Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
Salary_Receipt.exe

Overview

General Information

Sample name:Salary_Receipt.exe
Analysis ID:1561150
MD5:08a71f36822c8207f16013ed296ff269
SHA1:4b7bcd2c3246f98be32330a20892a28e998e4b19
SHA256:003b578a15479fac58ada62d5bb903102d3d3113f530ce3c51cd10c28f479868
Tags:exeFormbookXLoaderuser-Brad_malware
Infos:

Detection

FormBook
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • Salary_Receipt.exe (PID: 3608 cmdline: "C:\Users\user\Desktop\Salary_Receipt.exe" MD5: 08A71F36822C8207F16013ED296FF269)
    • svchost.exe (PID: 1744 cmdline: "C:\Users\user\Desktop\Salary_Receipt.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000001.00000002.2202769937.00000000004D0000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000001.00000002.2202978487.0000000002D00000.00000004.00001000.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security

      Unpacked PEs

      SourceRuleDescriptionAuthorStrings
      1.2.svchost.exe.4d0000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        1.2.svchost.exe.4d0000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

          Sigma Signatures

          System Summary

          barindex
          Sigma detected: Uncommon Svchost Parent Process
          Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\Salary_Receipt.exe", CommandLine: "C:\Users\user\Desktop\Salary_Receipt.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Salary_Receipt.exe", ParentImage: C:\Users\user\Desktop\Salary_Receipt.exe, ParentProcessId: 3608, ParentProcessName: Salary_Receipt.exe, ProcessCommandLine: "C:\Users\user\Desktop\Salary_Receipt.exe", ProcessId: 1744, ProcessName: svchost.exe
          Sigma detected: Windows Processes Suspicious Parent Directory
          Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\Salary_Receipt.exe", CommandLine: "C:\Users\user\Desktop\Salary_Receipt.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Salary_Receipt.exe", ParentImage: C:\Users\user\Desktop\Salary_Receipt.exe, ParentProcessId: 3608, ParentProcessName: Salary_Receipt.exe, ProcessCommandLine: "C:\Users\user\Desktop\Salary_Receipt.exe", ProcessId: 1744, ProcessName: svchost.exe

          Suricata Signatures

          No Suricata rule has matched

          Joe Sandbox Signatures

          Click to jump to signature section

          Show All Signature Results

          AV Detection

          barindex
          Multi AV Scanner detection for submitted file
          Source: Salary_Receipt.exeReversingLabs: Detection: 34%
          Yara detected FormBook
          Source: Yara matchFile source: 1.2.svchost.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.svchost.exe.4d0000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.2202769937.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.2202978487.0000000002D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          AI detected suspicious sample
          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
          Machine Learning detection for sample
          Source: Salary_Receipt.exeJoe Sandbox ML: detected
          Source: Salary_Receipt.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP source: Salary_Receipt.exe, 00000000.00000003.1726225302.0000000003580000.00000004.00001000.00020000.00000000.sdmp, Salary_Receipt.exe, 00000000.00000003.1727634874.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2162759290.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2160573022.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2203019089.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2203019089.0000000003000000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Salary_Receipt.exe, 00000000.00000003.1726225302.0000000003580000.00000004.00001000.00020000.00000000.sdmp, Salary_Receipt.exe, 00000000.00000003.1727634874.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.2162759290.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2160573022.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2203019089.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2203019089.0000000003000000.00000040.00001000.00020000.00000000.sdmp
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001A4696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_001A4696
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001AC93C FindFirstFileW,FindClose,0_2_001AC93C
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001AC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_001AC9C7
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001AF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_001AF200
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001AF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_001AF35D
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001AF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_001AF65E
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001A3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_001A3A2B
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001A3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_001A3D4E
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001ABF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_001ABF27
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001B25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_001B25E2
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001B425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_001B425A
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001B4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_001B4458
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001B425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_001B425A
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001A0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_001A0219
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001CCDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_001CCDAC

          E-Banking Fraud

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 1.2.svchost.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.svchost.exe.4d0000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.2202769937.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.2202978487.0000000002D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

