cbe2ea77d4e065e39b4a9e934e898bcd172bec22ef832cd70e17c4895
            • Instruction ID: 0960b8d89b892f5f3a97100f836ae0c31adb6348fd0fd57041732fadbc180fd3
            • Opcode Fuzzy Hash: ad078a5cbe2ea77d4e065e39b4a9e934e898bcd172bec22ef832cd70e17c4895
            • Instruction Fuzzy Hash: FD518230500204BBDFA09F2CCC89BE97B65AF05354F608116F515E66E1DF79EAC0DB86
            APIs
            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 006CC547
            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 006CC569
            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 006CC581
            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 006CC59F
            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 006CC5C0
            • DestroyIcon.USER32(00000000), ref: 006CC5CF
            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 006CC5EC
            • DestroyIcon.USER32(?), ref: 006CC5FB
              • Part of subcall function 0071A71E: DeleteObject.GDI32(00000000), ref: 0071A757
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
            • String ID:
            • API String ID: 2819616528-0
            • Opcode ID: f139bcff02c370cb32fa22645b6b07c4a5b5d3f22aa18bf0d964ccb9bd443859
            • Instruction ID: 15a66c40c2fc8e9385f7c005718d608b6b9d6c4e01444062f36a83ad77a97c48
            • Opcode Fuzzy Hash: f139bcff02c370cb32fa22645b6b07c4a5b5d3f22aa18bf0d964ccb9bd443859
            • Instruction Fuzzy Hash: CC51577460020AAFDF20DF28CC55FAA37EAEB58324F508528F906976A0DB74E991DB54
            APIs
              • Part of subcall function 006EAE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 006EAE77
              • Part of subcall function 006EAE57: GetCurrentThreadId.KERNEL32 ref: 006EAE7E
              • Part of subcall function 006EAE57: AttachThreadInput.USER32(00000000,?,006E9B65,?,00000001), ref: 006EAE85
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 006E9B70
            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006E9B8D
            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 006E9B90
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 006E9B99
            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 006E9BB7
            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006E9BBA
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 006E9BC3
            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 006E9BDA
            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 006E9BDD
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
            • String ID:
            • API String ID: 2014098862-0
            • Opcode ID: 8d6f19470673af8337659a9846c39c76162fd90fac26a5ca9102cd15f0e1ccf1
            • Instruction ID: 1a73a2d8f61c00057cf4926d43ac8d763a2a3d154abefdac08cd551da6bd6ccf
            • Opcode Fuzzy Hash: 8d6f19470673af8337659a9846c39c76162fd90fac26a5ca9102cd15f0e1ccf1
            • Instruction Fuzzy Hash: 6D11E571550618BEF6106B65DC49FAA3B1DEF4C751F108429F254AB0E0C9F26C10EAA8
            APIs
            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,006E8A84,00000B00,?,?), ref: 006E8E0C
            • HeapAlloc.KERNEL32(00000000,?,006E8A84,00000B00,?,?), ref: 006E8E13
            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,006E8A84,00000B00,?,?), ref: 006E8E28
            • GetCurrentProcess.KERNEL32(?,00000000,?,006E8A84,00000B00,?,?), ref: 006E8E30
            • DuplicateHandle.KERNEL32(00000000,?,006E8A84,00000B00,?,?), ref: 006E8E33
            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,006E8A84,00000B00,?,?), ref: 006E8E43
            • GetCurrentProcess.KERNEL32(006E8A84,00000000,?,006E8A84,00000B00,?,?), ref: 006E8E4B
            • DuplicateHandle.KERNEL32(00000000,?,006E8A84,00000B00,?,?), ref: 006E8E4E
            • CreateThread.KERNEL32(00000000,00000000,006E8E74,00000000,00000000,00000000), ref: 006E8E68
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
            • String ID:
            • API String ID: 1957940570-0
            • Opcode ID: 56f5ce3d648e29cb66186a16302adae4ff5f033c966216973c4f1fde37b3459b
            • Instruction ID: c433cc73187ff11f0e1d04562aab9c79d37e891d263620a7bc86c7c45ff8a4f8
            • Opcode Fuzzy Hash: 56f5ce3d648e29cb66186a16302adae4ff5f033c966216973c4f1fde37b3459b
            • Instruction Fuzzy Hash: B701ACB5240348FFE610AB69DC49F9B3B6DEB89711F01C521FA05DB1D1CA759C009A24
            APIs
              • Part of subcall function 006E7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E758C,80070057,?,?,?,006E799D), ref: 006E766F
              • Part of subcall function 006E7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E758C,80070057,?,?), ref: 006E768A
              • Part of subcall function 006E7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E758C,80070057,?,?), ref: 006E7698
              • Part of subcall function 006E7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E758C,80070057,?), ref: 006E76A8
            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 00709B1B
            • _memset.LIBCMT ref: 00709B28
            • _memset.LIBCMT ref: 00709C6B
            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 00709C97
            • CoTaskMemFree.OLE32(?), ref: 00709CA2
            Strings
            • NULL Pointer assignment, xrefs: 00709CF0
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
            • String ID: NULL Pointer assignment
            • API String ID: 1300414916-2785691316
            • Opcode ID: b2737a935a1717d7a9a3abf81843afa02aba4ed0fe31374cb16d79659c5d90d0
            • Instruction ID: a008327ab66c5b18f4033ba5c0a1fe820b81fb7a4129fe90dad1d1ae3d2c81a7
            • Opcode Fuzzy Hash: b2737a935a1717d7a9a3abf81843afa02aba4ed0fe31374cb16d79659c5d90d0
            • Instruction Fuzzy Hash: 05914971D00229EBDF10DFA5DC80ADEBBB9EF08310F208159F519A7291DB359A44CFA4
            APIs
            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00717093
            • SendMessageW.USER32(?,00001036,00000000,?), ref: 007170A7
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 007170C1
            • _wcscat.LIBCMT ref: 0071711C
            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00717133
            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00717161
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$Window_wcscat
            • String ID: SysListView32
            • API String ID: 307300125-78025650
            • Opcode ID: b175a793f7fab53b33c10a145f79330845448aa1ad896008fe25142cddfc3fa5
            • Instruction ID: f56c33c4b4e7c96ac5d50a3c05b1739dec8635213e98517ccb09b0d04d4ea8ba
            • Opcode Fuzzy Hash: b175a793f7fab53b33c10a145f79330845448aa1ad896008fe25142cddfc3fa5
            • Instruction Fuzzy Hash: 6741AF70A04308AFEB259F68CC85BEA77B9EF08350F10452AF944A71D2D67A9DC4CB64
            APIs
              • Part of subcall function 006F3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 006F3EB6
              • Part of subcall function 006F3E91: Process32FirstW.KERNEL32(00000000,?), ref: 006F3EC4
              • Part of subcall function 006F3E91: CloseHandle.KERNEL32(00000000), ref: 006F3F8E
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0070ECB8
            • GetLastError.KERNEL32 ref: 0070ECCB
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0070ECFA
            • TerminateProcess.KERNEL32(00000000,00000000), ref: 0070ED77
            • GetLastError.KERNEL32(00000000), ref: 0070ED82
            • CloseHandle.KERNEL32(00000000), ref: 0070EDB7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
            • String ID: SeDebugPrivilege
            • API String ID: 2533919879-2896544425
            • Opcode ID: 687bf375dc98c751077f591d36f64ad53c2e3e3bfa76aa95028a043841657667
            • Instruction ID: b87fe9a441dc68ecabeedfb15e6440c9146e28792a8977febbec41ff828a97f5
            • Opcode Fuzzy Hash: 687bf375dc98c751077f591d36f64ad53c2e3e3bfa76aa95028a043841657667
            • Instruction Fuzzy Hash: 6E41AC713042009FDB14EF28CC95F6EB7A6EF50714F08846DF9469B2D2DB79A804CB9A
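The block above is the one a triage analyst stops at: process enumeration via Toolhelp32, OpenProcess with desired access 00000001 (PROCESS_TERMINATE), TerminateProcess, and the literal "SeDebugPrivilege" in the same function. The following Python is an added example, not part of the Joe Sandbox report and not code from the sample; it parses function blocks in exactly the listing format shown on this page (the "APIs" line, bullet lines of the form `Name.MODULE(args), ref: addr`, "Part of subcall function" lines, and the "String ID" line) and tags each block with capability heuristics. The constant values for PROCESS_TERMINATE, WM_KEYDOWN and WM_KEYUP are assumed to be the standard winnt.h/winuser.h values, and the tag rules are the editor's own heuristics, not anything Joe Sandbox emits. The sample input is an excerpt copied from the blocks on this page.

```python
import re

# One API-call line of a Joe Sandbox function block, for example:
#   • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0070ECB8
#   • Part of subcall function 006F3E91: Process32FirstW.KERNEL32(00000000,?), ref: 006F3EC4
#   • _memset.LIBCMT ref: 0070F9C9          (no argument list at all)
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>[A-Za-z_][\w:@]*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)",
    re.IGNORECASE,
)
STRING_ID = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")

# Assumed standard Windows constants (winnt.h / winuser.h); the report prints
# them as raw hex arguments, so they are decoded here for the heuristics.
PROCESS_TERMINATE = 0x0001
WM_KEYDOWN, WM_KEYUP = 0x0100, 0x0101


def parse_blocks(report_text):
    """Split a listing into per-function blocks; each block starts at an 'APIs' line."""
    blocks, cur = [], None
    for line in report_text.splitlines():
        if line.strip() == "APIs":
            cur = {"calls": [], "strings": []}
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            cur["calls"].append({"api": m["api"], "module": m["module"].upper(),
                                 "args": args, "ref": m["ref"].upper(),
                                 "subcall": bool(m["sub"])})
            continue
        m = STRING_ID.match(line)
        if m and m["ids"].strip():
            # Joe Sandbox joins several strings with '$'
            cur["strings"].extend(s for s in m["ids"].split("$") if s)
    return blocks


def _hex_arg(call, idx):
    """Argument idx as an int, or None when it is '?' or missing."""
    try:
        return int(call["args"][idx], 16)
    except (IndexError, ValueError):
        return None


def classify(block):
    """Return the set of heuristic capability tags for one parsed block."""
    apis = {c["api"] for c in block["calls"]}
    tags = set()
    if {"CreateToolhelp32Snapshot", "Process32FirstW"} <= apis:
        tags.add("process-enumeration")
    if {"OpenProcess", "TerminateProcess"} <= apis:
        tags.add("process-termination")
        if any(c["api"] == "OpenProcess" and _hex_arg(c, 0) == PROCESS_TERMINATE
               for c in block["calls"]):
            tags.add("openprocess-PROCESS_TERMINATE")
    if "SeDebugPrivilege" in block["strings"]:
        tags.add("sedebugprivilege-string")
    # AttachThreadInput followed by posted WM_KEYDOWN/WM_KEYUP is synthetic input
    if "AttachThreadInput" in apis and any(
            c["api"] == "PostMessageW" and _hex_arg(c, 1) in (WM_KEYDOWN, WM_KEYUP)
            for c in block["calls"]):
        tags.add("synthetic-keystrokes")
    if "CreateProcessW" in apis:
        tags.add("process-creation")
    return tags


def triage(report_text):
    """List of (block index, sorted tags) for every block that got at least one tag."""
    out = []
    for i, b in enumerate(parse_blocks(report_text)):
        tags = classify(b)
        if tags:
            out.append((i, sorted(tags)))
    return out


# Excerpt copied from the function listing on this page (three blocks).
SAMPLE = """\
APIs
  • Part of subcall function 006F3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 006F3EB6
  • Part of subcall function 006F3E91: Process32FirstW.KERNEL32(00000000,?), ref: 006F3EC4
  • Part of subcall function 006F3E91: CloseHandle.KERNEL32(00000000), ref: 006F3F8E
• OpenProcess.KERNEL32(00000001,00000000,?), ref: 0070ECB8
• GetLastError.KERNEL32 ref: 0070ECCB
• TerminateProcess.KERNEL32(00000000,00000000), ref: 0070ED77
• CloseHandle.KERNEL32(00000000), ref: 0070EDB7
Similarity
• String ID: SeDebugPrivilege
APIs
  • Part of subcall function 006EAE57: AttachThreadInput.USER32(00000000,?,006E9B65,?,00000001), ref: 006EAE85
• MapVirtualKeyW.USER32(00000025,00000000), ref: 006E9B70
• PostMessageW.USER32(?,00000100,00000025,00000000), ref: 006E9B8D
• Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 006E9B90
• String ID:
APIs
• InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0071896E
• String ID:
"""

if __name__ == "__main__":
    for idx, tags in triage(SAMPLE):
        print(f"block {idx}: {', '.join(tags)}")
```

Run it against a saved copy of the report text instead of `SAMPLE` to get a ranked list of the functions worth opening in the snapshot; the benign GUI blocks (InvalidateRect, ShowWindow, font and icon handling) fall out with no tags, which is the point of the filter.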
            APIs
            • LoadIconW.USER32(00000000,00007F03), ref: 006F32C5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: IconLoad
            • String ID: blank$info$question$stop$warning
            • API String ID: 2457776203-404129466
            • Opcode ID: 2c073a48d4e1e258ef51275f1a619303aafc9d3f93b596089daa6b582918d692
            • Instruction ID: 0db803288b130474f762f77d012428a255e9868936332241b3855e540b5e0e0c
            • Opcode Fuzzy Hash: 2c073a48d4e1e258ef51275f1a619303aafc9d3f93b596089daa6b582918d692
            • Instruction Fuzzy Hash: E811EB7134836EBBA7115A58DC42CFAB39DEF19374F10002AF600563C1D7B55B8146A9
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 006F454E
            • LoadStringW.USER32(00000000), ref: 006F4555
            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 006F456B
            • LoadStringW.USER32(00000000), ref: 006F4572
            • _wprintf.LIBCMT ref: 006F4598
            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 006F45B6
            Strings
            • %s (%d) : ==> %s: %s %s, xrefs: 006F4593
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: HandleLoadModuleString$Message_wprintf
            • String ID: %s (%d) : ==> %s: %s %s
            • API String ID: 3648134473-3128320259
            • Opcode ID: 4b054a6c1cc90707ec1eb615a322b4c3a28bde0e3af14b4708fc2b58461df2ca
            • Instruction ID: 7a27e4661ba331fffa4508f65516ad67c4754099f8e08ead37dcfff0370cc0de
            • Opcode Fuzzy Hash: 4b054a6c1cc90707ec1eb615a322b4c3a28bde0e3af14b4708fc2b58461df2ca
            • Instruction Fuzzy Hash: 83014FF290020CBFE750E7A49D89EF7776CDB08301F4085A6FB49D2191EA789E858B74
            APIs
              • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
            • GetSystemMetrics.USER32(0000000F), ref: 0071D78A
            • GetSystemMetrics.USER32(0000000F), ref: 0071D7AA
            • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0071D9E5
            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0071DA03
            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0071DA24
            • ShowWindow.USER32(00000003,00000000), ref: 0071DA43
            • InvalidateRect.USER32(?,00000000,00000001), ref: 0071DA68
            • DefDlgProcW.USER32(?,00000005,?,?), ref: 0071DA8B
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
            • String ID:
            • API String ID: 1211466189-0
            • Opcode ID: 43350ffa0be0cc6826dae4b8b57f21a4485e85ed0e88b4626258b01bcf17b64e
            • Instruction ID: c142a97ccd502ceeee9bc8964e2b76b8aa62acee642fc7a45aae7370890ad2d3
            • Opcode Fuzzy Hash: 43350ffa0be0cc6826dae4b8b57f21a4485e85ed0e88b4626258b01bcf17b64e
            • Instruction Fuzzy Hash: 87B15771600225ABDF28CF6DC9897E97BB2FF44711F08C169ED489A295D738AD90CF90
            APIs
            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,006CC417,00000004,00000000,00000000,00000000), ref: 00692ACF
            • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,006CC417,00000004,00000000,00000000,00000000,000000FF), ref: 00692B17
            • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,006CC417,00000004,00000000,00000000,00000000), ref: 006CC46A
            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,006CC417,00000004,00000000,00000000,00000000), ref: 006CC4D6
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ShowWindow
            • String ID:
            • API String ID: 1268545403-0
            • Opcode ID: 1f2dbbaf327d3864ad1d6c90225304acab987433cb3cee4f759704fa5b0f316b
            • Instruction ID: d96d53e843bf3dc48db80168042c143253a4f596bbd7a6f1aaec96c5646b43ec
            • Opcode Fuzzy Hash: 1f2dbbaf327d3864ad1d6c90225304acab987433cb3cee4f759704fa5b0f316b
            • Instruction Fuzzy Hash: 6041FB32608681BACF398B2C8CBCBFA7BDBEB55314F54C41DE04B46EA1C675A846D714
            APIs
            • InterlockedExchange.KERNEL32(?,000001F5), ref: 006F737F
              • Part of subcall function 006B0FF6: std::exception::exception.LIBCMT ref: 006B102C
              • Part of subcall function 006B0FF6: __CxxThrowException@8.LIBCMT ref: 006B1041
            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 006F73B6
            • EnterCriticalSection.KERNEL32(?), ref: 006F73D2
            • _memmove.LIBCMT ref: 006F7420
            • _memmove.LIBCMT ref: 006F743D
            • LeaveCriticalSection.KERNEL32(?), ref: 006F744C
            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 006F7461
            • InterlockedExchange.KERNEL32(?,000001F6), ref: 006F7480
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
            • String ID:
            • API String ID: 256516436-0
            • Opcode ID: 79ac94c53906dc5126e8991e2b67efde8258bbbb54697e78875ef37abee9c71c
            • Instruction ID: c519dd08c6a08bbc05f6ca8555fb0863fe1962b75f5f4719ab7c0f18eb01e125
            • Opcode Fuzzy Hash: 79ac94c53906dc5126e8991e2b67efde8258bbbb54697e78875ef37abee9c71c
            • Instruction Fuzzy Hash: A931B271900109EBDF10EF58DC85AEF7BB9FF45310B1481A9FD04AB286DB309A50CBA8
            APIs
            • DeleteObject.GDI32(00000000), ref: 0071645A
            • GetDC.USER32(00000000), ref: 00716462
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0071646D
            • ReleaseDC.USER32(00000000,00000000), ref: 00716479
            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 007164B5
            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 007164C6
            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00719299,?,?,000000FF,00000000,?,000000FF,?), ref: 00716500
            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00716520
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
            • String ID:
            • API String ID: 3864802216-0
            • Opcode ID: 9e8e0a9a40312240073101de2a81793e716a48cdc23550106004ec9fbbb4a519
            • Instruction ID: 338811e5795eeb472b40ae44da38a8420f21f722f67ce222199d31025734bc98
            • Opcode Fuzzy Hash: 9e8e0a9a40312240073101de2a81793e716a48cdc23550106004ec9fbbb4a519
            • Instruction Fuzzy Hash: 80316D72201214BFEB118F58DC4AFEA3FAAEF09761F048065FE089A1D1D6799851CB74
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            • Opcode ID: c8ccc19926849e301383da79feeef370825d7497a73a2476860e1153c1edb89a
            • Instruction ID: 04fbe7c9a3581ce9357f49e477ac275297649b7dc3048dc8e35f527f57b49ccb
            • Opcode Fuzzy Hash: c8ccc19926849e301383da79feeef370825d7497a73a2476860e1153c1edb89a
            • Instruction Fuzzy Hash: 5C21F5F1702355BBDA50A6229C52FEF239FAF513B4B440024FD059A383F716DE5382A9
            APIs
              • Part of subcall function 00699997: __itow.LIBCMT ref: 006999C2
              • Part of subcall function 00699997: __swprintf.LIBCMT ref: 00699A0C
              • Part of subcall function 006AFEC6: _wcscpy.LIBCMT ref: 006AFEE9
            • _wcstok.LIBCMT ref: 006FEEFF
            • _wcscpy.LIBCMT ref: 006FEF8E
            • _memset.LIBCMT ref: 006FEFC1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
            • String ID: X
            • API String ID: 774024439-3081909835
            • Opcode ID: ab6fa5d9affab01e2c062d0c8e5fd3a24cb5afb6455fdce38a2423bce5ea7df5
            • Instruction ID: c406997ec0e88ad39cc02dd61b9b5ca443b38a3f8b1b0c9fd924a5afd558b156
            • Opcode Fuzzy Hash: ab6fa5d9affab01e2c062d0c8e5fd3a24cb5afb6455fdce38a2423bce5ea7df5
            • Instruction Fuzzy Hash: 49C18271508300DFCB64EF28C881AAAB7E6BF84314F04496DF599976A2DB30ED45CB96
            APIs
            • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00706F14
            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00706F35
            • WSAGetLastError.WSOCK32(00000000), ref: 00706F48
            • htons.WSOCK32(?,?,?,00000000,?), ref: 00706FFE
            • inet_ntoa.WSOCK32(?), ref: 00706FBB
              • Part of subcall function 006EAE14: _strlen.LIBCMT ref: 006EAE1E
              • Part of subcall function 006EAE14: _memmove.LIBCMT ref: 006EAE40
            • _strlen.LIBCMT ref: 00707058
            • _memmove.LIBCMT ref: 007070C1
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
            • String ID:
            • API String ID: 3619996494-0
            • Opcode ID: e28a61e426da6494595720f108a13eb5d70657e0f62a71c8305fdfe45cea398d
            • Instruction ID: 5df2b8cf6fd85b2e410be12912c487ec41a298e7cc335ce15eb8e5028d4cac9e
            • Opcode Fuzzy Hash: e28a61e426da6494595720f108a13eb5d70657e0f62a71c8305fdfe45cea398d
            • Instruction Fuzzy Hash: 9D81E171508300EFDB54EB28CC91E6BB3EEAF84714F108A1CF5559B2E2DA75AD00C7A6
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 5f653b509693a2cb5d0fa496382eebd522f91e22c8092777ae7b750619e0765d
            • Instruction ID: ac794b07603972e4012d72f6f11cb21b155afdd3c2534215c848c3b3de8f6b8f
            • Opcode Fuzzy Hash: 5f653b509693a2cb5d0fa496382eebd522f91e22c8092777ae7b750619e0765d
            • Instruction Fuzzy Hash: 40715D7090050AEFCF049F58CC45EFEBBBAFF8A314F248159F915AA251C734AA51CB64
            APIs
            • IsWindow.USER32(01315E20), ref: 0071B6A5
            • IsWindowEnabled.USER32(01315E20), ref: 0071B6B1
            • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0071B795
            • SendMessageW.USER32(01315E20,000000B0,?,?), ref: 0071B7CC
            • IsDlgButtonChecked.USER32(?,?), ref: 0071B809
            • GetWindowLongW.USER32(01315E20,000000EC), ref: 0071B82B
            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0071B843
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
            • String ID:
            • API String ID: 4072528602-0
            • Opcode ID: 91db5240ff38b74b67b22eda0c9ac17ca08472528153cfe91d45360ba45b6ad0
            • Instruction ID: 3504cb5b2ee3b14527eea1f4f81368f40221b2b985462f896403f7d4af093bbc
            • Opcode Fuzzy Hash: 91db5240ff38b74b67b22eda0c9ac17ca08472528153cfe91d45360ba45b6ad0
            • Instruction Fuzzy Hash: D7718C34600304EFDB209F68C8D5FEA7BB9EF59300F1484AAE955972E1C739AD81CB54
            APIs
            • _memset.LIBCMT ref: 0070F75C
            • _memset.LIBCMT ref: 0070F825
            • ShellExecuteExW.SHELL32(?), ref: 0070F86A
              • Part of subcall function 00699997: __itow.LIBCMT ref: 006999C2
              • Part of subcall function 00699997: __swprintf.LIBCMT ref: 00699A0C
              • Part of subcall function 006AFEC6: _wcscpy.LIBCMT ref: 006AFEE9
            • GetProcessId.KERNEL32(00000000), ref: 0070F8E1
            • CloseHandle.KERNEL32(00000000), ref: 0070F910
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
            • String ID: @
            • API String ID: 3522835683-2766056989
            • Opcode ID: f97d0ae84bad85750bdacd3c70b190550d55668ccf591bd212cf33a7a0a1c0fc
            • Instruction ID: 9cb5af9e2cbd2181e770cd49c246974ab15c4615e53dff60534c2d3a7b49ee1f
            • Opcode Fuzzy Hash: f97d0ae84bad85750bdacd3c70b190550d55668ccf591bd212cf33a7a0a1c0fc
            • Instruction Fuzzy Hash: 7A61AF75A00619DFCF14EF58C4809AEBBFAFF48310B14856DE846AB791CB34AD41CB98
            APIs
            • GetParent.USER32(?), ref: 006F149C
            • GetKeyboardState.USER32(?), ref: 006F14B1
            • SetKeyboardState.USER32(?), ref: 006F1512
            • PostMessageW.USER32(?,00000101,00000010,?), ref: 006F1540
            • PostMessageW.USER32(?,00000101,00000011,?), ref: 006F155F
            • PostMessageW.USER32(?,00000101,00000012,?), ref: 006F15A5
            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 006F15C8
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            • Opcode ID: 70c4a29a2f075291bd33db9735724482b3a8b0e6b0eeef1d0e116180a5dafa2d
            • Instruction ID: 89fc63289efdde26ce056dfada3e92be6765fa857819410581e56f236ba50988
            • Opcode Fuzzy Hash: 70c4a29a2f075291bd33db9735724482b3a8b0e6b0eeef1d0e116180a5dafa2d
            • Instruction Fuzzy Hash: 5D5104A06043D9BEFB3246348C05BFA7EEB6B47344F08848DE2D58E9C2C298DC84D750
            APIs
            • GetParent.USER32(00000000), ref: 006F12B5
            • GetKeyboardState.USER32(?), ref: 006F12CA
            • SetKeyboardState.USER32(?), ref: 006F132B
            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 006F1357
            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 006F1374
            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 006F13B8
            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 006F13D9
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            • Opcode ID: 9b7023d97f5f1f56f40d211dc7954ddf2b953f56f03394eba0720a143997c112
            • Instruction ID: a356d94d058e409f5c41224bfe00b85976c432ace7070bb7c0d9ab5f98fd464f
            • Opcode Fuzzy Hash: 9b7023d97f5f1f56f40d211dc7954ddf2b953f56f03394eba0720a143997c112
            • Instruction Fuzzy Hash: D25104A15047D9BDFB3287248C45BFABFAB6F07380F088489E2D84E9C2D395AC94D754
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _wcsncpy$LocalTime
            • String ID:
            • API String ID: 2945705084-0
            • Opcode ID: 1f2b662333d539172f4b4d327fa8ec9c6fa797687c47ff913866181d50943ff2
            • Instruction ID: 6adb2b261d9b678becbddbfeadc389b704b1ebe96095d90278683fd9c639eaa7
            • Opcode Fuzzy Hash: 1f2b662333d539172f4b4d327fa8ec9c6fa797687c47ff913866181d50943ff2
            • Instruction Fuzzy Hash: 8D41D8A5C2012876CB51EBB4CC869DF73AAAF04310F50856AF619E3222FB34D755C7AD
            APIs
            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006EDAC5
            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 006EDAFB
            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 006EDB0C
            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 006EDB8E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ErrorMode$AddressCreateInstanceProc
            • String ID: ,,r$DllGetClassObject
            • API String ID: 753597075-4218317632
            • Opcode ID: d2d7d97046c93406e509bc50a2bd709294dd1e6d388d2c058c04ef7479e18d07
            • Instruction ID: 28e644f695e66440a38319526ae36674e1449976cfc1f15a9fbc8c919ed10753
            • Opcode Fuzzy Hash: d2d7d97046c93406e509bc50a2bd709294dd1e6d388d2c058c04ef7479e18d07
            • Instruction Fuzzy Hash: 1E41C3B1602348EFDB05CF16C884A9A7BBAEF44350F1181ADED059F245E7B0DD40CBA0
            APIs
              • Part of subcall function 006F48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,006F38D3,?), ref: 006F48C7
              • Part of subcall function 006F48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,006F38D3,?), ref: 006F48E0
            • lstrcmpiW.KERNEL32(?,?), ref: 006F38F3
            • _wcscmp.LIBCMT ref: 006F390F
            • MoveFileW.KERNEL32(?,?), ref: 006F3927
            • _wcscat.LIBCMT ref: 006F396F
            • SHFileOperationW.SHELL32(?), ref: 006F39DB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
            • String ID: \*.*
            • API String ID: 1377345388-1173974218
            • Opcode ID: dac6eee3d2512d94bab7d1f7f6f0ab440dc0d04cc18f6fc691c2f03eafb92372
            • Instruction ID: 63e562258fb067e4815ca59b7122c5cf6c704a93e41eb7ed7e055af3d30edd8a
            • Opcode Fuzzy Hash: dac6eee3d2512d94bab7d1f7f6f0ab440dc0d04cc18f6fc691c2f03eafb92372
            • Instruction Fuzzy Hash: F14193B150C3489EC791EF64C4419EFB7EDAF89340F00192EF599C3251EA74D689C756
            APIs
            • _memset.LIBCMT ref: 00717519
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 007175C0
            • IsMenu.USER32(?), ref: 007175D8
            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00717620
            • DrawMenuBar.USER32 ref: 00717633
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Menu$Item$DrawInfoInsert_memset
            • String ID: 0
            • API String ID: 3866635326-4108050209
            • Opcode ID: a136389ae80ce08ee70018eee1347b2ec397de48bd274aa7cc731cf66c076010
            • Instruction ID: 4d5f54d97c2f785ba934b89b032cf0be93b532df86619cb1051c6749c360c0d5
            • Opcode Fuzzy Hash: a136389ae80ce08ee70018eee1347b2ec397de48bd274aa7cc731cf66c076010
            • Instruction Fuzzy Hash: 99412775A04609EFDB24DF58D884EDABBF9FF18350F048129E95997290D738AD90CFA0
            APIs
            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0071125C
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00711286
            • FreeLibrary.KERNEL32(00000000), ref: 0071133D
              • Part of subcall function 0071122D: RegCloseKey.ADVAPI32(?), ref: 007112A3
              • Part of subcall function 0071122D: FreeLibrary.KERNEL32(?), ref: 007112F5
              • Part of subcall function 0071122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00711318
            • RegDeleteKeyW.ADVAPI32(?,?), ref: 007112E0
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: EnumFreeLibrary$CloseDeleteOpen
            • String ID:
            • API String ID: 395352322-0
            • Opcode ID: 94a30314a0c9ca7a0e2fd6c4ddd3ae1cc10e9f5ab11b38b293773106433e874b
            • Instruction ID: 79444ae885b37763cde2d9409ac8c9576218aebb464771fe91549e2fe46b2ebe
            • Opcode Fuzzy Hash: 94a30314a0c9ca7a0e2fd6c4ddd3ae1cc10e9f5ab11b38b293773106433e874b
            • Instruction Fuzzy Hash: 09314D71A01119FFDB14DB98DC89AFEB7BCEF08300F404169E611E6181EA789E859BA4
            APIs
            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0071655B
            • GetWindowLongW.USER32(01315E20,000000F0), ref: 0071658E
            • GetWindowLongW.USER32(01315E20,000000F0), ref: 007165C3
            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 007165F5
            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0071661F
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00716630
            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0071664A
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: LongWindow$MessageSend
            • String ID:
            • API String ID: 2178440468-0
            • Opcode ID: 033b0919577c2555b7bf27774bc965ecde2a1315329cd715574d6efabf21e61d
            • Instruction ID: e3e785c92807cce78868dfa980aed81addbe565167df63d1d8e74d33227bc22a
            • Opcode Fuzzy Hash: 033b0919577c2555b7bf27774bc965ecde2a1315329cd715574d6efabf21e61d
            • Instruction Fuzzy Hash: E631F230604250AFDB20CF1CDC85F953BE2FB4A751F1982A8F5118B2F6CB6AE890DB55
            APIs
              • Part of subcall function 007080A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007080CB
            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 007064D9
            • WSAGetLastError.WSOCK32(00000000), ref: 007064E8
            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00706521
            • connect.WSOCK32(00000000,?,00000010), ref: 0070652A
            • WSAGetLastError.WSOCK32 ref: 00706534
            • closesocket.WSOCK32(00000000), ref: 0070655D
            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00706576
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
            • String ID:
            • API String ID: 910771015-0
            • Opcode ID: 0b580cbc25450f3821a2b7678d6cc257b02371a7cd8b9e88514fc3c4c26cdece
            • Instruction ID: c03b59d139dff177c98d063b3e90185be6dfbd879ca8d521ce1012e990b28228
            • Opcode Fuzzy Hash: 0b580cbc25450f3821a2b7678d6cc257b02371a7cd8b9e88514fc3c4c26cdece
            • Instruction Fuzzy Hash: A1319031600218EFDB109F28CC95BBE7BEDEB44724F04812DF909972D1CB78A915CA65
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006EE0FA
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006EE120
            • SysAllocString.OLEAUT32(00000000), ref: 006EE123
            • SysAllocString.OLEAUT32 ref: 006EE144
            • SysFreeString.OLEAUT32 ref: 006EE14D
            • StringFromGUID2.OLE32(?,?,00000028), ref: 006EE167
            • SysAllocString.OLEAUT32(?), ref: 006EE175
            Similarity
            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
            • String ID:
            • API String ID: 3761583154-0
            APIs
            Strings
            Similarity
            • API ID: __wcsnicmp
            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
            • API String ID: 1038674560-2734436370
            APIs
              • Part of subcall function 00691D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00691D73
              • Part of subcall function 00691D35: GetStockObject.GDI32(00000011), ref: 00691D87
              • Part of subcall function 00691D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00691D91
            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 007178A1
            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 007178AE
            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 007178B9
            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 007178C8
            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 007178D4
            Strings
            Similarity
            • API ID: MessageSend$CreateObjectStockWindow
            • String ID: Msctls_Progress32
            • API String ID: 1025951953-3636473452
            APIs
            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,006B4292,?), ref: 006B41E3
            • GetProcAddress.KERNEL32(00000000), ref: 006B41EA
            • EncodePointer.KERNEL32(00000000), ref: 006B41F6
            • DecodePointer.KERNEL32(00000001,006B4292,?), ref: 006B4213
            Strings
            Similarity
            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
            • String ID: RoInitialize$combase.dll
            • API String ID: 3489934621-340411864
            APIs
            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,006B41B8), ref: 006B42B8
            • GetProcAddress.KERNEL32(00000000), ref: 006B42BF
            • EncodePointer.KERNEL32(00000000), ref: 006B42CA
            • DecodePointer.KERNEL32(006B41B8), ref: 006B42E5
            Strings
            Similarity
            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
            • String ID: RoUninitialize$combase.dll
            • API String ID: 3489934621-2819208100
            APIs
            Similarity
            • API ID: _memmove$__itow__swprintf
            • String ID:
            • API String ID: 3253778849-0
            APIs
              • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
              • Part of subcall function 007110A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00710038,?,?), ref: 007110BC
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00710548
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00710588
            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 007105AB
            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 007105D4
            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00710617
            • RegCloseKey.ADVAPI32(00000000), ref: 00710624
            Similarity
            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
            • String ID:
            • API String ID: 4046560759-0
            APIs
            • GetMenu.USER32(?), ref: 00715A82
            • GetMenuItemCount.USER32(00000000), ref: 00715AB9
            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00715AE1
            • GetMenuItemID.USER32(?,?), ref: 00715B50
            • GetSubMenu.USER32(?,?), ref: 00715B5E
            • PostMessageW.USER32(?,00000111,?,00000000), ref: 00715BAF
            Similarity
            • API ID: Menu$Item$CountMessagePostString
            • String ID:
            • API String ID: 650687236-0
            APIs
            • VariantInit.OLEAUT32(?), ref: 006EF3F7
            • VariantClear.OLEAUT32(00000013), ref: 006EF469
            • VariantClear.OLEAUT32(00000000), ref: 006EF4C4
            • _memmove.LIBCMT ref: 006EF4EE
            • VariantClear.OLEAUT32(?), ref: 006EF53B
            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 006EF569
            Similarity
            • API ID: Variant$Clear$ChangeInitType_memmove
            • String ID:
            • API String ID: 1101466143-0
            APIs
            • _memset.LIBCMT ref: 006F2747
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 006F2792
            • IsMenu.USER32(00000000), ref: 006F27B2
            • CreatePopupMenu.USER32 ref: 006F27E6
            • GetMenuItemCount.USER32(000000FF), ref: 006F2844
            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 006F2875
            Similarity
            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
            • String ID:
            • API String ID: 3311875123-0
            APIs
              • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
            • BeginPaint.USER32(?,?,?,?,?,?), ref: 0069179A
            • GetWindowRect.USER32(?,?), ref: 006917FE
            • ScreenToClient.USER32(?,?), ref: 0069181B
            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0069182C
            • EndPaint.USER32(?,?), ref: 00691876
            Similarity
            • API ID: PaintWindow$BeginClientLongRectScreenViewport
            • String ID:
            • API String ID: 1827037458-0
            APIs
            • ShowWindow.USER32(007567B0,00000000,01315E20,?,?,007567B0,?,0071B862,?,?), ref: 0071B9CC
            • EnableWindow.USER32(00000000,00000000), ref: 0071B9F0
            • ShowWindow.USER32(007567B0,00000000,01315E20,?,?,007567B0,?,0071B862,?,?), ref: 0071BA50
            • ShowWindow.USER32(00000000,00000004,?,0071B862,?,?), ref: 0071BA62
            • EnableWindow.USER32(00000000,00000001), ref: 0071BA86
            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0071BAA9
            Similarity
            • API ID: Window$Show$Enable$MessageSend
            • String ID:
            • API String ID: 642888154-0
            APIs
            • GetForegroundWindow.USER32(?,?,?,?,?,?,00705134,?,?,00000000,00000001), ref: 007073BF
              • Part of subcall function 00703C94: GetWindowRect.USER32(?,?), ref: 00703CA7
            • GetDesktopWindow.USER32 ref: 007073E9
            • GetWindowRect.USER32(00000000), ref: 007073F0
            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00707422
              • Part of subcall function 006F54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F555E
            • GetCursorPos.USER32(?), ref: 0070744E
            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007074AC
            Similarity
            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
            • String ID:
            • API String ID: 4137160315-0
            APIs
              • Part of subcall function 006E85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006E8608
              • Part of subcall function 006E85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006E8612
              • Part of subcall function 006E85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006E8621
              • Part of subcall function 006E85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006E8628
              • Part of subcall function 006E85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006E863E
            • GetLengthSid.ADVAPI32(?,00000000,006E8977), ref: 006E8DAC
            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 006E8DB8
            • HeapAlloc.KERNEL32(00000000), ref: 006E8DBF
            • CopySid.ADVAPI32(00000000,00000000,?), ref: 006E8DD8
            • GetProcessHeap.KERNEL32(00000000,00000000,006E8977), ref: 006E8DEC
            • HeapFree.KERNEL32(00000000), ref: 006E8DF3
            Similarity
            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
            • String ID:
            • API String ID: 3008561057-0
            APIs
            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 006E8B2A
            • OpenProcessToken.ADVAPI32(00000000), ref: 006E8B31
            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 006E8B40
            • CloseHandle.KERNEL32(00000004), ref: 006E8B4B
            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 006E8B7A
            • DestroyEnvironmentBlock.USERENV(00000000), ref: 006E8B8E
            Similarity
            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
            • String ID:
            • API String ID: 1413079979-0
            APIs
              • Part of subcall function 006912F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0069134D
              • Part of subcall function 006912F3: SelectObject.GDI32(?,00000000), ref: 0069135C
              • Part of subcall function 006912F3: BeginPath.GDI32(?), ref: 00691373
              • Part of subcall function 006912F3: SelectObject.GDI32(?,00000000), ref: 0069139C
            • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0071C1C4
            • LineTo.GDI32(00000000,00000003,?), ref: 0071C1D8
            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0071C1E6
            • LineTo.GDI32(00000000,00000000,?), ref: 0071C1F6
            • EndPath.GDI32(00000000), ref: 0071C206
            • StrokePath.GDI32(00000000), ref: 0071C216
            Similarity
            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
            • String ID:
            • API String ID: 43455801-0
            APIs
            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 006B03D3
            • MapVirtualKeyW.USER32(00000010,00000000), ref: 006B03DB
            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 006B03E6
            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 006B03F1
            • MapVirtualKeyW.USER32(00000011,00000000), ref: 006B03F9
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 006B0401
            Similarity
            • API ID: Virtual
            • String ID:
            • API String ID: 4278518827-0
            • Opcode ID: 3b0e8b14e3a1b2e06fbbc44636c631f29efde770f95560b55bf368e8f9a20cc0
            • Instruction ID: 75088a9c96e027d7591fd6da29afa6d99cfb27887eb8c3f74ddd1fa4b82ae84c
            • Opcode Fuzzy Hash: 3b0e8b14e3a1b2e06fbbc44636c631f29efde770f95560b55bf368e8f9a20cc0
            • Instruction Fuzzy Hash: 8E016CB0901B59BDE3008F5A8C85B52FFA8FF19354F00411BE15C47941C7F5A864CBE5
            APIs
            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 006F569B
            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 006F56B1
            • GetWindowThreadProcessId.USER32(?,?), ref: 006F56C0
            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006F56CF
            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006F56D9
            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 006F56E0
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
            • String ID:
            • API String ID: 839392675-0
            • Opcode ID: 037e4ba104e8ffc4c66e2c369eb63d7f31e621cc0db78b096531ce5c39741ddc
            • Instruction ID: 8f55f73bf8604ddbad40edfabf85e1592b853d857f4b5e35190589117406ad50
            • Opcode Fuzzy Hash: 037e4ba104e8ffc4c66e2c369eb63d7f31e621cc0db78b096531ce5c39741ddc
            • Instruction Fuzzy Hash: BDF09032241518BBE3215BA6DC0DEEF7F7CEFC6B11F008169FA04D10A0D7A41A0186B9
            APIs
            • InterlockedExchange.KERNEL32(?,?), ref: 006F74E5
            • EnterCriticalSection.KERNEL32(?,?,006A1044,?,?), ref: 006F74F6
            • TerminateThread.KERNEL32(00000000,000001F6,?,006A1044,?,?), ref: 006F7503
            • WaitForSingleObject.KERNEL32(00000000,000003E8,?,006A1044,?,?), ref: 006F7510
              • Part of subcall function 006F6ED7: CloseHandle.KERNEL32(00000000,?,006F751D,?,006A1044,?,?), ref: 006F6EE1
            • InterlockedExchange.KERNEL32(?,000001F6), ref: 006F7523
            • LeaveCriticalSection.KERNEL32(?,?,006A1044,?,?), ref: 006F752A
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
            • String ID:
            • API String ID: 3495660284-0
            • Opcode ID: 29d86d9ad2a8373712d796c51c7e79762ab70c4eda716d43fb41c9375e0659d4
            • Instruction ID: af707ba1d571fc2dfe6887c5f07ef81ff3b8b8fb816f657fade26db6c34cd099
            • Opcode Fuzzy Hash: 29d86d9ad2a8373712d796c51c7e79762ab70c4eda716d43fb41c9375e0659d4
            • Instruction Fuzzy Hash: BAF05E7A544612EBDB511B68FC8D9EF772BFF45312B008631F602910F0CBB95811CB54
            APIs
            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 006E8E7F
            • UnloadUserProfile.USERENV(?,?), ref: 006E8E8B
            • CloseHandle.KERNEL32(?), ref: 006E8E94
            • CloseHandle.KERNEL32(?), ref: 006E8E9C
            • GetProcessHeap.KERNEL32(00000000,?), ref: 006E8EA5
            • HeapFree.KERNEL32(00000000), ref: 006E8EAC
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
            • String ID:
            • API String ID: 146765662-0
            • Opcode ID: e8abda6adec859afff0b14cd45038d73d96607f42ac2a6042144b2a3a650fa60
            • Instruction ID: ce77af4089731de237d61aec11c390d9b3a285fa87f90ba35f5c7d2c199b7464
            • Opcode Fuzzy Hash: e8abda6adec859afff0b14cd45038d73d96607f42ac2a6042144b2a3a650fa60
            • Instruction Fuzzy Hash: D0E0C236104405FBDA011FE9EC0C98ABF79FB89322B50C230F229810B0CB3A9820EB58
            APIs
            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00722C7C,?), ref: 006E7C32
            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00722C7C,?), ref: 006E7C4A
            • CLSIDFromProgID.OLE32(?,?,00000000,0071FB80,000000FF,?,00000000,00000800,00000000,?,00722C7C,?), ref: 006E7C6F
            • _memcmp.LIBCMT ref: 006E7C90
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: FromProg$FreeTask_memcmp
            • String ID: ,,r
            • API String ID: 314563124-1227627816
            • Opcode ID: 91cc2c796559b6e2e447e3abc2ad316d97adc6a4881c1e6c0a4cf45dbc62997f
            • Instruction ID: d38b9159f36aaab0eeba3c22d077cc2eba5e8798ced7c4a4afb6fda4f75eb6d5
            • Opcode Fuzzy Hash: 91cc2c796559b6e2e447e3abc2ad316d97adc6a4881c1e6c0a4cf45dbc62997f
            • Instruction Fuzzy Hash: 92811D75A01209EFCB04DF94C984DEEB7BAFF89715F204198F505AB250DB71AE46CB60
            APIs
            • VariantInit.OLEAUT32(?), ref: 00708928
            • CharUpperBuffW.USER32(?,?), ref: 00708A37
            • VariantClear.OLEAUT32(?), ref: 00708BAF
              • Part of subcall function 006F7804: VariantInit.OLEAUT32(00000000), ref: 006F7844
              • Part of subcall function 006F7804: VariantCopy.OLEAUT32(00000000,?), ref: 006F784D
              • Part of subcall function 006F7804: VariantClear.OLEAUT32(00000000), ref: 006F7859
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Variant$ClearInit$BuffCharCopyUpper
            • String ID: AUTOIT.ERROR$Incorrect Parameter format
            • API String ID: 4237274167-1221869570
            • Opcode ID: 437995a2c8325629ea2a95a15053bdd03099e9b4820ac3535127b4d234276d1e
            • Instruction ID: da907b6e6dc482387d7c9ef4aaa1de9f53364cfa70a04369aa7673de680667d7
            • Opcode Fuzzy Hash: 437995a2c8325629ea2a95a15053bdd03099e9b4820ac3535127b4d234276d1e
            • Instruction Fuzzy Hash: AD917171604301DFCB50DF28C48495BBBE9EF89314F048A6EF8968B3A1DB35E945CB52
            APIs
              • Part of subcall function 006AFEC6: _wcscpy.LIBCMT ref: 006AFEE9
            • _memset.LIBCMT ref: 006F3077
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006F30A6
            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 006F3159
            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 006F3187
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ItemMenu$Info$Default_memset_wcscpy
            • String ID: 0
            • API String ID: 4152858687-4108050209
            • Opcode ID: 5a930e30911951505ba2b59e1ca99aa65a144811dbcb7b1cadcd0c579d060543
            • Instruction ID: 75031620c1f743c05a284916a70597f1bc874a6f154b334fa52cfe9cea2d3d6d
            • Opcode Fuzzy Hash: 5a930e30911951505ba2b59e1ca99aa65a144811dbcb7b1cadcd0c579d060543
            • Instruction Fuzzy Hash: 2F51F4716093289AD715EF28C8456FBB7EAEF45320F044A2EFA85D73A0DB70CE448756
            APIs
            • _memset.LIBCMT ref: 006F2CAF
            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 006F2CCB
            • DeleteMenu.USER32(?,00000007,00000000), ref: 006F2D11
            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00756890,00000000), ref: 006F2D5A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Menu$Delete$InfoItem_memset
            • String ID: 0
            • API String ID: 1173514356-4108050209
            • Opcode ID: f97c089507206cf2ca00c65db4d15e984f52ef5fcfea80d370e87526bc9c6d74
            • Instruction ID: 52ffc17f0171b81f5699a7bb0b33febf7e064374060197647ee23e6ca8d388f9
            • Opcode Fuzzy Hash: f97c089507206cf2ca00c65db4d15e984f52ef5fcfea80d370e87526bc9c6d74
            • Instruction Fuzzy Hash: EE418F302083069FD720DF28C855BAABBAAFF85320F14461DEA65972D1D770E904CFA6
            APIs
            • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0070DAD9
              • Part of subcall function 006979AB: _memmove.LIBCMT ref: 006979F9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: BuffCharLower_memmove
            • String ID: cdecl$none$stdcall$winapi
            • API String ID: 3425801089-567219261
            • Opcode ID: 12d890d4ebe2c0cfa2a8c64000b42bc585f7105bd99f21c1dc4458775b4f90c0
            • Instruction ID: cbe8c3176680e29866e9d68a9fed947b0b355ed6a0a976a85c99b7b2ae811c67
            • Opcode Fuzzy Hash: 12d890d4ebe2c0cfa2a8c64000b42bc585f7105bd99f21c1dc4458775b4f90c0
            • Instruction Fuzzy Hash: 9E3161B0500619EBCF10EF98C8819EEB7F9FF05310B108A6DE866A76D1DB75AD05CB84
            APIs
              • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
              • Part of subcall function 006EB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006EB0E7
            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 006E93F6
            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 006E9409
            • SendMessageW.USER32(?,00000189,?,00000000), ref: 006E9439
              • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$_memmove$ClassName
            • String ID: ComboBox$ListBox
            • API String ID: 365058703-1403004172
            • Opcode ID: b296514f4ed1d3599f28ede84682eda63c0898f8910655b53a35db9f3f009c14
            • Instruction ID: d1d75b59e796b36bab096371193534996236c69815a361f272a70466481705c6
            • Opcode Fuzzy Hash: b296514f4ed1d3599f28ede84682eda63c0898f8910655b53a35db9f3f009c14
            • Instruction Fuzzy Hash: 1B2104B1901204BEDB14AB75DC868FFB7BEDF05320B10811DF925972E1DB380E4A9624
            APIs
            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00701B40
            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00701B66
            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00701B96
            • InternetCloseHandle.WININET(00000000), ref: 00701BDD
              • Part of subcall function 00702777: GetLastError.KERNEL32(?,?,00701B0B,00000000,00000000,00000001), ref: 0070278C
              • Part of subcall function 00702777: SetEvent.KERNEL32(?,?,00701B0B,00000000,00000000,00000001), ref: 007027A1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
            • String ID:
            • API String ID: 3113390036-3916222277
            • Opcode ID: af31eb74430e69b3055fbf6028d289c942793123ae9b4af1bc2c5363b7b1e34a
            • Instruction ID: 590d9733a77702f98485787a579e9af261afdf48d3d951f82c925404567fdfa5
            • Opcode Fuzzy Hash: af31eb74430e69b3055fbf6028d289c942793123ae9b4af1bc2c5363b7b1e34a
            • Instruction Fuzzy Hash: F4219FB1600208FFEB119F649C89EBF77ECEB49754F50822AF505A62C0EB289D059775
            APIs
              • Part of subcall function 00691D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00691D73
              • Part of subcall function 00691D35: GetStockObject.GDI32(00000011), ref: 00691D87
              • Part of subcall function 00691D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00691D91
            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 007166D0
            • LoadLibraryW.KERNEL32(?), ref: 007166D7
            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 007166EC
            • DestroyWindow.USER32(?), ref: 007166F4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
            • String ID: SysAnimate32
            • API String ID: 4146253029-1011021900
            • Opcode ID: dcc945c247dcd5f6b439afe4b087b00bb9f96af6490c28b5f69e9e27ee9797f7
            • Instruction ID: 3262d58c552d4a0d01740c3a544da57fc20d92899596a0f6fcf11f1e68fe4c26
            • Opcode Fuzzy Hash: dcc945c247dcd5f6b439afe4b087b00bb9f96af6490c28b5f69e9e27ee9797f7
            • Instruction Fuzzy Hash: DE2188B1200206EBEF108E68EC91EEB37ADEB59768F108629F910921E0D779CC919764
            APIs
            • GetStdHandle.KERNEL32(0000000C), ref: 006F705E
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006F7091
            • GetStdHandle.KERNEL32(0000000C), ref: 006F70A3
            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 006F70DD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: CreateHandle$FilePipe
            • String ID: nul
            • API String ID: 4209266947-2873401336
            • Opcode ID: 19297f08e198323b95213c708fdfcc6d01eaa408cb99a7eabfcbb24b9c55d472
            • Instruction ID: 3bfe362d7ee094d6da09e6a7d9d168fe139ae56f7ae70cf745f976822b01475e
            • Opcode Fuzzy Hash: 19297f08e198323b95213c708fdfcc6d01eaa408cb99a7eabfcbb24b9c55d472
            • Instruction Fuzzy Hash: 3B2192B450420DABDB209F38DC05AEA77BABF44720F208619FEA0D73D0DB709951CB64
            APIs
            • GetStdHandle.KERNEL32(000000F6), ref: 006F712B
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006F715D
            • GetStdHandle.KERNEL32(000000F6), ref: 006F716E
            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 006F71A8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: CreateHandle$FilePipe
            • String ID: nul
            • API String ID: 4209266947-2873401336
            • Opcode ID: 66b35d9de33d45af8cc018555cc37fd5bc4216d8b423ec1e11a4dfd8ae199786
            • Instruction ID: 70378d8855bd41b98135f1167b7174e4eb7c7efc1ea4a2538fba576014e866bd
            • Opcode Fuzzy Hash: 66b35d9de33d45af8cc018555cc37fd5bc4216d8b423ec1e11a4dfd8ae199786
            • Instruction Fuzzy Hash: 3321907550820DABDB20DF689C05AFAB7AAAF55730F244619FEA0D33D0D7709845CB54
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 006FAEBF
            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 006FAF13
            • __swprintf.LIBCMT ref: 006FAF2C
            • SetErrorMode.KERNEL32(00000000,00000001,00000000,0071F910), ref: 006FAF6A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ErrorMode$InformationVolume__swprintf
            • String ID: %lu
            • API String ID: 3164766367-685833217
            • Opcode ID: 84a9ab760c912dab61d3f24aefb0f1d836a431b562ea5af22ff619fccb38547d
            • Instruction ID: 933a098d3c016d5c87c72af6e3060650c342ecd7f7d8ec824e730fbb058c1813
            • Opcode Fuzzy Hash: 84a9ab760c912dab61d3f24aefb0f1d836a431b562ea5af22ff619fccb38547d
            • Instruction Fuzzy Hash: A4216074A0020DAFCB50EF68C985DEE7BB9EF49704B00806DF909EB251DB35EA41DB25
            APIs
              • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
              • Part of subcall function 006EA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 006EA399
              • Part of subcall function 006EA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 006EA3AC
              • Part of subcall function 006EA37C: GetCurrentThreadId.KERNEL32 ref: 006EA3B3
              • Part of subcall function 006EA37C: AttachThreadInput.USER32(00000000), ref: 006EA3BA
            • GetFocus.USER32 ref: 006EA554
              • Part of subcall function 006EA3C5: GetParent.USER32(?), ref: 006EA3D3
            • GetClassNameW.USER32(?,?,00000100), ref: 006EA59D
            • EnumChildWindows.USER32(?,006EA615), ref: 006EA5C5
            • __swprintf.LIBCMT ref: 006EA5DF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
            • String ID: %s%d
            • API String ID: 1941087503-1110647743
            • Opcode ID: a8d9f72ac9e2a126eb7f5e6f8dd4dcaed590a00f6ed4c55251fba9e05dc05adc
            • Instruction ID: a703a30783cd18c802abd5eee23c7029ab33318c88a6181c9377acb13df555f5
            • Opcode Fuzzy Hash: a8d9f72ac9e2a126eb7f5e6f8dd4dcaed590a00f6ed4c55251fba9e05dc05adc
            • Instruction Fuzzy Hash: DA11E471201308BBCF10BFA5DC85FEA377E9F49300F008079F908AA192DA7469468B39
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 006F2048
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: BuffCharUpper
            • String ID: APPEND$EXISTS$KEYS$REMOVE
            • API String ID: 3964851224-769500911
            • Opcode ID: 27eb6d58f0088e7d52437cdc87e8a85aaf57f008c48eb6af53b43c8949fe5935
            • Instruction ID: a37df1646538a6bc524a9e8f5ac4fd63b6ed969d2255165a499dfa91a582b078
            • Opcode Fuzzy Hash: 27eb6d58f0088e7d52437cdc87e8a85aaf57f008c48eb6af53b43c8949fe5935
            • Instruction Fuzzy Hash: BC115B7195010E9FDF40EFA4D8518FEB7B6FF15304B1084A8E855A7396EB326916CF50
            APIs
            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0070EF1B
            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 0070EF4B
            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 0070F07E
            • CloseHandle.KERNEL32(?), ref: 0070F0FF
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Process$CloseCountersHandleInfoMemoryOpen
            • String ID:
            • API String ID: 2364364464-0
            • Opcode ID: e9ff47dfef55d83a86f59b41814119d78a34a63802b856cca618a22c8fa76dc6
            • Instruction ID: b2f340630357edbf10d398ccfcf21f5b4ca4422991e5b6fc941ae6757a398fc6
            • Opcode Fuzzy Hash: e9ff47dfef55d83a86f59b41814119d78a34a63802b856cca618a22c8fa76dc6
            • Instruction Fuzzy Hash: 8481A1716003009FDB60DF28C886B2EB7EAEF48720F04891DF599DB6D2DB74AC018B55
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
            • String ID:
            • API String ID: 1559183368-0
            • Opcode ID: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
            • Instruction ID: 6efa691e20454ddcb106d797d9ac2dd0a2739f4a0078c2ede07432064d039dea
            • Opcode Fuzzy Hash: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
            • Instruction Fuzzy Hash: 555185B0B00B05DBDB249F69C8847EE77A7AF41320F64863DF827962D1EB709D918B45
            APIs
              • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
              • Part of subcall function 007110A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00710038,?,?), ref: 007110BC
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00710388
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 007103C7
            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0071040E
            • RegCloseKey.ADVAPI32(?,?), ref: 0071043A
            • RegCloseKey.ADVAPI32(00000000), ref: 00710447
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
            • String ID:
            • API String ID: 3440857362-0
            • Opcode ID: 840e825b218a17cc804f458d02ab8ebbb0e83c17aae018159e0614a955b58632
            • Instruction ID: adb7db1828ea37a83c375b46e16fae39e57167db28776e4f4d0d6c38cbf264fd
            • Opcode Fuzzy Hash: 840e825b218a17cc804f458d02ab8ebbb0e83c17aae018159e0614a955b58632
            • Instruction Fuzzy Hash: F3515C31208244AFDB04EF58C881EAEB7E9FF88704F04892DF5958B2A1DB74E944CB56
            APIs
              • Part of subcall function 00699997: __itow.LIBCMT ref: 006999C2
              • Part of subcall function 00699997: __swprintf.LIBCMT ref: 00699A0C
            • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0070DC3B
            • GetProcAddress.KERNEL32(00000000,?), ref: 0070DCBE
            • GetProcAddress.KERNEL32(00000000,00000000), ref: 0070DCDA
            • GetProcAddress.KERNEL32(00000000,?), ref: 0070DD1B
            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0070DD35
              • Part of subcall function 00695B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,006F7B20,?,?,00000000), ref: 00695B8C
              • Part of subcall function 00695B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,006F7B20,?,?,00000000,?,?), ref: 00695BB0
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
            • String ID:
            • API String ID: 327935632-0
            • Opcode ID: 41931d981154da08c42345e0e0afbe5a83cacc738970cbd6cb8d3b7b4a844e6d
            • Instruction ID: a356d6cdf6a7cf2734d543764e01a71204696ae39d12fbe20f5d49c9042e662f
            • Opcode Fuzzy Hash: 41931d981154da08c42345e0e0afbe5a83cacc738970cbd6cb8d3b7b4a844e6d
            • Instruction Fuzzy Hash: 44514B35A00209DFDB11EFA8C4849AEB7F9FF18310B04C169E819AB361D775AD45CF54
            APIs
            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 006FE88A
            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 006FE8B3
            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 006FE8F2
              • Part of subcall function 00699997: __itow.LIBCMT ref: 006999C2
              • Part of subcall function 00699997: __swprintf.LIBCMT ref: 00699A0C
            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 006FE917
            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 006FE91F
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
            • String ID:
            • API String ID: 1389676194-0
            • Opcode ID: 827f49ad5bc2a9a9dfa7b89826113c923a5076054c89481d92294674e20aa02e
            • Instruction ID: 8ff9dfd6ca09fecff2e62761eb5dc1ddf56bd753e6f687d7bb6c9a8f462842d8
            • Opcode Fuzzy Hash: 827f49ad5bc2a9a9dfa7b89826113c923a5076054c89481d92294674e20aa02e
            • Instruction Fuzzy Hash: 62511E35A00209DFCF41EF68C9819ADBBFAFF08310B148099E949AB761CB35ED51DB64
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 91528128c6e69d2f5e72f58d7d6b717991b0fc9739031c8051ab791900d1973f
            • Instruction ID: dd31fec0ff1b0c7b0379cd3d5f4fd7bba33310408439e1af90a88152cbd87f80
            • Opcode Fuzzy Hash: 91528128c6e69d2f5e72f58d7d6b717991b0fc9739031c8051ab791900d1973f
            • Instruction Fuzzy Hash: F041F535902204BFC710DF6CCC48FE9BBA5EB09310F558165FC65A72E1D778AD81DA51
            APIs
            • GetCursorPos.USER32(?), ref: 00692357
            • ScreenToClient.USER32(007567B0,?), ref: 00692374
            • GetAsyncKeyState.USER32(00000001), ref: 00692399
            • GetAsyncKeyState.USER32(00000002), ref: 006923A7
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: AsyncState$ClientCursorScreen
            • String ID:
            • API String ID: 4210589936-0
            • Opcode ID: d88ecf350b4d5ae48ea0ff64860c1513191b2351b3f90d5d09c99f8eeb6a1876
            • Instruction ID: 44db483f05e1b127746aa1f8cf2f9b63b42a01e7817efb1342755e9519bd85ca
            • Opcode Fuzzy Hash: d88ecf350b4d5ae48ea0ff64860c1513191b2351b3f90d5d09c99f8eeb6a1876
            • Instruction Fuzzy Hash: 21415135504116FBDF159F68C844FF9BB76FB05360F10835AF82992290C7389E94DB91
            APIs
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006E695D
            • TranslateAcceleratorW.USER32(?,?,?), ref: 006E69A9
            • TranslateMessage.USER32(?), ref: 006E69D2
            • DispatchMessageW.USER32(?), ref: 006E69DC
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 006E69EB
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Message$PeekTranslate$AcceleratorDispatch
            • String ID:
            • API String ID: 2108273632-0
            • Opcode ID: 3b16942d1a3f777960d7ea8b0e70c6f6e8aa28e8558fa2dbdeea42a969660667
            • Instruction ID: 85a635cb367092d0cf2dc36130ee3660ffd1ee86f96a67be6ddbe23b6616546d
            • Opcode Fuzzy Hash: 3b16942d1a3f777960d7ea8b0e70c6f6e8aa28e8558fa2dbdeea42a969660667
            • Instruction Fuzzy Hash: A131F8719023879ADB60CF76CC44FF67BAEAB25381F108179F421D32A2D7B89846D794
            APIs
            • GetWindowRect.USER32(?,?), ref: 006E8F12
            • PostMessageW.USER32(?,00000201,00000001), ref: 006E8FBC
            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 006E8FC4
            • PostMessageW.USER32(?,00000202,00000000), ref: 006E8FD2
            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 006E8FDA
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessagePostSleep$RectWindow
            • String ID:
            • API String ID: 3382505437-0
            • Opcode ID: 962663268c1e7db7808b4dc0a13f48552e4bdf7cf189b346e53c4e1205bba5c5
            • Instruction ID: 0c69876085edf0f5070556bc1796d82aea2f6bbb452582aa5798839dc0ec9434
            • Opcode Fuzzy Hash: 962663268c1e7db7808b4dc0a13f48552e4bdf7cf189b346e53c4e1205bba5c5
            • Instruction Fuzzy Hash: 9931DC71501259EFDB00CFA9D94CADE7BB6FB04325F108269F928AB2D0C7B49910DB90
            APIs
            • IsWindowVisible.USER32(?), ref: 006EB6C7
            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 006EB6E4
            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 006EB71C
            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 006EB742
            • _wcsstr.LIBCMT ref: 006EB74C
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
            • String ID:
            • API String ID: 3902887630-0
            • Opcode ID: 8ab5b4a40cfd06737771e7db6ce73a5d1dfa1249491c3cab58c59b013f9ea009
            • Instruction ID: 8e7f1d6cc2f2c14c47870858ec435723f78984508c2f1b56708654a2fe1ee977
            • Opcode Fuzzy Hash: 8ab5b4a40cfd06737771e7db6ce73a5d1dfa1249491c3cab58c59b013f9ea009
            • Instruction Fuzzy Hash: 3A210771205344BAEB255B3A9C49EBB7BAEDF45710F10802DFC05CA2A1EF61CC819764
            APIs
              • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
            • GetWindowLongW.USER32(?,000000F0), ref: 0071B44C
            • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0071B471
            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0071B489
            • GetSystemMetrics.USER32(00000004), ref: 0071B4B2
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00701184,00000000), ref: 0071B4D0
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$Long$MetricsSystem
            • String ID:
            • API String ID: 2294984445-0
            • Opcode ID: abef9352e6ad258406aa93389daf13a6add0aa72971ff6dcf7ef9921dd94b9e4
            • Instruction ID: fa008bbd499316a073e10fd697b25588f58cbbfcac6566bc95f9ed33383fec9c
            • Opcode Fuzzy Hash: abef9352e6ad258406aa93389daf13a6add0aa72971ff6dcf7ef9921dd94b9e4
            • Instruction Fuzzy Hash: 4A218071610295AFCB108F3CDC04AEA3BA4EB05721B10C738FD26C31E1E7389890DB80
            APIs
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 006E9802
              • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006E9834
            • __itow.LIBCMT ref: 006E984C
            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 006E9874
            • __itow.LIBCMT ref: 006E9885
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$__itow$_memmove
            • String ID:
            • API String ID: 2983881199-0
            • Opcode ID: 6324ad79cdfd9a6049da3840d769ccfc12a67c2ed4531a345b0e78f72831c8c0
            • Instruction ID: e5c0cad23f7d850e56a9506b09e5b322a85669d7bbfac0e859c4d1970c06986e
            • Opcode Fuzzy Hash: 6324ad79cdfd9a6049da3840d769ccfc12a67c2ed4531a345b0e78f72831c8c0
            • Instruction Fuzzy Hash: 6721F875701344ABDF109A668C86EEF7BBEDF49710F044039F904DB3A1EA708D4587A5
            APIs
            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0069134D
            • SelectObject.GDI32(?,00000000), ref: 0069135C
            • BeginPath.GDI32(?), ref: 00691373
            • SelectObject.GDI32(?,00000000), ref: 0069139C
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ObjectSelect$BeginCreatePath
            • String ID:
            • API String ID: 3225163088-0
            • Opcode ID: dd4f1bf82aac42c4637159b4eab8b521de1be6ffe6382908246b01da33cadf2f
            • Instruction ID: 71604a398fa39ce845c301848059544a8e71182169ccb9de9cd718eb2f991d01
            • Opcode Fuzzy Hash: dd4f1bf82aac42c4637159b4eab8b521de1be6ffe6382908246b01da33cadf2f
            • Instruction Fuzzy Hash: 98215370800309EBDF108F15DC047E97BB9EB11322F64C216F411976A0D3B5A991DB54
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            • Opcode ID: aa6d4d130a9d16da4102a13f643f77d9d8ca47e80a2659a08792df57ce1306a9
            • Instruction ID: ca3869fae398a7896f221d8f320c065b823044c5bf1da021ab5baf00e970933c
            • Opcode Fuzzy Hash: aa6d4d130a9d16da4102a13f643f77d9d8ca47e80a2659a08792df57ce1306a9
            • Instruction Fuzzy Hash: 0F01F5F26063557BE604A6229C52FEB735E9B223B4F444024FD049A383FA50DE5383E5
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 006F4D5C
            • __beginthreadex.LIBCMT ref: 006F4D7A
            • MessageBoxW.USER32(?,?,?,?), ref: 006F4D8F
            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 006F4DA5
            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 006F4DAC
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
            • String ID:
            • API String ID: 3824534824-0
            • Opcode ID: d24e8e9b0355a728c26ff3a85b919c2aefd45c7430e4f711fec0640ed962901f
            • Instruction ID: e0dfb6cf359431ff7490c3e638db9454f01a6a264d943ad1f17427e3efd12043
            • Opcode Fuzzy Hash: d24e8e9b0355a728c26ff3a85b919c2aefd45c7430e4f711fec0640ed962901f
            • Instruction Fuzzy Hash: 0D110C72904208BBC7019BAC9C04AEB7FADEB45321F14C365FA14D33A1D6B98D4087A0
            APIs
            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 006E8766
            • GetLastError.KERNEL32(?,006E822A,?,?,?), ref: 006E8770
            • GetProcessHeap.KERNEL32(00000008,?,?,006E822A,?,?,?), ref: 006E877F
            • HeapAlloc.KERNEL32(00000000,?,006E822A,?,?,?), ref: 006E8786
            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 006E879D
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
            • String ID:
            • API String ID: 842720411-0
            • Opcode ID: ffc1156bfff9dc7c50cef5bf29c2443a732ef869cb58f93ecbe80ec8d1d44d18
            • Instruction ID: 7ac0c791ef2fe31fd83e2696d604f575242767420efc19ee442cb580d7888b43
            • Opcode Fuzzy Hash: ffc1156bfff9dc7c50cef5bf29c2443a732ef869cb58f93ecbe80ec8d1d44d18
            • Instruction Fuzzy Hash: C3014B71241248FFDB204FAADC88DAB7BADEF893557208569F849C32A0DA31CD00DA60
            APIs
            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F5502
            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 006F5510
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F5518
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 006F5522
            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F555E
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: PerformanceQuery$CounterSleep$Frequency
            • String ID:
            • API String ID: 2833360925-0
            • Opcode ID: 011323184ce37132390d8dc17d6a749918cab4061466d46d5c8a193d89fc81cd
            • Instruction ID: 548c3e4b585b67e1737fbf45c6fbf72c7d28c2fdd294be242fcc05b810a2380e
            • Opcode Fuzzy Hash: 011323184ce37132390d8dc17d6a749918cab4061466d46d5c8a193d89fc81cd
            • Instruction Fuzzy Hash: 6E012D35D00A2DEBCF00DFE9E849AEDBB7AFB09711F008156EA02F2240DB345A54D7A5
            APIs
            • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E758C,80070057,?,?,?,006E799D), ref: 006E766F
            • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E758C,80070057,?,?), ref: 006E768A
            • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E758C,80070057,?,?), ref: 006E7698
            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E758C,80070057,?), ref: 006E76A8
            • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,006E758C,80070057,?,?), ref: 006E76B4
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
             • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
             • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: From$Prog$FreeStringTasklstrcmpi
            • String ID:
            • API String ID: 3897988419-0
            • Opcode ID: 30181561ffd2dafda6b988f9c4595291de12f0ba29a4519f34e7f6e157125a96
            • Instruction ID: e9bf81b76789c92ff308a8f1d0d7ccaac4ec26060b9c6e812a1e2c88bf29f696
            • Opcode Fuzzy Hash: 30181561ffd2dafda6b988f9c4595291de12f0ba29a4519f34e7f6e157125a96
            • Instruction Fuzzy Hash: 6B01D472602704BBDB108F5DDC04BEA7BAEEB44755F108028FD04D3211E735DE0197A0
            APIs
            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 006E8608
            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 006E8612
            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 006E8621
            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 006E8628
            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 006E863E
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: bd924b43b6f613030febf65d9b0ef95057dacbb3f5ccb41adab79c8e77a63a03
            • Instruction ID: 68fb359894ef12957b7399be910590aac504a8630a0feeefc8a97f1ddd1688de
            • Opcode Fuzzy Hash: bd924b43b6f613030febf65d9b0ef95057dacbb3f5ccb41adab79c8e77a63a03
            • Instruction Fuzzy Hash: 04F0AF70201304BFEB100FA9DC99EEB3BADFF89754B008125F909C3290CB649C42DA60
            APIs
            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006E8669
            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006E8673
            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006E8682
            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006E8689
            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006E869F
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: 1815d7d2d36fa9f89cb3d04e3d26aa7868fca0f39210839ba56e7f91eb6a52f6
            • Instruction ID: 9c9a512a0953904937cb52ecec26122a3de574340129babf5ee8d1ec4ef4f4b6
            • Opcode Fuzzy Hash: 1815d7d2d36fa9f89cb3d04e3d26aa7868fca0f39210839ba56e7f91eb6a52f6
            • Instruction Fuzzy Hash: BBF0C270201354BFEB111FA9EC88EE73BADEF89754B108025F909C3290CB74DD00DA60
            APIs
            • GetDlgItem.USER32(?,000003E9), ref: 006EC6BA
            • GetWindowTextW.USER32(00000000,?,00000100), ref: 006EC6D1
            • MessageBeep.USER32(00000000), ref: 006EC6E9
            • KillTimer.USER32(?,0000040A), ref: 006EC705
            • EndDialog.USER32(?,00000001), ref: 006EC71F
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: BeepDialogItemKillMessageTextTimerWindow
            • String ID:
            • API String ID: 3741023627-0
            • Opcode ID: af6557342acacc556a69dcd31cde5e6c27ce985134dca7a79dfefe554b30beca
            • Instruction ID: cc3175a6316429c27ebc0059fe4bd9ec8a8dbb6216351b53ecebf98ebd3b522a
            • Opcode Fuzzy Hash: af6557342acacc556a69dcd31cde5e6c27ce985134dca7a79dfefe554b30beca
            • Instruction Fuzzy Hash: 7801A230500744ABEB205F25DC4EFD677B9FF00711F008669F542A14E0EBE4A9568F84
            APIs
            • EndPath.GDI32(?), ref: 006913BF
            • StrokeAndFillPath.GDI32(?,?,006CBAD8,00000000,?), ref: 006913DB
            • SelectObject.GDI32(?,00000000), ref: 006913EE
            • DeleteObject.GDI32 ref: 00691401
            • StrokePath.GDI32(?), ref: 0069141C
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Path$ObjectStroke$DeleteFillSelect
            • String ID:
            • API String ID: 2625713937-0
            • Opcode ID: ee2cd31cdcff9e78d3181f8d27841b246bce7f687e1844af7d5f87180831ce1a
            • Instruction ID: 0f8b68922be78dfe4b06cbdf421ed06c37d85c5b6f53f11dad4bfeddc386fdd6
            • Opcode Fuzzy Hash: ee2cd31cdcff9e78d3181f8d27841b246bce7f687e1844af7d5f87180831ce1a
            • Instruction Fuzzy Hash: FEF01930000749EBDF115F2AEC0C7E83BA9A725326F54C224E42A4A5F1C77999A5DF18
            APIs
              • Part of subcall function 006B0FF6: std::exception::exception.LIBCMT ref: 006B102C
              • Part of subcall function 006B0FF6: __CxxThrowException@8.LIBCMT ref: 006B1041
              • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
              • Part of subcall function 00697BB1: _memmove.LIBCMT ref: 00697C0B
            • __swprintf.LIBCMT ref: 006A302D
            Strings
            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 006A2EC6
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
            • API String ID: 1943609520-557222456
            • Opcode ID: 7970d386f48c9bc751dc740a0b05f5c33f4c9b4f9b950e25b66d12a99e69270e
            • Instruction ID: cff9607a13bf2f2d0fbc0a84fa200dcb4e6e1b120e8b04b4674f05885cd74378
            • Opcode Fuzzy Hash: 7970d386f48c9bc751dc740a0b05f5c33f4c9b4f9b950e25b66d12a99e69270e
            • Instruction Fuzzy Hash: BD919E715087119FCB18FF28D885CAEB7AAEF95700F00091EF4429B3A1DA20EE45CB66
            APIs
            • OleSetContainedObject.OLE32(?,00000001), ref: 006EB981
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ContainedObject
            • String ID: AutoIt3GUI$Container$%r
            • API String ID: 3565006973-1282070598
            • Opcode ID: bfb478a3aabb0f0aa5481469ebd6eb46331d4bdd9df22a01cc3b46095ce7229c
            • Instruction ID: f43eeb77957064f35a17aacf865e32107262fe77e2500cd7cd80a91519044b40
            • Opcode Fuzzy Hash: bfb478a3aabb0f0aa5481469ebd6eb46331d4bdd9df22a01cc3b46095ce7229c
            • Instruction Fuzzy Hash: 4E914A706013019FDB64CF69C884AABBBEAFF49710F24956DE949CB7A1DB70E841CB50
            APIs
            • __startOneArgErrorHandling.LIBCMT ref: 006B52DD
              • Part of subcall function 006C0340: __87except.LIBCMT ref: 006C037B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ErrorHandling__87except__start
            • String ID: pow
            • API String ID: 2905807303-2276729525
            • Opcode ID: 68aa13a1957d75ef6a38b8e61df8b25f3387c3240aaf202bbd4f370a2da3ef97
            • Instruction ID: 509a759e69d6b0228ee80b7e85e8e20a5759bc4a509c85fb56bab92da07fbdab
            • Opcode Fuzzy Hash: 68aa13a1957d75ef6a38b8e61df8b25f3387c3240aaf202bbd4f370a2da3ef97
            • Instruction Fuzzy Hash: 8E5179A0A09602C6EB197724CA41BFA2BD6DB00350F20C95CE096823E5EB788DC5DB5A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID: #$+
            • API String ID: 0-2552117581
            • Opcode ID: 607750abb68df1a788e0d9303e23dc0ed4482dd9d08a57925ec4bdd24dbb9f9e
            • Instruction ID: f1a7451abe256e834e2b737c3ac7204426c6ee208c0a5bd0108876b40759f0f6
            • Opcode Fuzzy Hash: 607750abb68df1a788e0d9303e23dc0ed4482dd9d08a57925ec4bdd24dbb9f9e
            • Instruction Fuzzy Hash: 94513375106386DFEF259F29C8886FE7BAAEF19310F144055E8929B3A0C7349D82CB64
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memmove$_free
            • String ID: Oaj
            • API String ID: 2620147621-1426506063
            • Opcode ID: 538634a15f13a6ec0a9f6d382c48a923107c8c60e0e7fe174f7fca781f746de0
            • Instruction ID: e10434978a8dd49770c6382b4cc296f7c6c2a238a247c06214050063e277885a
            • Opcode Fuzzy Hash: 538634a15f13a6ec0a9f6d382c48a923107c8c60e0e7fe174f7fca781f746de0
            • Instruction Fuzzy Hash: FD514AB1A083519FDB24DF28C451B6ABBE6AF86304F04492DF98987351EB31EE41CF52
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memset$_memmove
            • String ID: ERCP
            • API String ID: 2532777613-1384759551
            • Opcode ID: af3a0d62436b034a1c56f0ba9770b9208ae1b1e70ffaafe09879a539b53d780c
            • Instruction ID: cad46537864313b9d0b7057fd7d48f5ec010587d9cc8ac090cfc93a35dc2f3d6
            • Opcode Fuzzy Hash: af3a0d62436b034a1c56f0ba9770b9208ae1b1e70ffaafe09879a539b53d780c
            • Instruction Fuzzy Hash: 2D51AFB1900309DBDB24DF65C8817EABBF6EF09714F24856EE54ACA240E7709A85CF40
            APIs
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0071F910,00000000,?,?,?,?), ref: 00717C4E
            • GetWindowLongW.USER32 ref: 00717C6B
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00717C7B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$Long
            • String ID: SysTreeView32
            • API String ID: 847901565-1698111956
            • Opcode ID: b19108fb86cb8cdde690a5394ee18230fe1bfebc8e22687849e4791854b3deb8
            • Instruction ID: 44086ea8e1ca049a2f0006c9a21382b89611e97e11f58eb499e2c0ae58f567a0
            • Opcode Fuzzy Hash: b19108fb86cb8cdde690a5394ee18230fe1bfebc8e22687849e4791854b3deb8
            • Instruction Fuzzy Hash: D131A071244206AADB158F38CC41BEA77A9EB49324F208725F875931E0D739E891DBA0
            APIs
            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 007176D0
            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 007176E4
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00717708
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$Window
            • String ID: SysMonthCal32
            • API String ID: 2326795674-1439706946
            • Opcode ID: 62467167983b275f28cb7e8ca4415a3b5f3f35ed51e13e6a04cb5b0a357c4f8b
            • Instruction ID: 26087a065c31ad13c36323511ae0d004402d262ed31b302134f87691a4781e57
            • Opcode Fuzzy Hash: 62467167983b275f28cb7e8ca4415a3b5f3f35ed51e13e6a04cb5b0a357c4f8b
            • Instruction Fuzzy Hash: 97219F32600219ABDF15CE68CC46FEA3B79EF58714F110214FE156B1D0DAB9AC91CBA0
            APIs
            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00716FAA
            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00716FBA
            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00716FDF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$MoveWindow
            • String ID: Listbox
            • API String ID: 3315199576-2633736733
            • Opcode ID: ff3073289efa51db1f863aa6f129377ea171fc643fa69de1c191d9824fc4c36b
            • Instruction ID: dd48103239754ae48e55f5aca3731d88a1f979a8260f0decc3d480f1940268e9
            • Opcode Fuzzy Hash: ff3073289efa51db1f863aa6f129377ea171fc643fa69de1c191d9824fc4c36b
            • Instruction Fuzzy Hash: C3216232611118BFDF118F58DC85EEB37AEEF89754F118124F9149B1D0C675AC92CBA0
            APIs
            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 007179E1
            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 007179F6
            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00717A03
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: msctls_trackbar32
            • API String ID: 3850602802-1010561917
            • Opcode ID: a7cc017f684979a60b679a68fa26f526512348155f2aa320fbfc77a9a9364451
            • Instruction ID: ceafb640a87c064a69c78077b315df715cbfa01288f07ca13bf801a605794e3e
            • Opcode Fuzzy Hash: a7cc017f684979a60b679a68fa26f526512348155f2aa320fbfc77a9a9364451
            • Instruction Fuzzy Hash: 5611E372244208BAEF149F78CC05FEB37A9EF89B64F114519FA41A60D0D275E891CB60
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00694C2E), ref: 00694CA3
            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00694CB5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetNativeSystemInfo$kernel32.dll
            • API String ID: 2574300362-192647395
            • Opcode ID: 377fb98622cf5724a56b02258d63338a8cbd8fe497a2d8944db8e174dd10d7a4
            • Instruction ID: f4815bf2157f65d08ab3a3577e6f780f9e9f6c925cb5d41e5b1edbcae27f0c86
            • Opcode Fuzzy Hash: 377fb98622cf5724a56b02258d63338a8cbd8fe497a2d8944db8e174dd10d7a4
            • Instruction Fuzzy Hash: 84D0C2B0500727DFCB204F38D908A8272EAAF00740B10C839D885C2690DA78C4C0C610
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00694D2E,?,00694F4F,?,007562F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00694D6F
            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00694D81
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
            • API String ID: 2574300362-3689287502
            • Opcode ID: c19dcc6f56c938cce691912c92c6fcf0c90dd2b07cfabca79a62165c95477e54
            • Instruction ID: b4a102f30e957ff50e834f52e05a22293755e063f5b9b948a77bf0d91bbcecd9
            • Opcode Fuzzy Hash: c19dcc6f56c938cce691912c92c6fcf0c90dd2b07cfabca79a62165c95477e54
            • Instruction Fuzzy Hash: F9D0C270500713DFDB204F34D80868272D9BF00352B10C939D486C2790DB78C480CA10
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00694CE1,?), ref: 00694DA2
            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00694DB4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
            • API String ID: 2574300362-1355242751
            • Opcode ID: 5135ff84acd3144672275205648e0f3fd6f0494d19836fd8eb1b55520d195bb0
            • Instruction ID: 2c9b7568721b059ed21f28c4a3f4d0ac7a296c6b9d773e6e6bf9b8d3ddd32e96
            • Opcode Fuzzy Hash: 5135ff84acd3144672275205648e0f3fd6f0494d19836fd8eb1b55520d195bb0
            • Instruction Fuzzy Hash: DBD0C270510713DFDB204F34D808AC672D9AF04340B00C839D8C5C2690DB78C880C610
            APIs
            • LoadLibraryA.KERNEL32(advapi32.dll,?,007112C1), ref: 00711080
            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00711092
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: RegDeleteKeyExW$advapi32.dll
            • API String ID: 2574300362-4033151799
            • Opcode ID: a67512930105175822046792f4ca56c9203074f93004c7ad423a763b656acc29
            • Instruction ID: 4709f43c1796085d186d48ee5ad9b0261164fd2db3af690e5883061880f4792f
            • Opcode Fuzzy Hash: a67512930105175822046792f4ca56c9203074f93004c7ad423a763b656acc29
            • Instruction Fuzzy Hash: E3D01770910B16DFD7209F39D818A9A76E4BF09761B51CC3AE48ADA190E7B8C8C0CA50
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00709009,?,0071F910), ref: 00709403
            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00709415
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetModuleHandleExW$kernel32.dll
            • API String ID: 2574300362-199464113
            Similarity
            • API ID: LocalTime__swprintf
            • String ID: %.3d$WIN_XPe
            • API String ID: 2070861257-2409531811
            APIs
            • CharLowerBuffW.USER32(?,?), ref: 0070E3D2
            • CharLowerBuffW.USER32(?,?), ref: 0070E415
              • Part of subcall function 0070DAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 0070DAD9
            • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 0070E615
            • _memmove.LIBCMT ref: 0070E628
            Similarity
            • API ID: BuffCharLower$AllocVirtual_memmove
            • String ID:
            • API String ID: 3659485706-0
            APIs
            • CoInitialize.OLE32(00000000), ref: 007083D8
            • CoUninitialize.OLE32 ref: 007083E3
              • Part of subcall function 006EDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 006EDAC5
            • VariantInit.OLEAUT32(?), ref: 007083EE
            • VariantClear.OLEAUT32(?), ref: 007086BF
            Similarity
            • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
            • String ID:
            • API String ID: 780911581-0
            Similarity
            • API ID: Variant$AllocClearCopyInitString
            • String ID:
            • API String ID: 2808897238-0
            APIs
            • GetWindowRect.USER32(0131F090,?), ref: 00719AD2
            • ScreenToClient.USER32(00000002,00000002), ref: 00719B05
            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00719B72
            Similarity
            • API ID: Window$ClientMoveRectScreen
            • String ID:
            • API String ID: 3880355969-0
            APIs
            • socket.WSOCK32(00000002,00000002,00000011), ref: 00706CE4
            • WSAGetLastError.WSOCK32(00000000), ref: 00706CF4
              • Part of subcall function 00699997: __itow.LIBCMT ref: 006999C2
              • Part of subcall function 00699997: __swprintf.LIBCMT ref: 00699A0C
            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00706D58
            • WSAGetLastError.WSOCK32(00000000), ref: 00706D64
            Similarity
            • API ID: ErrorLast$__itow__swprintfsocket
            • String ID:
            • API String ID: 2214342067-0
            APIs
            • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0071F910), ref: 007067BA
            • _strlen.LIBCMT ref: 007067EC
            Similarity
            • API ID: _strlen
            • String ID:
            • API String ID: 4218353326-0
            APIs
            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 006FBB09
            • GetLastError.KERNEL32(?,00000000), ref: 006FBB2F
            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 006FBB54
            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 006FBB80
            Similarity
            • API ID: CreateHardLink$DeleteErrorFileLast
            • String ID:
            • API String ID: 3321077145-0
            APIs
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00718B4D
            Similarity
            • API ID: InvalidateRect
            • String ID:
            • API String ID: 634782764-0
            APIs
            • ClientToScreen.USER32(?,?), ref: 0071AE1A
            • GetWindowRect.USER32(?,?), ref: 0071AE90
            • PtInRect.USER32(?,?,0071C304), ref: 0071AEA0
            • MessageBeep.USER32(00000000), ref: 0071AF11
            Similarity
            • API ID: Rect$BeepClientMessageScreenWindow
            • String ID:
            • API String ID: 1352109105-0
            APIs
            • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 006F1037
            • SetKeyboardState.USER32(00000080,?,00000001), ref: 006F1053
            • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 006F10B9
            • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 006F110B
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            APIs
            • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 006F1176
            • SetKeyboardState.USER32(00000080,?,00008000), ref: 006F1192
            • PostMessageW.USER32(00000000,00000101,00000000), ref: 006F11F1
            • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 006F1243
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            APIs
            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 006C644B
            • __isleadbyte_l.LIBCMT ref: 006C6479
            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006C64A7
            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 006C64DD
            Similarity
            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
            • String ID:
            • API String ID: 3058430110-0
            APIs
            • GetForegroundWindow.USER32 ref: 00715189
              • Part of subcall function 006F387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 006F3897
              • Part of subcall function 006F387D: GetCurrentThreadId.KERNEL32 ref: 006F389E
              • Part of subcall function 006F387D: AttachThreadInput.USER32(00000000,?,006F52A7), ref: 006F38A5
            • GetCaretPos.USER32(?), ref: 0071519A
            • ClientToScreen.USER32(00000000,?), ref: 007151D5
            • GetForegroundWindow.USER32 ref: 007151DB
            Similarity
            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
            • String ID:
            • API String ID: 2759813231-0
            APIs
              • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
            • GetCursorPos.USER32(?), ref: 0071C7C2
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,006CBBFB,?,?,?,?,?), ref: 0071C7D7
            • GetCursorPos.USER32(?), ref: 0071C824
            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,006CBBFB,?,?,?), ref: 0071C85E
            Similarity
            • API ID: Cursor$LongMenuPopupProcTrackWindow
            • String ID:
            • API String ID: 2864067406-0
            APIs
            • __setmode.LIBCMT ref: 006B0BF2
              • Part of subcall function 00695B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,006F7B20,?,?,00000000), ref: 00695B8C
              • Part of subcall function 00695B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,006F7B20,?,?,00000000,?,?), ref: 00695BB0
            • _fprintf.LIBCMT ref: 006B0C29
            • OutputDebugStringW.KERNEL32(?), ref: 006E6331
              • Part of subcall function 006B4CDA: _flsall.LIBCMT ref: 006B4CF3
            • __setmode.LIBCMT ref: 006B0C5E
            Similarity
            • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
            • String ID:
            • API String ID: 521402451-0
            APIs
              • Part of subcall function 006E8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 006E8669
              • Part of subcall function 006E8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 006E8673
              • Part of subcall function 006E8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006E8682
              • Part of subcall function 006E8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 006E8689
              • Part of subcall function 006E8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 006E869F
            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006E8BEB
            • _memcmp.LIBCMT ref: 006E8C0E
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 006E8C44
            • HeapFree.KERNEL32(00000000), ref: 006E8C4B
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
            • String ID:
            • API String ID: 1592001646-0
            • Opcode ID: 351937fd024da08ed23b9e65b09372a8094b5a3bfa3894fb824248cee01f60ab
            • Instruction ID: c914a3f8a8727a7bca748394f79de14fe878d12ee53e31d9f8b89e135c24476e
            • Opcode Fuzzy Hash: 351937fd024da08ed23b9e65b09372a8094b5a3bfa3894fb824248cee01f60ab
            • Instruction Fuzzy Hash: 9E21B071E02208EFCB00CFA5C948BEEB7B9EF45744F148099E458A7240EB30AE06CB60
            APIs
            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00701A97
              • Part of subcall function 00701B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00701B40
              • Part of subcall function 00701B21: InternetCloseHandle.WININET(00000000), ref: 00701BDD
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Internet$CloseConnectHandleOpen
            • String ID:
            • API String ID: 1463438336-0
            • Opcode ID: 819036aadfec4f457c65f96ffa6ae940980c67ab96323092917d361d7cd33015
            • Instruction ID: 9922b2aee79aa5bfa97ad0e399d73d6419d449b776046a8238cbfbcf1e24cd26
            • Opcode Fuzzy Hash: 819036aadfec4f457c65f96ffa6ae940980c67ab96323092917d361d7cd33015
            • Instruction Fuzzy Hash: FD21CF72200600FFDB169F648C05FBAB7EDFF44700F90821AFA05966D1EB3998119BA4
            APIs
              • Part of subcall function 006EF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,006EE1C4,?,?,?,006EEFB7,00000000,000000EF,00000119,?,?), ref: 006EF5BC
              • Part of subcall function 006EF5AD: lstrcpyW.KERNEL32(00000000,?,?,006EE1C4,?,?,?,006EEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 006EF5E2
              • Part of subcall function 006EF5AD: lstrcmpiW.KERNEL32(00000000,?,006EE1C4,?,?,?,006EEFB7,00000000,000000EF,00000119,?,?), ref: 006EF613
            • lstrlenW.KERNEL32(?,00000002,?,?,?,?,006EEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 006EE1DD
            • lstrcpyW.KERNEL32(00000000,?,?,006EEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 006EE203
            • lstrcmpiW.KERNEL32(00000002,cdecl,?,006EEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 006EE237
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: lstrcmpilstrcpylstrlen
            • String ID: cdecl
            • API String ID: 4031866154-3896280584
            • Opcode ID: 35da5793b3c76dbc8724be86178848aec119f5633fd6241183905fe7d882ab16
            • Instruction ID: 246e074d0645c02c40dc1fbe55e8fda5280405381c04c6d863ebbaca8cc42cc2
            • Opcode Fuzzy Hash: 35da5793b3c76dbc8724be86178848aec119f5633fd6241183905fe7d882ab16
            • Instruction Fuzzy Hash: 6111D336201385EFCB25AF65DC45DBA77BAFF45310B40802AF906CB290EB729951D7A4
            APIs
            • _free.LIBCMT ref: 006C5351
              • Part of subcall function 006B594C: __FF_MSGBANNER.LIBCMT ref: 006B5963
              • Part of subcall function 006B594C: __NMSG_WRITE.LIBCMT ref: 006B596A
              • Part of subcall function 006B594C: RtlAllocateHeap.NTDLL(01300000,00000000,00000001,00000000,?,?,?,006B1013,?), ref: 006B598F
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: AllocateHeap_free
            • String ID:
            • API String ID: 614378929-0
            • Opcode ID: ef5a648d33b5cf5e076b714ac251778da61bec4484ed7d50c174958acd38d917
            • Instruction ID: 1fafe3eea2fa1bd56f13e3ce35780d8a683dcbe0b6c66c98480b73f500511320
            • Opcode Fuzzy Hash: ef5a648d33b5cf5e076b714ac251778da61bec4484ed7d50c174958acd38d917
            • Instruction Fuzzy Hash: 5411E272504A15AECB202F64AC04BE9379AEF003A0B10452EF80E9B291EAB599C18358
            APIs
            • _memset.LIBCMT ref: 00694560
              • Part of subcall function 0069410D: _memset.LIBCMT ref: 0069418D
              • Part of subcall function 0069410D: _wcscpy.LIBCMT ref: 006941E1
              • Part of subcall function 0069410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006941F1
            • KillTimer.USER32(?,00000001,?,?), ref: 006945B5
            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 006945C4
            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 006CD6CE
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
            • String ID:
            • API String ID: 1378193009-0
            • Opcode ID: 2791045b7af55d82431e3f90529b98cb08b9d79334ac315f394500babee23d42
            • Instruction ID: f487ec0422ba931940cf6ada488c76770dbdda019c596875d4997aa75b4d1438
            • Opcode Fuzzy Hash: 2791045b7af55d82431e3f90529b98cb08b9d79334ac315f394500babee23d42
            • Instruction Fuzzy Hash: F221F570904784AFEB328B648C45FF7BBEDDF01304F00409EE69E56281C7B41A85CB55
            APIs
            • CreateFileW.KERNEL32(?,C0000000(GENERIC_READ|GENERIC_WRITE),00000003(FILE_SHARE_READ|FILE_SHARE_WRITE),00000000,00000003(OPEN_EXISTING),00000080(FILE_ATTRIBUTE_NORMAL),00000000), ref: 006F40D1
            • _memset.LIBCMT ref: 006F40F2
            • DeviceIoControl.KERNEL32(00000000,0004D02C(IOCTL_ATA_PASS_THROUGH),?,00000200,?,00000200,?,00000000), ref: 006F4144
            • CloseHandle.KERNEL32(00000000), ref: 006F414D
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: CloseControlCreateDeviceFileHandle_memset
            • String ID:
            • API String ID: 1157408455-0
            • Opcode ID: 7eb53ce48727c45af4b05ffbd52d70fcc5fd7bc823c53dc96013b22bcf37a157
            • Instruction ID: 7163b06fc7f8a02323c7a2db4e25addf9a51492b14136a6f0da9a72092c3f60d
            • Opcode Fuzzy Hash: 7eb53ce48727c45af4b05ffbd52d70fcc5fd7bc823c53dc96013b22bcf37a157
            • Instruction Fuzzy Hash: 9B11AB7590122C7AE7309BA59C4DFFBBB7CEF45760F10419AF908D7290D6744E808BA4
            APIs
              • Part of subcall function 00695B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,006F7B20,?,?,00000000), ref: 00695B8C
              • Part of subcall function 00695B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,006F7B20,?,?,00000000,?,?), ref: 00695BB0
            • gethostbyname.WSOCK32(?,?,?), ref: 007066AC
            • WSAGetLastError.WSOCK32(00000000), ref: 007066B7
            • _memmove.LIBCMT ref: 007066E4
            • inet_ntoa.WSOCK32(?), ref: 007066EF
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
            • String ID:
            • API String ID: 1504782959-0
            • Opcode ID: 522c6609b6a743f59a7c51fdf3cfb9c23e154282e8722329431cec85f33850ec
            • Instruction ID: 970f45a5c392e9db7944ade2c731a259ae7dc4848f653393a1207cdb6b767193
            • Opcode Fuzzy Hash: 522c6609b6a743f59a7c51fdf3cfb9c23e154282e8722329431cec85f33850ec
            • Instruction Fuzzy Hash: 43117975900508AFCF41FBA8D996DEEB7BDAF14310B048129F502A72A1DF34AE14CB69
            APIs
            • SendMessageW.USER32(?,000000B0(EM_GETSEL),?,?), ref: 006E9043
            • SendMessageW.USER32(?,000000C9(EM_LINEFROMCHAR),?,00000000), ref: 006E9055
            • SendMessageW.USER32(?,000000C9(EM_LINEFROMCHAR),?,00000000), ref: 006E906B
            • SendMessageW.USER32(?,000000C9(EM_LINEFROMCHAR),?,00000000), ref: 006E9086
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: c65a6f208035f703a754aff219547e6faa073b1c8ad3d5fb3a48433355829e9e
            • Instruction ID: 9f1986e03a525d5e18e75caab1b8b231dfea9f33f4f63582299ff63f3cdbb2ca
            • Opcode Fuzzy Hash: c65a6f208035f703a754aff219547e6faa073b1c8ad3d5fb3a48433355829e9e
            • Instruction Fuzzy Hash: 69114C79901218FFDB10DFA5C885EDDBB75FF48310F204095E904B7290D6716E50DBA4
            APIs
              • Part of subcall function 00692612: GetWindowLongW.USER32(?,000000EB), ref: 00692623
            • DefDlgProcW.USER32(?,00000020,?), ref: 006912D8
            • GetClientRect.USER32(?,?), ref: 006CB84B
            • GetCursorPos.USER32(?), ref: 006CB855
            • ScreenToClient.USER32(?,?), ref: 006CB860
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Client$CursorLongProcRectScreenWindow
            • String ID:
            • API String ID: 4127811313-0
            • Opcode ID: 29e11118999fc81400ff1e106778d97f43170ac3e169084c0a67c5bf95c882d5
            • Instruction ID: 1855b7f3ae47d8cc2f07bd61ca654d9ff514479228015685bac14a3fd611b522
            • Opcode Fuzzy Hash: 29e11118999fc81400ff1e106778d97f43170ac3e169084c0a67c5bf95c882d5
            • Instruction Fuzzy Hash: A2112B3550001AABCF00EFA8D8859FE77BEEB06301F5044A5F901EB651C734BA918BA9
            APIs
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006F01FD,?,006F1250,?,00008000), ref: 006F166F
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,006F01FD,?,006F1250,?,00008000), ref: 006F1694
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006F01FD,?,006F1250,?,00008000), ref: 006F169E
            • Sleep.KERNEL32(?,?,?,?,?,?,?,006F01FD,?,006F1250,?,00008000), ref: 006F16D1
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: CounterPerformanceQuerySleep
            • String ID:
            • API String ID: 2875609808-0
            • Opcode ID: 075d6985c50f6ce019c02c5ba472c40663038e0dec70580b4822356b3478ec6f
            • Instruction ID: ca149cad7f93e67fce6e1b53f592c1c40aad37d6f82f411b666e5f69d0e50a21
            • Opcode Fuzzy Hash: 075d6985c50f6ce019c02c5ba472c40663038e0dec70580b4822356b3478ec6f
            • Instruction Fuzzy Hash: AC115231D0051DE7CF009FA5D944AFEBF79FF0A791F158159DA40FA240CB3455509B9A
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
            • String ID:
            • API String ID: 3016257755-0
            • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
            • Instruction ID: f60e21115057fde5e422975fb29557482437150954833999394424eb78964b72
            • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
            • Instruction Fuzzy Hash: 16017B3204814ABBCF525F85DC01DEE3F27FF29340B088619FA1858131C23ACAB1AF81
            APIs
            • GetWindowRect.USER32(?,?), ref: 0071B59E
            • ScreenToClient.USER32(?,?), ref: 0071B5B6
            • ScreenToClient.USER32(?,?), ref: 0071B5DA
            • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0071B5F5
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ClientRectScreen$InvalidateWindow
            • String ID:
            • API String ID: 357397906-0
            • Opcode ID: 2bec43f42d4f33bc7f50b7448ba930a34a463701839a2bd1e7b4d2f0ceba649b
            • Instruction ID: 21c421c107557cf3811dd61183703eba57afab117af3351d027bfa1215fc3003
            • Opcode Fuzzy Hash: 2bec43f42d4f33bc7f50b7448ba930a34a463701839a2bd1e7b4d2f0ceba649b
            • Instruction Fuzzy Hash: 811146B9D00209EFDB41CF99C4449EEFBB5FB08310F108166E914E3260D735AA658F54
            APIs
            • _memset.LIBCMT ref: 0071B8FE
            • _memset.LIBCMT ref: 0071B90D
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020(NORMAL_PRIORITY_CLASS),00000000,00000000,00757F20,00757F64), ref: 0071B93C
            • CloseHandle.KERNEL32 ref: 0071B94E
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memset$CloseCreateHandleProcess
            • String ID:
            • API String ID: 3277943733-0
            • Opcode ID: f04b2c087b47664b3e26d7e70e0c79da134d970278a30bfcd6907f5f9b2a1862
            • Instruction ID: c467f396b383791030c6b734de096301e2694f1020d796e58badf61dd2570c49
            • Opcode Fuzzy Hash: f04b2c087b47664b3e26d7e70e0c79da134d970278a30bfcd6907f5f9b2a1862
            • Instruction Fuzzy Hash: 74F05EF2644310BBE210AB65BC06FFB3A5DEB08355F008031FA09D52E2D7BA5901C7AC
            APIs
            • EnterCriticalSection.KERNEL32(?), ref: 006F6E88
              • Part of subcall function 006F794E: _memset.LIBCMT ref: 006F7983
            • _memmove.LIBCMT ref: 006F6EAB
            • _memset.LIBCMT ref: 006F6EB8
            • LeaveCriticalSection.KERNEL32(?), ref: 006F6EC8
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: CriticalSection_memset$EnterLeave_memmove
            • String ID:
            • API String ID: 48991266-0
            • Opcode ID: ecb43adb0bb6f8bd4c1f7a4f6516a6529a20a3c965a341317f939b3bdcb7584c
            • Instruction ID: 10ef9b025a2242a3d789ccf9e9905df2c35a3d63d1ad7d0de73b2b2eac31da6f
            • Opcode Fuzzy Hash: ecb43adb0bb6f8bd4c1f7a4f6516a6529a20a3c965a341317f939b3bdcb7584c
            • Instruction Fuzzy Hash: EDF05E7A200214BBCF416F55DC85A9ABB2AFF45320B04C065FE085F26ACB75A951DBB8
            APIs
              • Part of subcall function 006912F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0069134D
              • Part of subcall function 006912F3: SelectObject.GDI32(?,00000000), ref: 0069135C
              • Part of subcall function 006912F3: BeginPath.GDI32(?), ref: 00691373
              • Part of subcall function 006912F3: SelectObject.GDI32(?,00000000), ref: 0069139C
            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0071C030
            • LineTo.GDI32(00000000,?,?), ref: 0071C03D
            • EndPath.GDI32(00000000), ref: 0071C04D
            • StrokePath.GDI32(00000000), ref: 0071C05B
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
            • String ID:
            • API String ID: 1539411459-0
            • Opcode ID: 6958861c2280b13c287139456d8cd6791b2585e8a6986f6ba501f315ddbe5df8
            • Instruction ID: b2e8191c150d1cf630876d010172bd0e5264d9daf3b4f6fc4c25b1c7f7e801cf
            • Opcode Fuzzy Hash: 6958861c2280b13c287139456d8cd6791b2585e8a6986f6ba501f315ddbe5df8
            • Instruction Fuzzy Hash: E1F05E31141269BBDB126F98AC0AFCE3F59AF1A311F14C000FA15650E2C7BD5691DB99
            APIs
            • SendMessageTimeoutW.USER32(?,00000000(WM_NULL),00000000,00000000,00000002(SMTO_ABORTIFHUNG),00001388(5000 ms),00000001), ref: 006EA399
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 006EA3AC
            • GetCurrentThreadId.KERNEL32 ref: 006EA3B3
            • AttachThreadInput.USER32(00000000), ref: 006EA3BA
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
            • String ID:
            • API String ID: 2710830443-0
            • Opcode ID: f3b079e1a4b2fe3201157bf0206f951b16afbeb10a76f7cf65091b4e1483d14f
            • Instruction ID: 38ddb9b161bf251442d1ae927e333dbc4fc91ea7cdb47a432b1cbe6a3bf3a4c1
            • Opcode Fuzzy Hash: f3b079e1a4b2fe3201157bf0206f951b16afbeb10a76f7cf65091b4e1483d14f
            • Instruction Fuzzy Hash: B1E06D31142368BADB201FA6DC0DED73F2DEF167A1F00C024F508C40A0C675D540DBA5
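            The records above list raw API sequences with their arguments as hex; a triager usually wants them reduced to a handful of behaviours and the constants decoded rather than read by eye. The following is an added example, not part of the Joe Sandbox report or of the sample's code: a small Python parser for these "APIs" lines plus a rule set covering the privilege-enumeration record (GetTokenInformation with class 3, which is TokenPrivileges in winnt.h, followed by LookupPrivilegeValueW and a LUID compare), the WinINet fetch, the DeviceIoControl record (0x0004D02C is IOCTL_ATA_PASS_THROUGH from ntddscsi.h; decode_ctl_code splits it into device type 4, read/write access, function 0x40B, METHOD_BUFFERED), the QueryPerformanceCounter/Sleep loop, and the SendMessageTimeoutW(WM_NULL, SMTO_ABORTIFHUNG, 5000 ms) followed by AttachThreadInput record. The embedded input lines are taken from those records; the rule names, tag strings and helper functions are this example's own.

```python
"""Added example: parse Joe Sandbox 'APIs' lines and tag the call sequences a triager
cares about.  The rules and tag names are this example's own, not the sandbox's."""
import re

# Three line shapes occur in the report:
#   • CreateFileW.KERNEL32(?,C0000000,00000003), ref: 006F40D1
#   • Part of subcall function 00701B21: InternetCloseHandle.WININET(00000000), ref: 00701BDD
#   • GetCurrentThreadId.KERNEL32 ref: 006EA3B3
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]{8}):\s*)?"
    r"(\w+)\.([A-Za-z0-9_]+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]{8})\s*$"
)

# Windows constants the rules key on (winnt.h, ntddscsi.h, winuser.h values).
TOKEN_INFORMATION_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges",
                           20: "TokenElevation", 25: "TokenIntegrityLevel"}
IOCTL_ATA_PASS_THROUGH = 0x0004D02C
SMTO_ABORTIFHUNG = 0x0002

def _arg(token):
    """'00000003(TokenPrivileges)' -> 3, '?' -> None, 'cdecl' -> 'cdecl'."""
    val = token.strip().split("(", 1)[0]   # drop the sandbox's parenthesised label
    if val == "?":
        return None
    try:
        return int(val, 16)
    except ValueError:
        return val                          # a string literal the sandbox printed inline

def parse_api_line(line):
    """Return one call as a dict, or None for a line that is not an API entry."""
    m = API_LINE.match(line)
    if not m:
        return None
    subcall, name, module, raw_args, ref = m.groups()
    args = [_arg(a) for a in raw_args.split(",")] if raw_args else []
    return {"name": name, "module": module, "args": args, "ref": int(ref, 16),
            "subcall": int(subcall, 16) if subcall else None}

def decode_ctl_code(code):
    """Split a CTL_CODE into DeviceType / Access / Function / Method (devioctl.h layout)."""
    return {"device_type": code >> 16, "access": (code >> 14) & 0x3,
            "function": (code >> 2) & 0xFFF, "method": code & 0x3}

def tag_calls(calls):
    """Apply the sequence rules to the parsed calls of one function record."""
    names = {c["name"] for c in calls}
    tags = set()
    for c in calls:
        a = c["args"]
        if c["name"] == "GetTokenInformation" and len(a) > 1 and a[1] in TOKEN_INFORMATION_CLASS:
            tags.add("token:" + TOKEN_INFORMATION_CLASS[a[1]])
        if c["name"] == "DeviceIoControl" and len(a) > 1 and a[1] == IOCTL_ATA_PASS_THROUGH:
            tags.add("ioctl:ata-pass-through")
        if c["name"] == "SendMessageTimeoutW" and len(a) > 4 and a[4] == SMTO_ABORTIFHUNG:
            tags.add("window:hang-probe")
    if "token:TokenPrivileges" in tags and "LookupPrivilegeValueW" in names:
        tags.add("privilege-check")          # enumerate privileges, then compare a LUID
    if {"InternetConnectW", "InternetOpenUrlW"} <= names:
        tags.add("wininet-fetch")
    if {"QueryPerformanceCounter", "Sleep"} <= names:
        tags.add("timing-loop")
    if "AttachThreadInput" in names:
        tags.add("attach-thread-input")
    return tags

def tag_record(lines):
    """Parse every API line of one record and return its tag set."""
    return tag_calls([c for c in map(parse_api_line, lines) if c])

# Input taken from the records above (trimmed to the lines the rules look at).
RECORDS = {
    "privilege": [
        "  • Part of subcall function 006E8652: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 006E8669",
        "  • Part of subcall function 006E8652: GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 006E8673",
        "• LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 006E8BEB",
        "• _memcmp.LIBCMT ref: 006E8C0E",
    ],
    "ioctl": [
        "• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 006F40D1",
        "• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 006F4144",
        "• CloseHandle.KERNEL32(00000000), ref: 006F414D",
    ],
    "wininet": [
        "• InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00701A97",
        "  • Part of subcall function 00701B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00701B40",
    ],
    "attach": [
        "• SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 006EA399",
        "• GetCurrentThreadId.KERNEL32 ref: 006EA3B3",
        "• AttachThreadInput.USER32(00000000), ref: 006EA3BA",
    ],
    "timing": [
        "• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,006F01FD,?,006F1250,?,00008000), ref: 006F166F",
        "• Sleep.KERNEL32(00000000,?,?,?,?,?,?,006F01FD,?,006F1250,?,00008000), ref: 006F1694",
    ],
}

if __name__ == "__main__":
    for label, lines in RECORDS.items():
        print(f"{label:10s} {sorted(tag_record(lines))}")
    print(decode_ctl_code(IOCTL_ATA_PASS_THROUGH))
```

            The parser ignores the label the sandbox prints in parentheses and decodes the numeric value, which is how a mislabelled class is caught: value 3 is TokenPrivileges, while TokenIntegrityLevel is 25. The tags are coarse by design; SendMessageTimeoutW with WM_NULL and SMTO_ABORTIFHUNG followed by AttachThreadInput is also what an ordinary window-activation helper emits, so treat the output as triage hints to be read next to the rest of the report, not as verdicts.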
            APIs
            • GetSysColor.USER32(00000008), ref: 00692231
            • SetTextColor.GDI32(?,000000FF), ref: 0069223B
            • SetBkMode.GDI32(?,00000001), ref: 00692250
            • GetStockObject.GDI32(00000005), ref: 00692258
            • GetWindowDC.USER32(?,00000000), ref: 006CC0D3
            • GetPixel.GDI32(00000000,00000000,00000000), ref: 006CC0E0
            • GetPixel.GDI32(00000000,?,00000000), ref: 006CC0F9
            • GetPixel.GDI32(00000000,00000000,?), ref: 006CC112
            • GetPixel.GDI32(00000000,?,?), ref: 006CC132
            • ReleaseDC.USER32(?,00000000), ref: 006CC13D
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
            • String ID:
            • API String ID: 1946975507-0
            • Opcode ID: 8aacfdb4e9216505138f29fcdf25fc072ab17312db1a39c8d7b462aa66226268
            • Instruction ID: a036708f3935a8c29390b9e99e3bb6e8558169f7a2682f3c079d9a51fe2c10e1
            • Opcode Fuzzy Hash: 8aacfdb4e9216505138f29fcdf25fc072ab17312db1a39c8d7b462aa66226268
            • Instruction Fuzzy Hash: 47E03031104144FADB215F68EC09BD83B15EB05332F14C366FA69880E1C7754590DB11
            APIs
            • GetCurrentThread.KERNEL32 ref: 006E8C63
            • OpenThreadToken.ADVAPI32(00000000,?,?,?,006E882E), ref: 006E8C6A
            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,006E882E), ref: 006E8C77
            • OpenProcessToken.ADVAPI32(00000000,?,?,?,006E882E), ref: 006E8C7E
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: CurrentOpenProcessThreadToken
            • String ID:
            • API String ID: 3974789173-0
            • Opcode ID: d2c4388b59a69907c1452b4e728b265e41477846f5122732679a0380a500ebb9
            • Instruction ID: fc3b123762660f7b0ddf1e27c0ea6d7485a9bb92bd5f25e212179d41c5b3b1a8
            • Opcode Fuzzy Hash: d2c4388b59a69907c1452b4e728b265e41477846f5122732679a0380a500ebb9
            • Instruction Fuzzy Hash: F8E04F366423119FD7205FB56E0CBD63BA8AF55B92F15C828E649CA090DA3894418B65
            APIs
            • GetDesktopWindow.USER32 ref: 006D2187
            • GetDC.USER32(00000000), ref: 006D2191
            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 006D21B1
            • ReleaseDC.USER32(?), ref: 006D21D2
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: 659eec6fbcf988ea7bcd26654ab3bd5d75f31da23c1c3407c0811b6e81350bcc
            • Instruction ID: c949bd268189a3b5b39974a3709b11e65e328fc9210a588cc2e9613919395c18
            • Opcode Fuzzy Hash: 659eec6fbcf988ea7bcd26654ab3bd5d75f31da23c1c3407c0811b6e81350bcc
            • Instruction Fuzzy Hash: BBE01A75800204EFDF019FA8CC08ADD7BF6EB5C350F11C42AF95A972A0CB3881429F49
            APIs
            • GetDesktopWindow.USER32 ref: 006D219B
            • GetDC.USER32(00000000), ref: 006D21A5
            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 006D21B1
            • ReleaseDC.USER32(?), ref: 006D21D2
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: 63229a29e2a81ee611745ba06e058d93603c3845b4485971a88fa1e9c9102748
            • Instruction ID: e6c475e29c75726cd00a057012da350ec933339166af5787fcbc05fede3afd6d
            • Opcode Fuzzy Hash: 63229a29e2a81ee611745ba06e058d93603c3845b4485971a88fa1e9c9102748
            • Instruction Fuzzy Hash: 44E0EEB5800204AFCF01AFA8C80869D7BB6EB4C360F11C029F95AA72A0CB3891429F48
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID: %r
            • API String ID: 0-2999538795
            • Opcode ID: 38fbff4aeb8eda2d17bf9d3e4cd6a42f057bf53790db0dc789514cd7d2d428cc
            • Instruction ID: 6f9c018a34fed3c6a4dcdace3cb5d67f94e258b5671f0e0e26b5a899e091f229
            • Opcode Fuzzy Hash: 38fbff4aeb8eda2d17bf9d3e4cd6a42f057bf53790db0dc789514cd7d2d428cc
            • Instruction Fuzzy Hash: BAB1A1719002099BCF14EF98C4819FEB7BEFF44310F50812AF902A7A95DB359E86CB65
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: __itow_s
            • String ID: xru$xru
            • API String ID: 3653519197-2112298241
            • Opcode ID: e061729c33ad5e1d9bf69c2eceb6b98d08db6e7875aa82dd2bbdf8e4109bf77d
            • Instruction ID: 48c5604472903c2e0260573637442726f99e33c1c92ccd872c86f92b0ceff7a6
            • Opcode Fuzzy Hash: e061729c33ad5e1d9bf69c2eceb6b98d08db6e7875aa82dd2bbdf8e4109bf77d
            • Instruction Fuzzy Hash: D0B16D70A00209EFCB14DF54C880EAEB7FAFF58300F148659F9459B292EB75EA41CB64
            APIs
              • Part of subcall function 006AFEC6: _wcscpy.LIBCMT ref: 006AFEE9
              • Part of subcall function 00699997: __itow.LIBCMT ref: 006999C2
              • Part of subcall function 00699997: __swprintf.LIBCMT ref: 00699A0C
            • __wcsnicmp.LIBCMT ref: 006FB298
            • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 006FB361
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
            • String ID: LPT
            • API String ID: 3222508074-1350329615
            • Opcode ID: 9e775aa817c3bfaddd69a7c80f6a7ed03ec45ccbe9e18b082df81803abe59ad3
            • Instruction ID: e0a83c7d87e3159a451f4313ccf052950affb1b3710830a1321750eb9d7d05f5
            • Opcode Fuzzy Hash: 9e775aa817c3bfaddd69a7c80f6a7ed03ec45ccbe9e18b082df81803abe59ad3
            • Instruction Fuzzy Hash: 0E616176A00219AFCB14EB98C881EFEB7BAAF08310F15505DF546AB391DB70AE41CB55
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memmove
            • String ID: Oaj
            • API String ID: 4104443479-1426506063
            • Opcode ID: e25d1d63914e36d6523bcbe38dae89e4fe877d3bb12b76798303c8d92ec3af8b
            • Instruction ID: 3fcf890b70298ed304ef1b5721bbca2c87fedd3d141c8a0080148951f138f1c0
            • Opcode Fuzzy Hash: e25d1d63914e36d6523bcbe38dae89e4fe877d3bb12b76798303c8d92ec3af8b
            • Instruction Fuzzy Hash: B2515DB0E006199FDB64DF68C884AEEB7B2FF45304F14852AE85AD7340EB31A955CB51
            APIs
            • Sleep.KERNEL32(00000000), ref: 006A2AC8
            • GlobalMemoryStatusEx.KERNEL32(?), ref: 006A2AE1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: GlobalMemorySleepStatus
            • String ID: @
            • API String ID: 2783356886-2766056989
            • Opcode ID: 31a08223093864b7b03acddeae44fdede1f5e221924ae7a76849dfd0a8525dcf
            • Instruction ID: 34cde37dc15619052a2a75b3d4f7bf0b4581bb7ecdc1cb942764e7f5a123a421
            • Opcode Fuzzy Hash: 31a08223093864b7b03acddeae44fdede1f5e221924ae7a76849dfd0a8525dcf
            • Instruction Fuzzy Hash: E65157714187449BE360AF14D886BAFBBFCFF84310F42885DF1E9411A1EB349529CB2A
            APIs
              • Part of subcall function 0069506B: __fread_nolock.LIBCMT ref: 00695089
            • _wcscmp.LIBCMT ref: 006F9AAE
            • _wcscmp.LIBCMT ref: 006F9AC1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: _wcscmp$__fread_nolock
            • String ID: FILE
            • API String ID: 4029003684-3121273764
            • Opcode ID: b02b7c822275a89291731221cf260463b46d2cc4e2c0d33317f456b53e39dab2
            • Instruction ID: b65b348dd45e78a28326efd398252b42121acd1bd11641a7a107a2db9e019aa9
            • Opcode Fuzzy Hash: b02b7c822275a89291731221cf260463b46d2cc4e2c0d33317f456b53e39dab2
            • Instruction Fuzzy Hash: A341D6B1A00619BADF219AA0DC45FEFB7BEDF45710F00007DBA01A7281DA759A4587A5
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ClearVariant
            • String ID: Dtu$Dtu
            • API String ID: 1473721057-3210119752
            • Opcode ID: 67b702e39c0ac86bcd5a457f7d01d796fcfd36bb5d5d3d4b4a3d6190214560af
            • Instruction ID: f7b704b3de456003995eb882558380dba0ab52373af750e221f476e1618ca79e
            • Opcode Fuzzy Hash: 67b702e39c0ac86bcd5a457f7d01d796fcfd36bb5d5d3d4b4a3d6190214560af
            • Instruction Fuzzy Hash: 21510674A08341CFDB54CF59C080A6ABBF6BB99344F54885DF8858B721D772EC81CB82
            APIs
            • _memset.LIBCMT ref: 00702892
            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 007028C8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: CrackInternet_memset
            • String ID: |
            • API String ID: 1413715105-2343686810
            • Opcode ID: 108f15285473c3ee2635f180fda927a2b9170ae0dcdb4f47247f3017fb415cee
            • Instruction ID: 4bb9fb8f8625c16b0f08b853172b2a15917e9bd4f0b9eb27f92b038122d0f44e
            • Opcode Fuzzy Hash: 108f15285473c3ee2635f180fda927a2b9170ae0dcdb4f47247f3017fb415cee
            • Instruction Fuzzy Hash: E2314A71810119AFCF45EFA1CC89EEEBFB9FF08310F004129F815A61A6DB355A56DBA4
            APIs
            • DestroyWindow.USER32(?,?,?,?), ref: 00716D86
            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00716DC2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$DestroyMove
            • String ID: static
            • API String ID: 2139405536-2160076837
            • Opcode ID: 3438f95f047b8d6bebe2f7b1a927be0027123fe08fdcc28b534c9749bbbf8396
            • Instruction ID: fd46f9fda1f11b379070353744bd061b219afebf89fd4fe864c68db5b26deefe
            • Opcode Fuzzy Hash: 3438f95f047b8d6bebe2f7b1a927be0027123fe08fdcc28b534c9749bbbf8396
            • Instruction Fuzzy Hash: B3319C71200604AEDF109F38DC81AFB77ADFF48720F10861DF8A997190DA39AC91CB64
            APIs
            • _memset.LIBCMT ref: 006F2E00
            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 006F2E3B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: InfoItemMenu_memset
            • String ID: 0
            • API String ID: 2223754486-4108050209
            • Opcode ID: 26aa0d8153d2d683fff8d2efdd6e98797b9388b3753eb60a706535340dd89ede
            • Instruction ID: f5cf89d0f16b46efa224a872a880d6f7b4bf18ce10bc5d56975d44c6a7fdbe03
            • Opcode Fuzzy Hash: 26aa0d8153d2d683fff8d2efdd6e98797b9388b3753eb60a706535340dd89ede
            • Instruction Fuzzy Hash: 0031C57160030EABEB248F58C9957FEBBBBEF05350F24402EEA85962A1E7749944CF54
            APIs
            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 007169D0
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007169DB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: Combobox
            • API String ID: 3850602802-2096851135
            • Opcode ID: 2d4abdb773defc9e2b02b47c855a8be9ce1054ed2d04c27e521d09230c730fa6
            • Instruction ID: c33f8063a704384daa53b17f5fbd21cd4a8b6279f3ea51cad4ffe8f965d35d21
            • Opcode Fuzzy Hash: 2d4abdb773defc9e2b02b47c855a8be9ce1054ed2d04c27e521d09230c730fa6
            • Instruction Fuzzy Hash: DF1198717002096FEF119F18CC91EFB3B6EEB993A4F114129F9589B2D0D679EC9187A0
            APIs
              • Part of subcall function 00691D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00691D73
              • Part of subcall function 00691D35: GetStockObject.GDI32(00000011), ref: 00691D87
              • Part of subcall function 00691D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00691D91
            • GetWindowRect.USER32(00000000,?), ref: 00716EE0
            • GetSysColor.USER32(00000012), ref: 00716EFA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$ColorCreateMessageObjectRectSendStock
            • String ID: static
            • API String ID: 1983116058-2160076837
            • Opcode ID: eda383d078d8abce99a0718bf49b528bb6e965102ab951e5fde5ea62f003b2df
            • Instruction ID: 330ba75720b93d4db4a92bdee87a165504a46fee09b3e396caa48dcd7baa16bf
            • Opcode Fuzzy Hash: eda383d078d8abce99a0718bf49b528bb6e965102ab951e5fde5ea62f003b2df
            • Instruction Fuzzy Hash: A921297261021AAFDB04DFA8DD45AEA7BB9FB08314F044629F955D3290E638E8A19B50
            APIs
            • GetWindowTextLengthW.USER32(00000000), ref: 00716C11
            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00716C20
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: LengthMessageSendTextWindow
            • String ID: edit
            • API String ID: 2978978980-2167791130
            • Opcode ID: 39744fb2d0dac6c65be7c1e26db7301a57d22ff520070d60cdd7a4ec53857931
            • Instruction ID: 049c287e80a37ada2bf1a4e59772f1f015990c0fe30c79b0a676e211654654e6
            • Opcode Fuzzy Hash: 39744fb2d0dac6c65be7c1e26db7301a57d22ff520070d60cdd7a4ec53857931
            • Instruction Fuzzy Hash: 12119AB1104208ABEB208E689C41AEB376AEB05368F608724F960D71E0C679EC919B60
            APIs
            • _memset.LIBCMT ref: 006F2F11
            • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 006F2F30
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: InfoItemMenu_memset
            • String ID: 0
            • API String ID: 2223754486-4108050209
            • Opcode ID: ae6f603284d990690cb7374eb3b5ab91c078c1da7edd22dffe104e6feea3b9bc
            • Instruction ID: f9d22d64248c37b03bb45298f307d52e0033422b370dae971cd419cf7f29b8df
            • Opcode Fuzzy Hash: ae6f603284d990690cb7374eb3b5ab91c078c1da7edd22dffe104e6feea3b9bc
            • Instruction Fuzzy Hash: A911D03195221EABCB20DB58DD14BF977BBFB01310F1440A5EA54E73A0E7B0AD04CB95
            APIs
            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00702520
            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00702549
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Internet$OpenOption
            • String ID: <local>
            • API String ID: 942729171-4266983199
            • Opcode ID: db0af2c811029dc427bb42d0313ff876959e5d1b86ebe8a57670fb75de938070
            • Instruction ID: 5883f34bc5f5a38d4ea651a9e54df6d5a76e88f63a30a4a587edbba53754867e
            • Opcode Fuzzy Hash: db0af2c811029dc427bb42d0313ff876959e5d1b86ebe8a57670fb75de938070
            • Instruction Fuzzy Hash: 8811E372100225FADB248F518C9DEFBFFA8FB05355F10826AF50542181D3785952D6E0
            APIs
              • Part of subcall function 0070830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,007080C8,?,00000000,?,?), ref: 00708322
            • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 007080CB
            • htons.WSOCK32(00000000,?,00000000), ref: 00708108
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ByteCharMultiWidehtonsinet_addr
            • String ID: 255.255.255.255
            • API String ID: 2496851823-2422070025
            • Opcode ID: 731c42dfa174f9321d3b3cb6eacc61ea37aa1ec01e42b6613c859ed91c695d2b
            • Instruction ID: 9e3df8aa3a003597109efde44d1fcb7f97cb279dadc322c482775502b50d32eb
            • Opcode Fuzzy Hash: 731c42dfa174f9321d3b3cb6eacc61ea37aa1ec01e42b6613c859ed91c695d2b
            • Instruction Fuzzy Hash: E811E534500309EBDB10AF68CC86FEDB365FF14320F10862AF951A72D2DB35A811C75A
            APIs
            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00693C26,007562F8,?,?,?), ref: 006A0ACE
              • Part of subcall function 00697D2C: _memmove.LIBCMT ref: 00697D66
            • _wcscat.LIBCMT ref: 006D50E1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: FullNamePath_memmove_wcscat
            • String ID: cu
            • API String ID: 257928180-2324572491
            • Opcode ID: 6b9c1b87b27f786a532337131380c833fcda5970becd0c95eb333970c7458d82
            • Instruction ID: ecdc0eee7f9da47c5cbaa867adbc63737ebdd790e1e9312c2f61a5420a64413e
            • Opcode Fuzzy Hash: 6b9c1b87b27f786a532337131380c833fcda5970becd0c95eb333970c7458d82
            • Instruction Fuzzy Hash: 2D1165359042089B9B81FB64CD01ED977BEEF09350B0040A9F949D7291EA75DF898B25
            APIs
              • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
              • Part of subcall function 006EB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006EB0E7
            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 006E9355
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ClassMessageNameSend_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 372448540-1403004172
            • Opcode ID: b5484f24eb560e24f4dcb28ea8b96ddf881834035a7af277a5bd533cfb910a4e
            • Instruction ID: 57c547d36bb1bd1cf805d7b44424ddfd92e4c80b7c8270aade7d9dcff0b1a250
            • Opcode Fuzzy Hash: b5484f24eb560e24f4dcb28ea8b96ddf881834035a7af277a5bd533cfb910a4e
            • Instruction Fuzzy Hash: 37019E71A06314AB8F04EBA5CC928FE776EBF06320B140619F932676E2DB3569089664
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: __fread_nolock_memmove
            • String ID: EA06
            • API String ID: 1988441806-3962188686
            • Opcode ID: dfaa24ab2e1a72f70246fa0d74382cbaa761a41eef67de399048271f6ebbe06f
            • Instruction ID: bf28fd7bee8313085ca68433d2813c47b4e72b86389c1840ca3496b29b078652
            • Opcode Fuzzy Hash: dfaa24ab2e1a72f70246fa0d74382cbaa761a41eef67de399048271f6ebbe06f
            • Instruction Fuzzy Hash: F801B9B19042687EDB68C6A8C856FFE7BF89B15301F00419EF552D6181E975A6048B64
            APIs
              • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
              • Part of subcall function 006EB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006EB0E7
            • SendMessageW.USER32(?,00000180,00000000,?), ref: 006E924D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ClassMessageNameSend_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 372448540-1403004172
            • Opcode ID: 3ce2074c89893be85c66a9159f2c1d1786bb1becaf0ddb7413cfd3b56fc9187c
            • Instruction ID: ffc104ac53512dd50fda192439554b3021c168203affa99d047aee508db6d2c2
            • Opcode Fuzzy Hash: 3ce2074c89893be85c66a9159f2c1d1786bb1becaf0ddb7413cfd3b56fc9187c
            • Instruction Fuzzy Hash: D301D471A423047BCF04EBA1C992DFF73AE9F05300F240019BA12676D1EA156F0C9675
            APIs
              • Part of subcall function 00697F41: _memmove.LIBCMT ref: 00697F82
              • Part of subcall function 006EB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 006EB0E7
            • SendMessageW.USER32(?,00000182,?,00000000), ref: 006E92D0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ClassMessageNameSend_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 372448540-1403004172
            • Opcode ID: ec747267dc8230c6548974f949e32e9abd82ea5c1722d6a760fc8ff79f8e4976
            • Instruction ID: 72dc108d9ac2ae9e73097fa70ca42499d7b907c2fd487f5a55a22a750b118bf8
            • Opcode Fuzzy Hash: ec747267dc8230c6548974f949e32e9abd82ea5c1722d6a760fc8ff79f8e4976
            • Instruction Fuzzy Hash: 1801F771A423047BCF00E6A5C982DFF73AE9F00300F240019B902676D1DB155F089679
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: __calloc_crt
            • String ID: @Ru
            • API String ID: 3494438863-658108087
            • Opcode ID: 73b40c6363bc33376fa92a82675f62b2f115defd1f5105e92889bcb071325fdd
            • Instruction ID: 8240d25e32e057f0c2da3a268e3b05b711cef9e8c1224859add757292748bbcb
            • Opcode Fuzzy Hash: 73b40c6363bc33376fa92a82675f62b2f115defd1f5105e92889bcb071325fdd
            • Instruction Fuzzy Hash: 1FF04FB1B097169BE7649F18FD016E13796FB41721F50852AF101CB290EBBC88C18799
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: ClassName_wcscmp
            • String ID: #32770
            • API String ID: 2292705959-463685578
            • Opcode ID: 6cb92cab7677c304bb8ce1d89766c2612d291b9a0e033c88e670b839e6b18fc7
            • Instruction ID: e8365104051d5c7ac32a4c2eb0ab2385e8db5736ee2ee6542944b470896d2ae4
            • Opcode Fuzzy Hash: 6cb92cab7677c304bb8ce1d89766c2612d291b9a0e033c88e670b839e6b18fc7
            • Instruction Fuzzy Hash: FEE02B7260022C26D7109699AC09AE7F7ACEB40721F00016BF910D3180E5649A4487D4
            APIs
            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 006E81CA
              • Part of subcall function 006B3598: _doexit.LIBCMT ref: 006B35A2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: Message_doexit
            • String ID: AutoIt$Error allocating memory.
            • API String ID: 1993061046-4017498283
            • Opcode ID: 5e227b0eb10cc9b248556b473804f130b731616060d3dce2c229c49e386e592f
            • Instruction ID: 80d9a4448ee5e98c59713b873a116cff98d6ba2ff822631cc1c779c10d3b5739
            • Opcode Fuzzy Hash: 5e227b0eb10cc9b248556b473804f130b731616060d3dce2c229c49e386e592f
            • Instruction Fuzzy Hash: C3D05B723C536C36D26433E96C07FC675494F15B51F504019FB08555D38ED555C243ED
            APIs
              • Part of subcall function 006CB564: _memset.LIBCMT ref: 006CB571
              • Part of subcall function 006B0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,006CB540,?,?,?,0069100A), ref: 006B0B89
            • IsDebuggerPresent.KERNEL32(?,?,?,0069100A), ref: 006CB544
            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0069100A), ref: 006CB553
            Strings
            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 006CB54E
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
            • API String ID: 3158253471-631824599
            • Opcode ID: cd59340c578646774db811852b980d474c4e5fb3165bfbfb54f9fe8ba8cf816b
            • Instruction ID: 83692c5f5c307df6aabf8c6375adfd00663f20f8d50afd82f6c2a660f7d6ca5d
            • Opcode Fuzzy Hash: cd59340c578646774db811852b980d474c4e5fb3165bfbfb54f9fe8ba8cf816b
            • Instruction Fuzzy Hash: 36E06DB02003118FE760EF28E4097927BE4EB00704F00C92CE446C3752DBB8E444CB65
            APIs
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00715BF5
            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00715C08
              • Part of subcall function 006F54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 006F555E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.2059500232.0000000000691000.00000020.00000001.01000000.00000003.sdmp, Offset: 00690000, based on PE: true
            • Associated: 00000000.00000002.2059486407.0000000000690000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.000000000071F000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059539822.0000000000745000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059576636.000000000074F000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.2059590442.0000000000758000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_690000_Salary_Receipt.jbxd
            Similarity
            • API ID: FindMessagePostSleepWindow
            • String ID: Shell_TrayWnd
            • API String ID: 529655941-2988720461
            • Opcode ID: 5070861fbde28e9377c6080efa63ea3ea47c9688e9e6e31f5e85ce0de1c3f47e
            • Instruction ID: bf306c0181a2c27bda0d829478acb9fa40b84ac0ff2de1011c47159815af90ba
            • Opcode Fuzzy Hash: 5070861fbde28e9377c6080efa63ea3ea47c9688e9e6e31f5e85ce0de1c3f47e
            • Instruction Fuzzy Hash: C4D012313C8315BBE774BB74AC0FFE76A65BB01B51F008839F74AAA1D1D9E85800C658