          System Summary

          barindex
          Binary is likely a compiled AutoIt script file
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: This is a third-party compiled AutoIt script.0_2_00143B4C
          Source: Salary_Receipt.exeString found in binary or memory: This is a third-party compiled AutoIt script.
          Source: Salary_Receipt.exe, 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_fd2246af-e
          Source: Salary_Receipt.exe, 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_140a5f6a-7
          Source: Salary_Receipt.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_4a70cfb3-d
          Source: Salary_Receipt.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_1a248459-4
          Initial sample is a PE file and has a suspicious name
          Source: initial sampleStatic PE information: Filename: Salary_Receipt.exe
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004FCD33 NtClose,1_2_004FCD33
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072B60 NtClose,LdrInitializeThunk,1_2_03072B60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03072DF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030735C0 NtCreateMutant,LdrInitializeThunk,1_2_030735C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03074340 NtSetContextThread,1_2_03074340
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03074650 NtSuspendThread,1_2_03074650
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072B80 NtQueryInformationFile,1_2_03072B80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072BA0 NtEnumerateValueKey,1_2_03072BA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072BE0 NtQueryValueKey,1_2_03072BE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072BF0 NtAllocateVirtualMemory,1_2_03072BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072AB0 NtWaitForSingleObject,1_2_03072AB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072AD0 NtReadFile,1_2_03072AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072AF0 NtWriteFile,1_2_03072AF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072F30 NtCreateSection,1_2_03072F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072F60 NtCreateProcessEx,1_2_03072F60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072F90 NtProtectVirtualMemory,1_2_03072F90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072FA0 NtQuerySection,1_2_03072FA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072FB0 NtResumeThread,1_2_03072FB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072FE0 NtCreateFile,1_2_03072FE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072E30 NtWriteVirtualMemory,1_2_03072E30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072E80 NtReadVirtualMemory,1_2_03072E80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072EA0 NtAdjustPrivilegesToken,1_2_03072EA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072EE0 NtQueueApcThread,1_2_03072EE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072D00 NtSetInformationFile,1_2_03072D00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072D10 NtMapViewOfSection,1_2_03072D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072D30 NtUnmapViewOfSection,1_2_03072D30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072DB0 NtEnumerateKey,1_2_03072DB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072DD0 NtDelayExecution,1_2_03072DD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072C00 NtQueryInformationProcess,1_2_03072C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072C60 NtCreateKey,1_2_03072C60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072C70 NtFreeVirtualMemory,1_2_03072C70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072CA0 NtQueryInformationToken,1_2_03072CA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072CC0 NtQueryVirtualMemory,1_2_03072CC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072CF0 NtOpenProcess,1_2_03072CF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03073010 NtOpenDirectoryObject,1_2_03073010
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03073090 NtSetValueKey,1_2_03073090
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030739B0 NtGetContextThread,1_2_030739B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03073D10 NtOpenProcessToken,1_2_03073D10
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03073D70 NtOpenThread,1_2_03073D70
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001A4021: CreateFileW,DeviceIoControl,CloseHandle,0_2_001A4021
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00198858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_00198858
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001A545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_001A545F
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_0014E8000_2_0014E800
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_0016DBB50_2_0016DBB5
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001C804A0_2_001C804A
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_0014E0600_2_0014E060
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001541400_2_00154140
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001624050_2_00162405
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001765220_2_00176522
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_0017267E0_2_0017267E
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001C06650_2_001C0665
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_0016283A0_2_0016283A
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001568430_2_00156843
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001789DF0_2_001789DF
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00158A0E0_2_00158A0E
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00176A940_2_00176A94
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001C0AE20_2_001C0AE2
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001A8B130_2_001A8B13
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_0019EB070_2_0019EB07
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_0016CD610_2_0016CD61
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001770060_2_00177006
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_0015710E0_2_0015710E
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001531900_2_00153190
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001412870_2_00141287
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001633C70_2_001633C7
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_0016F4190_2_0016F419
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001556800_2_00155680
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001616C40_2_001616C4
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001678D30_2_001678D3
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001558C00_2_001558C0
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00161BB80_2_00161BB8
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00179D050_2_00179D05
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_0014FE400_2_0014FE40
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00161FD00_2_00161FD0
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_0016BFE60_2_0016BFE6
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00B136000_2_00B13600
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004DE8EA1_2_004DE8EA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004DE8F31_2_004DE8F3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004DE93C1_2_004DE93C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004D11801_2_004D1180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004D29A01_2_004D29A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004D32F01_2_004D32F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004FF3631_2_004FF363
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004E057A1_2_004E057A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004E05831_2_004E0583
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004D26B01_2_004D26B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004E6F431_2_004E6F43
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004E07A31_2_004E07A3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004DE7A31_2_004DE7A3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FA3521_2_030FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E3F01_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031003E61_2_031003E6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E02741_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C02C01_2_030C02C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030301001_2_03030100
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DA1181_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C81581_2_030C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031001AA1_2_031001AA
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F81CC1_2_030F81CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D20001_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030647501_2_03064750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030407701_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303C7C01_2_0303C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305C6E01_2_0305C6E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030405351_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031005911_2_03100591
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E44201_2_030E4420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F24461_2_030F2446
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030EE4F61_2_030EE4F6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FAB401_2_030FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F6BD71_2_030F6BD7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA801_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030569621_2_03056962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A01_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0310A9A61_2_0310A9A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304A8401_2_0304A840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030428401_2_03042840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030268B81_2_030268B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E8F01_2_0306E8F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03082F281_2_03082F28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03060F301_2_03060F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E2F301_2_030E2F30
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B4F401_2_030B4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BEFA01_2_030BEFA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03032FC81_2_03032FC8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FEE261_2_030FEE26
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040E591_2_03040E59
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03052E901_2_03052E90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FCE931_2_030FCE93
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FEEDB1_2_030FEEDB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304AD001_2_0304AD00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DCD1F1_2_030DCD1F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03058DBF1_2_03058DBF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303ADE01_2_0303ADE0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040C001_2_03040C00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E0CB51_2_030E0CB5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03030CF21_2_03030CF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F132D1_2_030F132D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302D34C1_2_0302D34C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0308739A1_2_0308739A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030452A01_2_030452A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305B2C01_2_0305B2C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E12ED1_2_030E12ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0307516C1_2_0307516C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302F1721_2_0302F172
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0310B16B1_2_0310B16B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304B1B01_2_0304B1B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030EF0CC1_2_030EF0CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030470C01_2_030470C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F70E91_2_030F70E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FF0E01_2_030FF0E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FF7B01_2_030FF7B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F16CC1_2_030F16CC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F75711_2_030F7571
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DD5B01_2_030DD5B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FF43F1_2_030FF43F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030314601_2_03031460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FFB761_2_030FFB76
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305FB801_2_0305FB80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B5BF01_2_030B5BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0307DBF91_2_0307DBF9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FFA491_2_030FFA49
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F7A461_2_030F7A46
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B3A6C1_2_030B3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DDAAC1_2_030DDAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03085AA01_2_03085AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E1AA31_2_030E1AA3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030EDAC61_2_030EDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D59101_2_030D5910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030499501_2_03049950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305B9501_2_0305B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AD8001_2_030AD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030438E01_2_030438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FFF091_2_030FFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03041F921_2_03041F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FFFB11_2_030FFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03003FD21_2_03003FD2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03003FD51_2_03003FD5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03049EB01_2_03049EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03043D401_2_03043D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F1D5A1_2_030F1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F7D731_2_030F7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305FDC01_2_0305FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B9C321_2_030B9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FFCF21_2_030FFCF2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 030AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0302B970 appears 260 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 030BF290 appears 105 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03075130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03087E54 appears 100 times
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: String function: 00147F41 appears 35 times
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: String function: 00168B40 appears 42 times
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: String function: 00160D27 appears 70 times
          Source: Salary_Receipt.exe, 00000000.00000003.1726522149.0000000003503000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Salary_Receipt.exe
          Source: Salary_Receipt.exe, 00000000.00000003.1726640252.00000000036AD000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs Salary_Receipt.exe
          Source: Salary_Receipt.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: classification engineClassification label: mal84.troj.evad.winEXE@3/2@0/0
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001AA2D5 GetLastError,FormatMessageW,0_2_001AA2D5
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00198713 AdjustTokenPrivileges,CloseHandle,0_2_00198713
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00198CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00198CC3
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001AB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_001AB59E
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001BF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_001BF121
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001AC602 CoInitialize,CoCreateInstance,CoUninitialize,0_2_001AC602
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00144FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00144FE9
          Source: C:\Users\user\Desktop\Salary_Receipt.exeFile created: C:\Users\user\AppData\Local\Temp\aut72C7.tmpJump to behavior
          Source: Salary_Receipt.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\Salary_Receipt.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
          Source: Salary_Receipt.exeReversingLabs: Detection: 34%
          Source: unknownProcess created: C:\Users\user\Desktop\Salary_Receipt.exe "C:\Users\user\Desktop\Salary_Receipt.exe"
          Source: C:\Users\user\Desktop\Salary_Receipt.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Salary_Receipt.exe"
          Source: C:\Users\user\Desktop\Salary_Receipt.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Salary_Receipt.exe"Jump to behavior
          Source: C:\Users\user\Desktop\Salary_Receipt.exeSection loaded: wsock32.dllJump to behavior
          Source: C:\Users\user\Desktop\Salary_Receipt.exeSection loaded: version.dllJump to behavior
          Source: C:\Users\user\Desktop\Salary_Receipt.exeSection loaded: winmm.dllJump to behavior
          Source: C:\Users\user\Desktop\Salary_Receipt.exeSection loaded: mpr.dllJump to behavior
          Source: C:\Users\user\Desktop\Salary_Receipt.exeSection loaded: wininet.dllJump to behavior
          Source: C:\Users\user\Desktop\Salary_Receipt.exeSection loaded: iphlpapi.dllJump to behavior
          Source: C:\Users\user\Desktop\Salary_Receipt.exeSection loaded: userenv.dllJump to behavior
          Source: C:\Users\user\Desktop\Salary_Receipt.exeSection loaded: uxtheme.dllJump to behavior
          Source: C:\Users\user\Desktop\Salary_Receipt.exeSection loaded: kernel.appcore.dllJump to behavior
          Source: C:\Users\user\Desktop\Salary_Receipt.exeSection loaded: windows.storage.dllJump to behavior
          Source: C:\Users\user\Desktop\Salary_Receipt.exeSection loaded: wldp.dllJump to behavior
          Source: C:\Users\user\Desktop\Salary_Receipt.exeSection loaded: ntmarta.dllJump to behavior
          Source: Salary_Receipt.exeStatic file information: File size 1368064 > 1048576
          Source: Salary_Receipt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: Salary_Receipt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: Salary_Receipt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: Salary_Receipt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Salary_Receipt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: Salary_Receipt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: Salary_Receipt.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP source: Salary_Receipt.exe, 00000000.00000003.1726225302.0000000003580000.00000004.00001000.00020000.00000000.sdmp, Salary_Receipt.exe, 00000000.00000003.1727634874.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2162759290.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2160573022.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2203019089.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2203019089.0000000003000000.00000040.00001000.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: Salary_Receipt.exe, 00000000.00000003.1726225302.0000000003580000.00000004.00001000.00020000.00000000.sdmp, Salary_Receipt.exe, 00000000.00000003.1727634874.00000000033E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.2162759290.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.2160573022.0000000002C00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2203019089.000000000319E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.2203019089.0000000003000000.00000040.00001000.00020000.00000000.sdmp
          Source: Salary_Receipt.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: Salary_Receipt.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: Salary_Receipt.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: Salary_Receipt.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: Salary_Receipt.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001BC304 LoadLibraryA,GetProcAddress,0_2_001BC304
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_0014C590 push eax; retn 0014h0_2_0014C599
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001A8719 push FFFFFF8Bh; iretd 0_2_001A871B
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_0016E94F push edi; ret 0_2_0016E951
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_0016EA68 push esi; ret 0_2_0016EA6A
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00168B85 push ecx; ret 0_2_00168B98
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_0016EC43 push esi; ret 0_2_0016EC45
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_0016ED2C push edi; ret 0_2_0016ED2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004FD863 push edi; iretd 1_2_004FD86C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004D51C0 pushad ; ret 1_2_004D51CB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004DD48E push cs; ret 1_2_004DD4BB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004E64BD push ecx; ret 1_2_004E64DD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004F4CB3 push edi; ret 1_2_004F4CD5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004D3570 push eax; ret 1_2_004D3572
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004EAEB5 push cs; iretd 1_2_004EAEBC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300225F pushad ; ret 1_2_030027F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030027FA pushad ; ret 1_2_030027F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030309AD push ecx; mov dword ptr [esp], ecx1_2_030309B6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300283D push eax; iretd 1_2_03002858
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0300135E push eax; iretd 1_2_03001369
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03009939 push es; iretd 1_2_03009940
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00144A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00144A35
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001C55FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_001C55FD
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001633C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_001633C7
          Source: C:\Users\user\Desktop\Salary_Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
          Source: C:\Users\user\Desktop\Salary_Receipt.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

          Malware Analysis System Evasion

          barindex
          Switches to a custom stack to bypass stack traces
          Source: C:\Users\user\Desktop\Salary_Receipt.exeAPI/Special instruction interceptor: Address: B13224
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0307096E rdtsc 1_2_0307096E
          Source: C:\Users\user\Desktop\Salary_Receipt.exeAPI coverage: 5.7 %
          Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.6 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 2892Thread sleep time: -30000s >= -30000sJump to behavior
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001A4696 GetFileAttributesW,FindFirstFileW,FindClose,0_2_001A4696
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001AC93C FindFirstFileW,FindClose,0_2_001AC93C
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001AC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_001AC9C7
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001AF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_001AF200
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001AF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_001AF35D
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001AF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_001AF65E
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001A3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_001A3A2B
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001A3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_001A3D4E
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001ABF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_001ABF27
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00144AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00144AFE
          Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0307096E rdtsc 1_2_0307096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004E7ED3 LdrLoadDll,1_2_004E7ED3
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001B41FD BlockInput,0_2_001B41FD
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00143B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00143B4C
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00175CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,0_2_00175CCC
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001BC304 LoadLibraryA,GetProcAddress,0_2_001BC304
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00B13490 mov eax, dword ptr fs:[00000030h]0_2_00B13490
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00B134F0 mov eax, dword ptr fs:[00000030h]0_2_00B134F0
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00B11E70 mov eax, dword ptr fs:[00000030h]0_2_00B11E70
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h]1_2_0306A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h]1_2_0306A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A30B mov eax, dword ptr fs:[00000030h]1_2_0306A30B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302C310 mov ecx, dword ptr fs:[00000030h]1_2_0302C310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03050310 mov ecx, dword ptr fs:[00000030h]1_2_03050310
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B2349 mov eax, dword ptr fs:[00000030h]1_2_030B2349
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]1_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]1_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]1_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B035C mov ecx, dword ptr fs:[00000030h]1_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]1_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B035C mov eax, dword ptr fs:[00000030h]1_2_030B035C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FA352 mov eax, dword ptr fs:[00000030h]1_2_030FA352
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D8350 mov ecx, dword ptr fs:[00000030h]1_2_030D8350
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D437C mov eax, dword ptr fs:[00000030h]1_2_030D437C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h]1_2_0302E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h]1_2_0302E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302E388 mov eax, dword ptr fs:[00000030h]1_2_0302E388
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305438F mov eax, dword ptr fs:[00000030h]1_2_0305438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305438F mov eax, dword ptr fs:[00000030h]1_2_0305438F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03028397 mov eax, dword ptr fs:[00000030h]1_2_03028397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03028397 mov eax, dword ptr fs:[00000030h]1_2_03028397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03028397 mov eax, dword ptr fs:[00000030h]1_2_03028397
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030EC3CD mov eax, dword ptr fs:[00000030h]1_2_030EC3CD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]1_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]1_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]1_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]1_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]1_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A3C0 mov eax, dword ptr fs:[00000030h]1_2_0303A3C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h]1_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h]1_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h]1_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030383C0 mov eax, dword ptr fs:[00000030h]1_2_030383C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B63C0 mov eax, dword ptr fs:[00000030h]1_2_030B63C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DE3DB mov eax, dword ptr fs:[00000030h]1_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DE3DB mov eax, dword ptr fs:[00000030h]1_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DE3DB mov ecx, dword ptr fs:[00000030h]1_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DE3DB mov eax, dword ptr fs:[00000030h]1_2_030DE3DB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D43D4 mov eax, dword ptr fs:[00000030h]1_2_030D43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D43D4 mov eax, dword ptr fs:[00000030h]1_2_030D43D4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]1_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]1_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]1_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]1_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]1_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]1_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]1_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030403E9 mov eax, dword ptr fs:[00000030h]1_2_030403E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h]1_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h]1_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E3F0 mov eax, dword ptr fs:[00000030h]1_2_0304E3F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030663FF mov eax, dword ptr fs:[00000030h]1_2_030663FF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302823B mov eax, dword ptr fs:[00000030h]1_2_0302823B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B8243 mov eax, dword ptr fs:[00000030h]1_2_030B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B8243 mov ecx, dword ptr fs:[00000030h]1_2_030B8243
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302A250 mov eax, dword ptr fs:[00000030h]1_2_0302A250
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036259 mov eax, dword ptr fs:[00000030h]1_2_03036259
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03034260 mov eax, dword ptr fs:[00000030h]1_2_03034260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03034260 mov eax, dword ptr fs:[00000030h]1_2_03034260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03034260 mov eax, dword ptr fs:[00000030h]1_2_03034260
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302826B mov eax, dword ptr fs:[00000030h]1_2_0302826B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E0274 mov eax, dword ptr fs:[00000030h]1_2_030E0274
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E284 mov eax, dword ptr fs:[00000030h]1_2_0306E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E284 mov eax, dword ptr fs:[00000030h]1_2_0306E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h]1_2_030B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h]1_2_030B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B0283 mov eax, dword ptr fs:[00000030h]1_2_030B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030402A0 mov eax, dword ptr fs:[00000030h]1_2_030402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030402A0 mov eax, dword ptr fs:[00000030h]1_2_030402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]1_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C62A0 mov ecx, dword ptr fs:[00000030h]1_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]1_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]1_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]1_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C62A0 mov eax, dword ptr fs:[00000030h]1_2_030C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]1_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]1_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]1_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]1_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A2C3 mov eax, dword ptr fs:[00000030h]1_2_0303A2C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h]1_2_030402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h]1_2_030402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030402E1 mov eax, dword ptr fs:[00000030h]1_2_030402E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h]1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h]1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h]1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DE10E mov eax, dword ptr fs:[00000030h]1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DE10E mov ecx, dword ptr fs:[00000030h]1_2_030DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DA118 mov ecx, dword ptr fs:[00000030h]1_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h]1_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h]1_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DA118 mov eax, dword ptr fs:[00000030h]1_2_030DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F0115 mov eax, dword ptr fs:[00000030h]1_2_030F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03060124 mov eax, dword ptr fs:[00000030h]1_2_03060124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]1_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]1_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C4144 mov ecx, dword ptr fs:[00000030h]1_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]1_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C4144 mov eax, dword ptr fs:[00000030h]1_2_030C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302C156 mov eax, dword ptr fs:[00000030h]1_2_0302C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C8158 mov eax, dword ptr fs:[00000030h]1_2_030C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036154 mov eax, dword ptr fs:[00000030h]1_2_03036154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036154 mov eax, dword ptr fs:[00000030h]1_2_03036154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03070185 mov eax, dword ptr fs:[00000030h]1_2_03070185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030EC188 mov eax, dword ptr fs:[00000030h]1_2_030EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030EC188 mov eax, dword ptr fs:[00000030h]1_2_030EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D4180 mov eax, dword ptr fs:[00000030h]1_2_030D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D4180 mov eax, dword ptr fs:[00000030h]1_2_030D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]1_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]1_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]1_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B019F mov eax, dword ptr fs:[00000030h]1_2_030B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h]1_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h]1_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302A197 mov eax, dword ptr fs:[00000030h]1_2_0302A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F61C3 mov eax, dword ptr fs:[00000030h]1_2_030F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F61C3 mov eax, dword ptr fs:[00000030h]1_2_030F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]1_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]1_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE1D0 mov ecx, dword ptr fs:[00000030h]1_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]1_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE1D0 mov eax, dword ptr fs:[00000030h]1_2_030AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_031061E5 mov eax, dword ptr fs:[00000030h]1_2_031061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030601F8 mov eax, dword ptr fs:[00000030h]1_2_030601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B4000 mov ecx, dword ptr fs:[00000030h]1_2_030B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D2000 mov eax, dword ptr fs:[00000030h]1_2_030D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]1_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]1_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]1_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E016 mov eax, dword ptr fs:[00000030h]1_2_0304E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302A020 mov eax, dword ptr fs:[00000030h]1_2_0302A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302C020 mov eax, dword ptr fs:[00000030h]1_2_0302C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C6030 mov eax, dword ptr fs:[00000030h]1_2_030C6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03032050 mov eax, dword ptr fs:[00000030h]1_2_03032050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6050 mov eax, dword ptr fs:[00000030h]1_2_030B6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305C073 mov eax, dword ptr fs:[00000030h]1_2_0305C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303208A mov eax, dword ptr fs:[00000030h]1_2_0303208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C80A8 mov eax, dword ptr fs:[00000030h]1_2_030C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F60B8 mov eax, dword ptr fs:[00000030h]1_2_030F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F60B8 mov ecx, dword ptr fs:[00000030h]1_2_030F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B20DE mov eax, dword ptr fs:[00000030h]1_2_030B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0302A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030380E9 mov eax, dword ptr fs:[00000030h]1_2_030380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B60E0 mov eax, dword ptr fs:[00000030h]1_2_030B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302C0F0 mov eax, dword ptr fs:[00000030h]1_2_0302C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030720F0 mov ecx, dword ptr fs:[00000030h]1_2_030720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C700 mov eax, dword ptr fs:[00000030h]1_2_0306C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03030710 mov eax, dword ptr fs:[00000030h]1_2_03030710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03060710 mov eax, dword ptr fs:[00000030h]1_2_03060710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C720 mov eax, dword ptr fs:[00000030h]1_2_0306C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C720 mov eax, dword ptr fs:[00000030h]1_2_0306C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306273C mov eax, dword ptr fs:[00000030h]1_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306273C mov ecx, dword ptr fs:[00000030h]1_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306273C mov eax, dword ptr fs:[00000030h]1_2_0306273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AC730 mov eax, dword ptr fs:[00000030h]1_2_030AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306674D mov esi, dword ptr fs:[00000030h]1_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306674D mov eax, dword ptr fs:[00000030h]1_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306674D mov eax, dword ptr fs:[00000030h]1_2_0306674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03030750 mov eax, dword ptr fs:[00000030h]1_2_03030750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BE75D mov eax, dword ptr fs:[00000030h]1_2_030BE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072750 mov eax, dword ptr fs:[00000030h]1_2_03072750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072750 mov eax, dword ptr fs:[00000030h]1_2_03072750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B4755 mov eax, dword ptr fs:[00000030h]1_2_030B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038770 mov eax, dword ptr fs:[00000030h]1_2_03038770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040770 mov eax, dword ptr fs:[00000030h]1_2_03040770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D678E mov eax, dword ptr fs:[00000030h]1_2_030D678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030307AF mov eax, dword ptr fs:[00000030h]1_2_030307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E47A0 mov eax, dword ptr fs:[00000030h]1_2_030E47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303C7C0 mov eax, dword ptr fs:[00000030h]1_2_0303C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B07C3 mov eax, dword ptr fs:[00000030h]1_2_030B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]1_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]1_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030527ED mov eax, dword ptr fs:[00000030h]1_2_030527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BE7E1 mov eax, dword ptr fs:[00000030h]1_2_030BE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030347FB mov eax, dword ptr fs:[00000030h]1_2_030347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030347FB mov eax, dword ptr fs:[00000030h]1_2_030347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE609 mov eax, dword ptr fs:[00000030h]1_2_030AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304260B mov eax, dword ptr fs:[00000030h]1_2_0304260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03072619 mov eax, dword ptr fs:[00000030h]1_2_03072619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304E627 mov eax, dword ptr fs:[00000030h]1_2_0304E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03066620 mov eax, dword ptr fs:[00000030h]1_2_03066620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068620 mov eax, dword ptr fs:[00000030h]1_2_03068620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303262C mov eax, dword ptr fs:[00000030h]1_2_0303262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0304C640 mov eax, dword ptr fs:[00000030h]1_2_0304C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F866E mov eax, dword ptr fs:[00000030h]1_2_030F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F866E mov eax, dword ptr fs:[00000030h]1_2_030F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A660 mov eax, dword ptr fs:[00000030h]1_2_0306A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A660 mov eax, dword ptr fs:[00000030h]1_2_0306A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03062674 mov eax, dword ptr fs:[00000030h]1_2_03062674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03034690 mov eax, dword ptr fs:[00000030h]1_2_03034690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03034690 mov eax, dword ptr fs:[00000030h]1_2_03034690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C6A6 mov eax, dword ptr fs:[00000030h]1_2_0306C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030666B0 mov eax, dword ptr fs:[00000030h]1_2_030666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0306A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A6C7 mov eax, dword ptr fs:[00000030h]1_2_0306A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]1_2_030AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]1_2_030AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]1_2_030AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE6F2 mov eax, dword ptr fs:[00000030h]1_2_030AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B06F1 mov eax, dword ptr fs:[00000030h]1_2_030B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B06F1 mov eax, dword ptr fs:[00000030h]1_2_030B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C6500 mov eax, dword ptr fs:[00000030h]1_2_030C6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104500 mov eax, dword ptr fs:[00000030h]1_2_03104500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040535 mov eax, dword ptr fs:[00000030h]1_2_03040535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E53E mov eax, dword ptr fs:[00000030h]1_2_0305E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038550 mov eax, dword ptr fs:[00000030h]1_2_03038550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038550 mov eax, dword ptr fs:[00000030h]1_2_03038550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]1_2_0306656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]1_2_0306656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306656A mov eax, dword ptr fs:[00000030h]1_2_0306656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03032582 mov eax, dword ptr fs:[00000030h]1_2_03032582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03032582 mov ecx, dword ptr fs:[00000030h]1_2_03032582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03064588 mov eax, dword ptr fs:[00000030h]1_2_03064588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E59C mov eax, dword ptr fs:[00000030h]1_2_0306E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]1_2_030B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]1_2_030B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B05A7 mov eax, dword ptr fs:[00000030h]1_2_030B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030545B1 mov eax, dword ptr fs:[00000030h]1_2_030545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030545B1 mov eax, dword ptr fs:[00000030h]1_2_030545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E5CF mov eax, dword ptr fs:[00000030h]1_2_0306E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E5CF mov eax, dword ptr fs:[00000030h]1_2_0306E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030365D0 mov eax, dword ptr fs:[00000030h]1_2_030365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A5D0 mov eax, dword ptr fs:[00000030h]1_2_0306A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A5D0 mov eax, dword ptr fs:[00000030h]1_2_0306A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E5E7 mov eax, dword ptr fs:[00000030h]1_2_0305E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030325E0 mov eax, dword ptr fs:[00000030h]1_2_030325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C5ED mov eax, dword ptr fs:[00000030h]1_2_0306C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C5ED mov eax, dword ptr fs:[00000030h]1_2_0306C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]1_2_03068402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]1_2_03068402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068402 mov eax, dword ptr fs:[00000030h]1_2_03068402
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]1_2_0302E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]1_2_0302E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302E420 mov eax, dword ptr fs:[00000030h]1_2_0302E420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302C427 mov eax, dword ptr fs:[00000030h]1_2_0302C427
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B6420 mov eax, dword ptr fs:[00000030h]1_2_030B6420
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A430 mov eax, dword ptr fs:[00000030h]1_2_0306A430
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306E443 mov eax, dword ptr fs:[00000030h]1_2_0306E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302645D mov eax, dword ptr fs:[00000030h]1_2_0302645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305245A mov eax, dword ptr fs:[00000030h]1_2_0305245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BC460 mov ecx, dword ptr fs:[00000030h]1_2_030BC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]1_2_0305A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]1_2_0305A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305A470 mov eax, dword ptr fs:[00000030h]1_2_0305A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030364AB mov eax, dword ptr fs:[00000030h]1_2_030364AB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030644B0 mov ecx, dword ptr fs:[00000030h]1_2_030644B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BA4B0 mov eax, dword ptr fs:[00000030h]1_2_030BA4B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030304E5 mov ecx, dword ptr fs:[00000030h]1_2_030304E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AEB1D mov eax, dword ptr fs:[00000030h]1_2_030AEB1D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305EB20 mov eax, dword ptr fs:[00000030h]1_2_0305EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305EB20 mov eax, dword ptr fs:[00000030h]1_2_0305EB20
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F8B28 mov eax, dword ptr fs:[00000030h]1_2_030F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030F8B28 mov eax, dword ptr fs:[00000030h]1_2_030F8B28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C6B40 mov eax, dword ptr fs:[00000030h]1_2_030C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C6B40 mov eax, dword ptr fs:[00000030h]1_2_030C6B40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FAB40 mov eax, dword ptr fs:[00000030h]1_2_030FAB40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D8B42 mov eax, dword ptr fs:[00000030h]1_2_030D8B42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DEB50 mov eax, dword ptr fs:[00000030h]1_2_030DEB50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302CB7E mov eax, dword ptr fs:[00000030h]1_2_0302CB7E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040BBE mov eax, dword ptr fs:[00000030h]1_2_03040BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040BBE mov eax, dword ptr fs:[00000030h]1_2_03040BBE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E4BB0 mov eax, dword ptr fs:[00000030h]1_2_030E4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E4BB0 mov eax, dword ptr fs:[00000030h]1_2_030E4BB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03050BCB mov eax, dword ptr fs:[00000030h]1_2_03050BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03050BCB mov eax, dword ptr fs:[00000030h]1_2_03050BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03050BCB mov eax, dword ptr fs:[00000030h]1_2_03050BCB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03030BCD mov eax, dword ptr fs:[00000030h]1_2_03030BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03030BCD mov eax, dword ptr fs:[00000030h]1_2_03030BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03030BCD mov eax, dword ptr fs:[00000030h]1_2_03030BCD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DEBD0 mov eax, dword ptr fs:[00000030h]1_2_030DEBD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038BF0 mov eax, dword ptr fs:[00000030h]1_2_03038BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038BF0 mov eax, dword ptr fs:[00000030h]1_2_03038BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038BF0 mov eax, dword ptr fs:[00000030h]1_2_03038BF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305EBFC mov eax, dword ptr fs:[00000030h]1_2_0305EBFC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BCBF0 mov eax, dword ptr fs:[00000030h]1_2_030BCBF0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BCA11 mov eax, dword ptr fs:[00000030h]1_2_030BCA11
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306CA24 mov eax, dword ptr fs:[00000030h]1_2_0306CA24
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305EA2E mov eax, dword ptr fs:[00000030h]1_2_0305EA2E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03054A35 mov eax, dword ptr fs:[00000030h]1_2_03054A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03054A35 mov eax, dword ptr fs:[00000030h]1_2_03054A35
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306CA38 mov eax, dword ptr fs:[00000030h]1_2_0306CA38
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03036A50 mov eax, dword ptr fs:[00000030h]1_2_03036A50
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040A5B mov eax, dword ptr fs:[00000030h]1_2_03040A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03040A5B mov eax, dword ptr fs:[00000030h]1_2_03040A5B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306CA6F mov eax, dword ptr fs:[00000030h]1_2_0306CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306CA6F mov eax, dword ptr fs:[00000030h]1_2_0306CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306CA6F mov eax, dword ptr fs:[00000030h]1_2_0306CA6F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030DEA60 mov eax, dword ptr fs:[00000030h]1_2_030DEA60
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030ACA72 mov eax, dword ptr fs:[00000030h]1_2_030ACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030ACA72 mov eax, dword ptr fs:[00000030h]1_2_030ACA72
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303EA80 mov eax, dword ptr fs:[00000030h]1_2_0303EA80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03104A80 mov eax, dword ptr fs:[00000030h]1_2_03104A80
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03068A90 mov edx, dword ptr fs:[00000030h]1_2_03068A90
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038AA0 mov eax, dword ptr fs:[00000030h]1_2_03038AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03038AA0 mov eax, dword ptr fs:[00000030h]1_2_03038AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03086AA4 mov eax, dword ptr fs:[00000030h]1_2_03086AA4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03086ACC mov eax, dword ptr fs:[00000030h]1_2_03086ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03086ACC mov eax, dword ptr fs:[00000030h]1_2_03086ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03086ACC mov eax, dword ptr fs:[00000030h]1_2_03086ACC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03030AD0 mov eax, dword ptr fs:[00000030h]1_2_03030AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03064AD0 mov eax, dword ptr fs:[00000030h]1_2_03064AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03064AD0 mov eax, dword ptr fs:[00000030h]1_2_03064AD0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306AAEE mov eax, dword ptr fs:[00000030h]1_2_0306AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306AAEE mov eax, dword ptr fs:[00000030h]1_2_0306AAEE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE908 mov eax, dword ptr fs:[00000030h]1_2_030AE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030AE908 mov eax, dword ptr fs:[00000030h]1_2_030AE908
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BC912 mov eax, dword ptr fs:[00000030h]1_2_030BC912
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03028918 mov eax, dword ptr fs:[00000030h]1_2_03028918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03028918 mov eax, dword ptr fs:[00000030h]1_2_03028918
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B892A mov eax, dword ptr fs:[00000030h]1_2_030B892A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C892B mov eax, dword ptr fs:[00000030h]1_2_030C892B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B0946 mov eax, dword ptr fs:[00000030h]1_2_030B0946
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03056962 mov eax, dword ptr fs:[00000030h]1_2_03056962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03056962 mov eax, dword ptr fs:[00000030h]1_2_03056962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03056962 mov eax, dword ptr fs:[00000030h]1_2_03056962
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0307096E mov eax, dword ptr fs:[00000030h]1_2_0307096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0307096E mov edx, dword ptr fs:[00000030h]1_2_0307096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0307096E mov eax, dword ptr fs:[00000030h]1_2_0307096E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D4978 mov eax, dword ptr fs:[00000030h]1_2_030D4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D4978 mov eax, dword ptr fs:[00000030h]1_2_030D4978
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BC97C mov eax, dword ptr fs:[00000030h]1_2_030BC97C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030429A0 mov eax, dword ptr fs:[00000030h]1_2_030429A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030309AD mov eax, dword ptr fs:[00000030h]1_2_030309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030309AD mov eax, dword ptr fs:[00000030h]1_2_030309AD
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B89B3 mov esi, dword ptr fs:[00000030h]1_2_030B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B89B3 mov eax, dword ptr fs:[00000030h]1_2_030B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B89B3 mov eax, dword ptr fs:[00000030h]1_2_030B89B3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C69C0 mov eax, dword ptr fs:[00000030h]1_2_030C69C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]1_2_0303A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]1_2_0303A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]1_2_0303A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]1_2_0303A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]1_2_0303A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0303A9D0 mov eax, dword ptr fs:[00000030h]1_2_0303A9D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030649D0 mov eax, dword ptr fs:[00000030h]1_2_030649D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FA9D3 mov eax, dword ptr fs:[00000030h]1_2_030FA9D3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BE9E0 mov eax, dword ptr fs:[00000030h]1_2_030BE9E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030629F9 mov eax, dword ptr fs:[00000030h]1_2_030629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030629F9 mov eax, dword ptr fs:[00000030h]1_2_030629F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BC810 mov eax, dword ptr fs:[00000030h]1_2_030BC810
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]1_2_03052835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]1_2_03052835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]1_2_03052835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03052835 mov ecx, dword ptr fs:[00000030h]1_2_03052835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]1_2_03052835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03052835 mov eax, dword ptr fs:[00000030h]1_2_03052835
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306A830 mov eax, dword ptr fs:[00000030h]1_2_0306A830
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D483A mov eax, dword ptr fs:[00000030h]1_2_030D483A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D483A mov eax, dword ptr fs:[00000030h]1_2_030D483A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03042840 mov ecx, dword ptr fs:[00000030h]1_2_03042840
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03060854 mov eax, dword ptr fs:[00000030h]1_2_03060854
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03034859 mov eax, dword ptr fs:[00000030h]1_2_03034859
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03034859 mov eax, dword ptr fs:[00000030h]1_2_03034859
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BE872 mov eax, dword ptr fs:[00000030h]1_2_030BE872
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BE872 mov eax, dword ptr fs:[00000030h]1_2_030BE872
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C6870 mov eax, dword ptr fs:[00000030h]1_2_030C6870
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030C6870 mov eax, dword ptr fs:[00000030h]1_2_030C6870
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03030887 mov eax, dword ptr fs:[00000030h]1_2_03030887
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030BC89D mov eax, dword ptr fs:[00000030h]1_2_030BC89D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305E8C0 mov eax, dword ptr fs:[00000030h]1_2_0305E8C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030FA8E4 mov eax, dword ptr fs:[00000030h]1_2_030FA8E4
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C8F9 mov eax, dword ptr fs:[00000030h]1_2_0306C8F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306C8F9 mov eax, dword ptr fs:[00000030h]1_2_0306C8F9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030E6F00 mov eax, dword ptr fs:[00000030h]1_2_030E6F00
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03032F12 mov eax, dword ptr fs:[00000030h]1_2_03032F12
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0306CF1F mov eax, dword ptr fs:[00000030h]1_2_0306CF1F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0305EF28 mov eax, dword ptr fs:[00000030h]1_2_0305EF28
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B4F40 mov eax, dword ptr fs:[00000030h]1_2_030B4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B4F40 mov eax, dword ptr fs:[00000030h]1_2_030B4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B4F40 mov eax, dword ptr fs:[00000030h]1_2_030B4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030B4F40 mov eax, dword ptr fs:[00000030h]1_2_030B4F40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_030D4F42 mov eax, dword ptr fs:[00000030h]1_2_030D4F42
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0302CF50 mov eax, dword ptr fs:[00000030h]1_2_0302CF50
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001981F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_001981F7
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_0016A364 SetUnhandledExceptionFilter,0_2_0016A364
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_0016A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0016A395

          HIPS / PFW / Operating System Protection Evasion

          barindex
          Maps a DLL or memory area into another process
          Source: C:\Users\user\Desktop\Salary_Receipt.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
          Writes to foreign memory regions
          Source: C:\Users\user\Desktop\Salary_Receipt.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2BF008Jump to behavior
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00198C93 LogonUserW,0_2_00198C93
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00143B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_00143B4C
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00144A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_00144A35
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001A4EC9 mouse_event,0_2_001A4EC9
          Source: C:\Users\user\Desktop\Salary_Receipt.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Salary_Receipt.exe"Jump to behavior
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001981F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_001981F7
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001A4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_001A4C03
          Source: Salary_Receipt.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: Salary_Receipt.exeBinary or memory string: Shell_TrayWnd
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_0016886B cpuid 0_2_0016886B
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001750D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,0_2_001750D7
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00182230 GetUserNameW,0_2_00182230
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_0017418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_0017418A
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_00144AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_00144AFE

          Stealing of Sensitive Information

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 1.2.svchost.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.svchost.exe.4d0000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.2202769937.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.2202978487.0000000002D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Salary_Receipt.exeBinary or memory string: WIN_81
          Source: Salary_Receipt.exeBinary or memory string: WIN_XP
          Source: Salary_Receipt.exeBinary or memory string: WIN_XPe
          Source: Salary_Receipt.exeBinary or memory string: WIN_VISTA
          Source: Salary_Receipt.exeBinary or memory string: WIN_7
          Source: Salary_Receipt.exeBinary or memory string: WIN_8
          Source: Salary_Receipt.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

          Remote Access Functionality

          barindex
          Yara detected FormBook
          Source: Yara matchFile source: 1.2.svchost.exe.4d0000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 1.2.svchost.exe.4d0000.0.unpack, type: UNPACKEDPE
          Source: Yara matchFile source: 00000001.00000002.2202769937.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000001.00000002.2202978487.0000000002D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001B6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,0_2_001B6596
          Source: C:\Users\user\Desktop\Salary_Receipt.exeCode function: 0_2_001B6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_001B6A5A

          Mitre Att&ck Matrix

          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
          Gather Victim Identity InformationAcquire Infrastructure2
          Valid Accounts          		1
          Native API          		2
          Valid Accounts          		2
          Valid Accounts          		2
          Valid Accounts          		21
          Input Capture          		2
          System Time Discovery          		Remote Services21
          Input Capture          		1
          Encrypted Channel          		Exfiltration Over Other Network Medium1
          System Shutdown/Reboot
          CredentialsDomainsDefault AccountsScheduled Task/Job1
          DLL Side-Loading          		1
          Exploitation for Privilege Escalation          		1
          Disable or Modify Tools          		LSASS Memory15
          Security Software Discovery          		Remote Desktop Protocol1
          Archive Collected Data          		1
          Ingress Tool Transfer          		Exfiltration Over BluetoothNetwork Denial of Service
          Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)21
          Access Token Manipulation          		2
          Virtualization/Sandbox Evasion          		Security Account Manager2
          Virtualization/Sandbox Evasion          		SMB/Windows Admin Shares3
          Clipboard Data          		SteganographyAutomated ExfiltrationData Encrypted for Impact
          Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook212
          Process Injection          		21
          Access Token Manipulation          		NTDS3
          Process Discovery          		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script1
          DLL Side-Loading          		212
          Process Injection          		LSA Secrets1
          Application Window Discovery          		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
          Deobfuscate/Decode Files or Information          		Cached Domain Credentials1
          Account Discovery          		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
          Obfuscated Files or Information          		DCSync1
          System Owner/User Discovery          		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
          DLL Side-Loading          		Proc Filesystem1
          File and Directory Discovery          		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow115
          System Information Discovery          		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

          Behavior Graph

          Hide Legend

          Legend:

          • Process
          • Signature
          • Created File
          • DNS/IP Info
          • Is Dropped
          • Is Windows Process
          • Number of created Registry Values
          • Number of created Files
          • Visual Basic
          • Delphi
          • Java
          • .Net C# or VB.NET
          • C, C++ or other language
          • Is malicious
          • Internet

          Screenshots

          Thumbnails

          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


          windows-stand

          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          SourceDetectionScannerLabelLink
          Salary_Receipt.exe34%ReversingLabs
          Salary_Receipt.exe100%Joe Sandbox ML

          Dropped Files

          No Antivirus matches

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          No Antivirus matches

          Domains and IPs

          Contacted Domains

          No contacted domains info

          World Map of Contacted IPs

          No contacted IP infos

          General Information

          Joe Sandbox version:41.0.0 Charoite
          Analysis ID:1561150
          Start date and time:2024-11-22 20:24:05 +01:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 5m 22s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:5
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:Salary_Receipt.exe
          Detection:MAL
          Classification:mal84.troj.evad.winEXE@3/2@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 99%
          • Number of executed functions: 49
          • Number of non-executed functions: 274
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Stop behavior analysis, all processes terminated

          Warnings

          • Exclude process from analysis (whitelisted): MpCmdRun.exe, SIHClient.exe, conhost.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
          • Not all processes where analyzed, report is missing behavior information
          • Report size exceeded maximum capacity and may have missing disassembly code.
          • VT rate limit hit for: Salary_Receipt.exe

          Simulations

          Behavior and APIs

          TimeTypeDescription
          14:25:48API Interceptor3x Sleep call for process: svchost.exe modified

          Joe Sandbox View / Context

          IPs

          No context

          Domains

          No context

          ASNs

          No context

          JA3 Fingerprints

          No context

          Dropped Files

          No context

          Created / dropped Files

          C:\Users\user\AppData\Local\Temp\Maianthemum

          Download File
          Process:C:\Users\user\Desktop\Salary_Receipt.exe
          File Type:data
          Category:dropped
          Size (bytes):289792
          Entropy (8bit):7.9910645089588295
          Encrypted:true
          SSDEEP:6144:KEkcGHBeDQAT5VxfLDVf+MS+Lf+7tvCm4:KEohejvvZHDbOtvCr
          MD5:408A5EC1F110188E8E21593DD50900A6
          SHA1:B0C4D492BA2DF8DB21535294E8A2A231847F0B8B
          SHA-256:9DF8C4DC27FCA123110DCD510C14F03058632CB2A761C3028436B8016D8A50B2
          SHA-512:94A20041DBA945DB7FC179C0BF2B4498E10CFE0645946E7A0788727D209EA4D35485534FBFCD891B1B79842ED85E4638D8A5A966F02121960A11D6B8F57E2D6C
          Malicious:false
          Reputation:low
          Preview:x..34DQCB55R..7D.CF55RQ3wDQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF5.RQ39[.MF.<.p.6..b.]\!qCE+61'X.10]Y+%c$P. $].-?c.zfr<\S!.NK?.RQ37DQC?4<.lSP.l#!..26.-...|UR.K...m#!./....$6..\V:lSP.QCF55RQ3g.QC.44R.(].QCF55RQ3.DSBM4>RQi3DQCF55RQ3.PQCF%5RQC3DQC.55BQ37FQC@55RQ37DWCF55RQ374UCF75RQ37DSC..5RA37TQCF5%RQ#7DQCF5%RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55R.GR<%CF5A.U37TQCFo1RQ#7DQCF55RQ37DQCf552Q37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF5

          C:\Users\user\AppData\Local\Temp\aut72C7.tmp

          Download File
          Process:C:\Users\user\Desktop\Salary_Receipt.exe
          File Type:data
          Category:dropped
          Size (bytes):289792
          Entropy (8bit):7.9910645089588295
          Encrypted:true
          SSDEEP:6144:KEkcGHBeDQAT5VxfLDVf+MS+Lf+7tvCm4:KEohejvvZHDbOtvCr
          MD5:408A5EC1F110188E8E21593DD50900A6
          SHA1:B0C4D492BA2DF8DB21535294E8A2A231847F0B8B
          SHA-256:9DF8C4DC27FCA123110DCD510C14F03058632CB2A761C3028436B8016D8A50B2
          SHA-512:94A20041DBA945DB7FC179C0BF2B4498E10CFE0645946E7A0788727D209EA4D35485534FBFCD891B1B79842ED85E4638D8A5A966F02121960A11D6B8F57E2D6C
          Malicious:false
          Reputation:low
          Preview:x..34DQCB55R..7D.CF55RQ3wDQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF5.RQ39[.MF.<.p.6..b.]\!qCE+61'X.10]Y+%c$P. $].-?c.zfr<\S!.NK?.RQ37DQC?4<.lSP.l#!..26.-...|UR.K...m#!./....$6..\V:lSP.QCF55RQ3g.QC.44R.(].QCF55RQ3.DSBM4>RQi3DQCF55RQ3.PQCF%5RQC3DQC.55BQ37FQC@55RQ37DWCF55RQ374UCF75RQ37DSC..5RA37TQCF5%RQ#7DQCF5%RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55R.GR<%CF5A.U37TQCFo1RQ#7DQCF55RQ37DQCf552Q37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF55RQ37DQCF5

          Static File Info

          General

          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.2006815532797
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:Salary_Receipt.exe
          File size:1'368'064 bytes
          MD5:08a71f36822c8207f16013ed296ff269
          SHA1:4b7bcd2c3246f98be32330a20892a28e998e4b19
          SHA256:003b578a15479fac58ada62d5bb903102d3d3113f530ce3c51cd10c28f479868
          SHA512:9afed6b147a13a83899a1f039de34fa26579bf3aff112e1bae9dc36c024542e6ce7c2556ff178cd9e8e885a30c8952888f0860e776a8201f927b4e06f8c1f678
          SSDEEP:24576:1AHnh+eWsN3skA4RV1Hom2KXMmHaO6GGVDL/8CMbyHa9AoodgPWo5:kh+ZkldoPK8YaO6GGx/tMbyzgPp
          TLSH:7F55CF82B3D18031FFAA92735B66BB25567F7D699433851F12883C74BDB11B2123E623
          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

          File Icon

          Icon Hash:3121090929212160

          Static PE Info

          General

          Entrypoint:0x42800a
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
          Time Stamp:0x674039F2 [Fri Nov 22 07:59:46 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:1
          File Version Major:5
          File Version Minor:1
          Subsystem Version Major:5
          Subsystem Version Minor:1
          Import Hash:afcdf79be1557326c854b6e20cb900a7

          Entrypoint Preview

          Instruction
          call 00007FED8C8B4FFDh
          jmp 00007FED8C8A7DB4h
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          int3
          push edi
          push esi
          mov esi, dword ptr [esp+10h]
          mov ecx, dword ptr [esp+14h]
          mov edi, dword ptr [esp+0Ch]
          mov eax, ecx
          mov edx, ecx
          add eax, esi
          cmp edi, esi
          jbe 00007FED8C8A7F3Ah
          cmp edi, eax
          jc 00007FED8C8A829Eh
          bt dword ptr [004C41FCh], 01h
          jnc 00007FED8C8A7F39h
          rep movsb
          jmp 00007FED8C8A824Ch
          cmp ecx, 00000080h
          jc 00007FED8C8A8104h
          mov eax, edi
          xor eax, esi
          test eax, 0000000Fh
          jne 00007FED8C8A7F40h
          bt dword ptr [004BF324h], 01h
          jc 00007FED8C8A8410h
          bt dword ptr [004C41FCh], 00000000h
          jnc 00007FED8C8A80DDh
          test edi, 00000003h
          jne 00007FED8C8A80EEh
          test esi, 00000003h
          jne 00007FED8C8A80CDh
          bt edi, 02h
          jnc 00007FED8C8A7F3Fh
          mov eax, dword ptr [esi]
          sub ecx, 04h
          lea esi, dword ptr [esi+04h]
          mov dword ptr [edi], eax
          lea edi, dword ptr [edi+04h]
          bt edi, 03h
          jnc 00007FED8C8A7F43h
          movq xmm1, qword ptr [esi]
          sub ecx, 08h
          lea esi, dword ptr [esi+08h]
          movq qword ptr [edi], xmm1
          lea edi, dword ptr [edi+08h]
          test esi, 00000007h
          je 00007FED8C8A7F95h
          bt esi, 03h

          Rich Headers

          Programming Language:
          • [ASM] VS2013 build 21005
          • [ C ] VS2013 build 21005
          • [C++] VS2013 build 21005
          • [ C ] VS2008 SP1 build 30729
          • [IMP] VS2008 SP1 build 30729
          • [ASM] VS2013 UPD5 build 40629
          • [RES] VS2013 build 21005
          • [LNK] VS2013 UPD5 build 40629

          Data Directories

          NameVirtual AddressVirtual Size Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IMPORT0xbc0cc0x17c.rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE0xc80000x8397c.rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
          IMAGE_DIRECTORY_ENTRY_BASERELOC0x14c0000x7134.reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG0x92bc00x1c.rdata
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
          IMAGE_DIRECTORY_ENTRY_TLS0x00x0
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0xa4b500x40.rdata
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_IAT0x8f0000x884.rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

          Sections

          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
          .text0x10000x8dfdd0x8e000310e36668512d53489c005622bb1b4a9False0.5735602580325704data6.675248351711057IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata0x8f0000x2fd8e0x2fe00748cf1ab2605ce1fd72d53d912abb68fFalse0.32828818537859006data5.763244005758284IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data0xbf0000x8f740x5200aae9601d920f07080bdfadf43dfeff12False0.1017530487804878data1.1963819235530628IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc0xc80000x8397c0x83a009719e0473e6d737b733d73d3d1018f23False0.865052602682811data7.657639937806841IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc0x14c0000x71340x7200f04128ad0f87f42830e4a6cdbc38c719False0.7617530153508771data6.783955557128661IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

          Resources

          NameRVASizeTypeLanguageCountryZLIB Complexity
          RT_ICON0xc85480x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.7466216216216216
          RT_ICON0xc86700x128Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colorsEnglishGreat Britain0.3277027027027027
          RT_ICON0xc87980x128Device independent bitmap graphic, 16 x 32 x 4, image size 192EnglishGreat Britain0.3885135135135135
          RT_ICON0xc88c00x468Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 5905 x 5905 px/mEnglishGreat Britain0.47606382978723405
          RT_ICON0xc8d280x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 5905 x 5905 px/mEnglishGreat Britain0.4120544090056285
          RT_ICON0xc9dd00x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 5905 x 5905 px/mEnglishGreat Britain0.37572614107883817
          RT_ICON0xcc3780x4228Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 5905 x 5905 px/mEnglishGreat Britain0.36254133207368916
          RT_ICON0xd05a00x10828Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 5905 x 5905 px/mEnglishGreat Britain0.339701880988998
          RT_ICON0xe0dc80x16c88PNG image data, 256 x 256, 8-bit/color RGBA, non-interlacedEnglishGreat Britain0.998692670381483
          RT_MENU0xf7a500x50dataEnglishGreat Britain0.9
          RT_STRING0xf7aa00x594dataEnglishGreat Britain0.3333333333333333
          RT_STRING0xf80340x68adataEnglishGreat Britain0.2747909199522103
          RT_STRING0xf86c00x490dataEnglishGreat Britain0.3715753424657534
          RT_STRING0xf8b500x5fcdataEnglishGreat Britain0.3087467362924282
          RT_STRING0xf914c0x65cdataEnglishGreat Britain0.34336609336609336
          RT_STRING0xf97a80x466dataEnglishGreat Britain0.3605683836589698
          RT_STRING0xf9c100x158Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0EnglishGreat Britain0.502906976744186
          RT_RCDATA0xf9d680x516afdata1.0003328465577368
          RT_GROUP_ICON0x14b4180x5adataEnglishGreat Britain0.7888888888888889
          RT_GROUP_ICON0x14b4740x14dataEnglishGreat Britain1.25
          RT_GROUP_ICON0x14b4880x14dataEnglishGreat Britain1.15
          RT_GROUP_ICON0x14b49c0x14dataEnglishGreat Britain1.25
          RT_VERSION0x14b4b00xdcdataEnglishGreat Britain0.6181818181818182
          RT_MANIFEST0x14b58c0x3efASCII text, with CRLF line terminatorsEnglishGreat Britain0.5074478649453823

          Imports

          DLLImport
          WSOCK32.dllWSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
          VERSION.dllGetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
          WINMM.dlltimeGetTime, waveOutSetVolume, mciSendStringW
          COMCTL32.dllImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
          MPR.dllWNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
          WININET.dllInternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
          PSAPI.DLLGetProcessMemoryInfo
          IPHLPAPI.DLLIcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
          USERENV.dllDestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
          UxTheme.dllIsThemeActive
          KERNEL32.dllDuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
          USER32.dllAdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
          GDI32.dllStrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
          COMDLG32.dllGetOpenFileNameW, GetSaveFileNameW
          ADVAPI32.dllGetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
          SHELL32.dllDragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
          ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
          OLEAUT32.dllLoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

          Possible Origin

          Language of compilation systemCountry where language is spokenMap
          EnglishGreat Britain

          Network Behavior

          No network behavior found

          Statistics

          CPU Usage

          Click to jump to process

          Memory Usage

          Click to jump to process

          High Level Behavior Distribution

          Click to dive into process behavior distribution

          Behavior

          Click to jump to process

          System Behavior

          General

          Target ID:0
          Start time:14:25:02
          Start date:22/11/2024
          Path:C:\Users\user\Desktop\Salary_Receipt.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\Salary_Receipt.exe"
          Imagebase:0x140000
          File size:1'368'064 bytes
          MD5 hash:08A71F36822C8207F16013ED296FF269
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          General

          Target ID:1
          Start time:14:25:03
          Start date:22/11/2024
          Path:C:\Windows\SysWOW64\svchost.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\Salary_Receipt.exe"
          Imagebase:0x6b0000
          File size:46'504 bytes
          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2202769937.00000000004D0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.2202978487.0000000002D00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          Reputation:high
          Has exited:true

          Disassembly

          Reset < >

            Execution Graph

            Execution Coverage:3.6%
            Dynamic/Decrypted Code Coverage:0.9%
            Signature Coverage:7.4%
            Total number of Nodes:1995
            Total number of Limit Nodes:29
            execution_graph 97468 141055 97473 142649 97468->97473 97483 1477c7 97473->97483 97478 142754 97479 14105a 97478->97479 97491 143416 59 API calls 2 library calls 97478->97491 97480 162f80 97479->97480 97537 162e84 97480->97537 97482 141064 97492 160ff6 97483->97492 97485 1477e8 97486 160ff6 Mailbox 59 API calls 97485->97486 97487 1426b7 97486->97487 97488 143582 97487->97488 97530 1435b0 97488->97530 97491->97478 97494 160ffe 97492->97494 97495 161018 97494->97495 97497 16101c std::exception::exception 97494->97497 97502 16594c 97494->97502 97519 1635e1 DecodePointer 97494->97519 97495->97485 97520 1687db RaiseException 97497->97520 97499 161046 97521 168711 58 API calls _free 97499->97521 97501 161058 97501->97485 97503 1659c7 97502->97503 97511 165958 97502->97511 97528 1635e1 DecodePointer 97503->97528 97505 1659cd 97529 168d68 58 API calls __getptd_noexit 97505->97529 97508 16598b RtlAllocateHeap 97509 1659bf 97508->97509 97508->97511 97509->97494 97511->97508 97512 1659b3 97511->97512 97513 165963 97511->97513 97517 1659b1 97511->97517 97525 1635e1 DecodePointer 97511->97525 97526 168d68 58 API calls __getptd_noexit 97512->97526 97513->97511 97522 16a3ab 58 API calls 2 library calls 97513->97522 97523 16a408 58 API calls 7 library calls 97513->97523 97524 1632df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 97513->97524 97527 168d68 58 API calls __getptd_noexit 97517->97527 97519->97494 97520->97499 97521->97501 97522->97513 97523->97513 97525->97511 97526->97517 97527->97509 97528->97505 97529->97509 97531 1435bd 97530->97531 97532 1435a1 97530->97532 97531->97532 97533 1435c4 RegOpenKeyExW 97531->97533 97532->97478 97533->97532 97534 1435de RegQueryValueExW 97533->97534 97535 143614 RegCloseKey 97534->97535 97536 1435ff 97534->97536 97535->97532 97536->97535 97538 162e90 __setmbcp 97537->97538 97545 163457 97538->97545 97544 162eb7 __setmbcp 97544->97482 97562 169e4b 97545->97562 97547 162e99 97548 162ec8 DecodePointer DecodePointer 97547->97548 97549 162ea5 97548->97549 97550 162ef5 97548->97550 97559 162ec2 97549->97559 97550->97549 97608 1689e4 59 API calls 2 library calls 97550->97608 97552 162f58 EncodePointer EncodePointer 97552->97549 97553 162f07 97553->97552 97554 162f2c 97553->97554 97609 168aa4 61 API calls __realloc_crt 97553->97609 97554->97549 97557 162f46 EncodePointer 97554->97557 97610 168aa4 61 API calls __realloc_crt 97554->97610 97557->97552 97558 162f40 97558->97549 97558->97557 97611 163460 97559->97611 97563 169e6f EnterCriticalSection 97562->97563 97564 169e5c 97562->97564 97563->97547 97569 169ed3 97564->97569 97566 169e62 97566->97563 97593 1632f5 58 API calls 3 library calls 97566->97593 97570 169edf __setmbcp 97569->97570 97571 169f00 97570->97571 97572 169ee8 97570->97572 97580 169f21 __setmbcp 97571->97580 97597 168a5d 58 API calls 2 library calls 97571->97597 97594 16a3ab 58 API calls 2 library calls 97572->97594 97574 169eed 97595 16a408 58 API calls 7 library calls 97574->97595 97577 169f15 97578 169f1c 97577->97578 97579 169f2b 97577->97579 97598 168d68 58 API calls __getptd_noexit 97578->97598 97583 169e4b __lock 58 API calls 97579->97583 97580->97566 97581 169ef4 97596 1632df GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 97581->97596 97585 169f32 97583->97585 97587 169f57 97585->97587 97588 169f3f 97585->97588 97600 162f95 97587->97600 97599 16a06b InitializeCriticalSectionAndSpinCount 97588->97599 97591 169f4b 97606 169f73 LeaveCriticalSection _doexit 97591->97606 97594->97574 97595->97581 97597->97577 97598->97580 97599->97591 97601 162f9e RtlFreeHeap 97600->97601 97602 162fc7 _free 97600->97602 97601->97602 97603 162fb3 97601->97603 97602->97591 97607 168d68 58 API calls __getptd_noexit 97603->97607 97605 162fb9 GetLastError 97605->97602 97606->97580 97607->97605 97608->97553 97609->97554 97610->97558 97614 169fb5 LeaveCriticalSection 97611->97614 97613 162ec7 97613->97544 97614->97613 97615 b123b0 97629 b10000 97615->97629 97617 b1245f 97632 b122a0 97617->97632 97619 b12488 CreateFileW 97621 b124dc 97619->97621 97624 b124d7 97619->97624 97622 b124f3 VirtualAlloc 97621->97622 97621->97624 97623 b12511 ReadFile 97622->97623 97622->97624 97623->97624 97625 b1252c 97623->97625 97626 b112a0 13 API calls 97625->97626 97627 b1255f 97626->97627 97628 b12582 ExitProcess 97627->97628 97628->97624 97635 b13490 GetPEB 97629->97635 97631 b1068b 97631->97617 97633 b122a9 Sleep 97632->97633 97634 b122b7 97633->97634 97636 b134ba 97635->97636 97636->97631 97637 184599 97641 19655c 97637->97641 97639 1845a4 97640 19655c 85 API calls 97639->97640 97640->97639 97646 196596 97641->97646 97649 196569 97641->97649 97642 196598 97680 149488 84 API calls Mailbox 97642->97680 97643 19659d 97652 149997 97643->97652 97646->97639 97649->97642 97649->97643 97649->97646 97650 196590 97649->97650 97679 149700 59 API calls _wcsstr 97650->97679 97653 1499b1 97652->97653 97654 1499ab 97652->97654 97655 17f9fc __i64tow 97653->97655 97656 1499f9 97653->97656 97658 1499b7 __itow 97653->97658 97661 17f903 97653->97661 97670 147c8e 97654->97670 97685 1638d8 83 API calls 4 library calls 97656->97685 97660 160ff6 Mailbox 59 API calls 97658->97660 97662 1499d1 97660->97662 97663 160ff6 Mailbox 59 API calls 97661->97663 97668 17f97b Mailbox _wcscpy 97661->97668 97662->97654 97681 147f41 97662->97681 97665 17f948 97663->97665 97666 160ff6 Mailbox 59 API calls 97665->97666 97667 17f96e 97666->97667 97667->97668 97669 147f41 59 API calls 97667->97669 97686 1638d8 83 API calls 4 library calls 97668->97686 97669->97668 97671 17f094 97670->97671 97672 147ca0 97670->97672 97693 198123 59 API calls _memmove 97671->97693 97687 147bb1 97672->97687 97675 147cac 97675->97646 97676 17f09e 97694 1481a7 97676->97694 97678 17f0a6 Mailbox 97679->97646 97680->97643 97682 147f50 __wsetenvp _memmove 97681->97682 97683 160ff6 Mailbox 59 API calls 97682->97683 97684 147f8e 97683->97684 97684->97654 97685->97658 97686->97655 97688 147be5 _memmove 97687->97688 97689 147bbf 97687->97689 97688->97675 97688->97688 97689->97688 97690 160ff6 Mailbox 59 API calls 97689->97690 97691 147c34 97690->97691 97692 160ff6 Mailbox 59 API calls 97691->97692 97692->97688 97693->97676 97695 1481b2 97694->97695 97696 1481ba 97694->97696 97698 1480d7 59 API calls 2 library calls 97695->97698 97696->97678 97698->97696 97699 141016 97704 144ad2 97699->97704 97702 162f80 __cinit 67 API calls 97703 141025 97702->97703 97705 160ff6 Mailbox 59 API calls 97704->97705 97706 144ada 97705->97706 97707 14101b 97706->97707 97711 144a94 97706->97711 97707->97702 97712 144a9d 97711->97712 97714 144aaf 97711->97714 97713 162f80 __cinit 67 API calls 97712->97713 97713->97714 97715 144afe 97714->97715 97716 1477c7 59 API calls 97715->97716 97717 144b16 GetVersionExW 97716->97717 97739 147d2c 97717->97739 97719 144b59 97729 144b86 97719->97729 97752 147e8c 97719->97752 97721 144b7a 97756 147886 97721->97756 97723 144bf1 GetCurrentProcess IsWow64Process 97724 144c0a 97723->97724 97726 144c20 97724->97726 97727 144c89 GetSystemInfo 97724->97727 97725 17dc8d 97748 144c95 97726->97748 97728 144c56 97727->97728 97728->97707 97729->97723 97729->97725 97732 144c32 97735 144c95 2 API calls 97732->97735 97733 144c7d GetSystemInfo 97734 144c47 97733->97734 97734->97728 97736 144c4d FreeLibrary 97734->97736 97737 144c3a GetNativeSystemInfo 97735->97737 97736->97728 97737->97734 97740 147da5 97739->97740 97741 147d38 __wsetenvp 97739->97741 97742 147e8c 59 API calls 97740->97742 97743 147d73 97741->97743 97744 147d4e 97741->97744 97747 147d56 _memmove 97742->97747 97761 148189 97743->97761 97760 148087 59 API calls Mailbox 97744->97760 97747->97719 97749 144c2e 97748->97749 97750 144c9e LoadLibraryA 97748->97750 97749->97732 97749->97733 97750->97749 97751 144caf GetProcAddress 97750->97751 97751->97749 97753 147e9a 97752->97753 97755 147ea3 _memmove 97752->97755 97753->97755 97764 147faf 97753->97764 97755->97721 97757 147894 97756->97757 97758 147e8c 59 API calls 97757->97758 97759 1478a4 97758->97759 97759->97729 97760->97747 97762 160ff6 Mailbox 59 API calls 97761->97762 97763 148193 97762->97763 97763->97747 97765 147fc2 97764->97765 97767 147fbf _memmove 97764->97767 97766 160ff6 Mailbox 59 API calls 97765->97766 97766->97767 97767->97755 97768 141066 97773 14f8cf 97768->97773 97770 14106c 97771 162f80 __cinit 67 API calls 97770->97771 97772 141076 97771->97772 97774 14f8f0 97773->97774 97806 160143 97774->97806 97778 14f937 97779 1477c7 59 API calls 97778->97779 97780 14f941 97779->97780 97781 1477c7 59 API calls 97780->97781 97782 14f94b 97781->97782 97783 1477c7 59 API calls 97782->97783 97784 14f955 97783->97784 97785 1477c7 59 API calls 97784->97785 97786 14f993 97785->97786 97787 1477c7 59 API calls 97786->97787 97788 14fa5e 97787->97788 97816 1560e7 97788->97816 97792 14fa90 97793 1477c7 59 API calls 97792->97793 97794 14fa9a 97793->97794 97844 15ffde 97794->97844 97796 14fae1 97797 14faf1 GetStdHandle 97796->97797 97798 14fb3d 97797->97798 97799 1849d5 97797->97799 97800 14fb45 OleInitialize 97798->97800 97799->97798 97801 1849de 97799->97801 97800->97770 97851 1a6dda 64 API calls Mailbox 97801->97851 97803 1849e5 97852 1a74a9 CreateThread 97803->97852 97805 1849f1 CloseHandle 97805->97800 97853 16021c 97806->97853 97809 16021c 59 API calls 97810 160185 97809->97810 97811 1477c7 59 API calls 97810->97811 97812 160191 97811->97812 97813 147d2c 59 API calls 97812->97813 97814 14f8f6 97813->97814 97815 1603a2 6 API calls 97814->97815 97815->97778 97817 1477c7 59 API calls 97816->97817 97818 1560f7 97817->97818 97819 1477c7 59 API calls 97818->97819 97820 1560ff 97819->97820 97860 155bfd 97820->97860 97823 155bfd 59 API calls 97824 15610f 97823->97824 97825 1477c7 59 API calls 97824->97825 97826 15611a 97825->97826 97827 160ff6 Mailbox 59 API calls 97826->97827 97828 14fa68 97827->97828 97829 156259 97828->97829 97830 156267 97829->97830 97831 1477c7 59 API calls 97830->97831 97832 156272 97831->97832 97833 1477c7 59 API calls 97832->97833 97834 15627d 97833->97834 97835 1477c7 59 API calls 97834->97835 97836 156288 97835->97836 97837 1477c7 59 API calls 97836->97837 97838 156293 97837->97838 97839 155bfd 59 API calls 97838->97839 97840 15629e 97839->97840 97841 160ff6 Mailbox 59 API calls 97840->97841 97842 1562a5 RegisterWindowMessageW 97841->97842 97842->97792 97845 195cc3 97844->97845 97846 15ffee 97844->97846 97863 1a9d71 60 API calls 97845->97863 97847 160ff6 Mailbox 59 API calls 97846->97847 97849 15fff6 97847->97849 97849->97796 97850 195cce 97851->97803 97852->97805 97864 1a748f 65 API calls 97852->97864 97854 1477c7 59 API calls 97853->97854 97855 160227 97854->97855 97856 1477c7 59 API calls 97855->97856 97857 16022f 97856->97857 97858 1477c7 59 API calls 97857->97858 97859 16017b 97858->97859 97859->97809 97861 1477c7 59 API calls 97860->97861 97862 155c05 97861->97862 97862->97823 97863->97850 97865 167e93 97866 167e9f __setmbcp 97865->97866 97902 16a048 GetStartupInfoW 97866->97902 97868 167ea4 97904 168dbc GetProcessHeap 97868->97904 97870 167efc 97871 167f07 97870->97871 97987 167fe3 58 API calls 3 library calls 97870->97987 97905 169d26 97871->97905 97874 167f0d 97875 167f18 __RTC_Initialize 97874->97875 97988 167fe3 58 API calls 3 library calls 97874->97988 97926 16d812 97875->97926 97878 167f27 97879 167f33 GetCommandLineW 97878->97879 97989 167fe3 58 API calls 3 library calls 97878->97989 97945 175173 GetEnvironmentStringsW 97879->97945 97882 167f32 97882->97879 97885 167f4d 97886 167f58 97885->97886 97990 1632f5 58 API calls 3 library calls 97885->97990 97955 174fa8 97886->97955 97889 167f5e 97890 167f69 97889->97890 97991 1632f5 58 API calls 3 library calls 97889->97991 97969 16332f 97890->97969 97893 167f71 97894 167f7c __wwincmdln 97893->97894 97992 1632f5 58 API calls 3 library calls 97893->97992 97975 14492e 97894->97975 97897 167f90 97898 167f9f 97897->97898 97993 163598 58 API calls _doexit 97897->97993 97994 163320 58 API calls _doexit 97898->97994 97901 167fa4 __setmbcp 97903 16a05e 97902->97903 97903->97868 97904->97870 97995 1633c7 EncodePointer 97905->97995 97907 169d2b 98000 169f7c 97907->98000 97910 169d34 98013 169d9c 61 API calls 2 library calls 97910->98013 97913 169d39 97913->97874 97915 169d51 98007 168a15 97915->98007 97918 169d93 98016 169d9c 61 API calls 2 library calls 97918->98016 97921 169d72 97921->97918 97923 169d78 97921->97923 97922 169d98 97922->97874 98015 169c73 58 API calls 4 library calls 97923->98015 97925 169d80 GetCurrentThreadId 97925->97874 97927 16d81e __setmbcp 97926->97927 97928 169e4b __lock 58 API calls 97927->97928 97929 16d825 97928->97929 97930 168a15 __calloc_crt 58 API calls 97929->97930 97931 16d836 97930->97931 97932 16d8a1 GetStartupInfoW 97931->97932 97933 16d841 @_EH4_CallFilterFunc@8 __setmbcp 97931->97933 97935 16d9e5 97932->97935 97937 16d8b6 97932->97937 97933->97878 97934 16daad 98032 16dabd LeaveCriticalSection _doexit 97934->98032 97935->97934 97939 16da32 GetStdHandle 97935->97939 97941 16da45 GetFileType 97935->97941 98031 16a06b InitializeCriticalSectionAndSpinCount 97935->98031 97937->97935 97938 168a15 __calloc_crt 58 API calls 97937->97938 97940 16d904 97937->97940 97938->97937 97939->97935 97940->97935 97942 16d938 GetFileType 97940->97942 98030 16a06b InitializeCriticalSectionAndSpinCount 97940->98030 97941->97935 97942->97940 97946 175184 97945->97946 97947 167f43 97945->97947 98033 168a5d 58 API calls 2 library calls 97946->98033 97951 174d6b GetModuleFileNameW 97947->97951 97949 1751aa _memmove 97950 1751c0 FreeEnvironmentStringsW 97949->97950 97950->97947 97952 174d9f _wparse_cmdline 97951->97952 97954 174ddf _wparse_cmdline 97952->97954 98034 168a5d 58 API calls 2 library calls 97952->98034 97954->97885 97956 174fb9 97955->97956 97958 174fc1 __wsetenvp 97955->97958 97956->97889 97957 168a15 __calloc_crt 58 API calls 97965 174fea __wsetenvp 97957->97965 97958->97957 97959 175041 97960 162f95 _free 58 API calls 97959->97960 97960->97956 97961 168a15 __calloc_crt 58 API calls 97961->97965 97962 175066 97963 162f95 _free 58 API calls 97962->97963 97963->97956 97965->97956 97965->97959 97965->97961 97965->97962 97966 17507d 97965->97966 98035 174857 58 API calls 2 library calls 97965->98035 98036 169006 IsProcessorFeaturePresent 97966->98036 97970 16333b __IsNonwritableInCurrentImage 97969->97970 98059 16a711 97970->98059 97972 163359 __initterm_e 97973 162f80 __cinit 67 API calls 97972->97973 97974 163378 _doexit __IsNonwritableInCurrentImage 97972->97974 97973->97974 97974->97893 97976 144948 97975->97976 97986 1449e7 97975->97986 97977 144982 IsThemeActive 97976->97977 98062 1635ac 97977->98062 97981 1449ae 98074 144a5b SystemParametersInfoW SystemParametersInfoW 97981->98074 97983 1449ba 98075 143b4c 97983->98075 97985 1449c2 SystemParametersInfoW 97985->97986 97986->97897 97987->97871 97988->97875 97989->97882 97993->97898 97994->97901 97996 1633d8 __init_pointers __initp_misc_winsig 97995->97996 98017 16a764 EncodePointer 97996->98017 97998 1633f0 __init_pointers 97999 16a0d9 34 API calls 97998->97999 97999->97907 98001 169f88 98000->98001 98003 169d30 98001->98003 98018 16a06b InitializeCriticalSectionAndSpinCount 98001->98018 98003->97910 98004 169fca 98003->98004 98005 169fe1 TlsAlloc 98004->98005 98006 169d46 98004->98006 98006->97910 98006->97915 98010 168a1c 98007->98010 98009 168a57 98009->97918 98014 16a026 TlsSetValue 98009->98014 98010->98009 98012 168a3a 98010->98012 98019 175446 98010->98019 98012->98009 98012->98010 98027 16a372 Sleep 98012->98027 98013->97913 98014->97921 98015->97925 98016->97922 98017->97998 98018->98001 98020 175451 98019->98020 98026 17546c 98019->98026 98021 17545d 98020->98021 98020->98026 98028 168d68 58 API calls __getptd_noexit 98021->98028 98022 17547c RtlAllocateHeap 98025 175462 98022->98025 98022->98026 98025->98010 98026->98022 98026->98025 98029 1635e1 DecodePointer 98026->98029 98027->98012 98028->98025 98029->98026 98030->97940 98031->97935 98032->97933 98033->97949 98034->97954 98035->97965 98037 169011 98036->98037 98042 168e99 98037->98042 98041 16902c 98041->97889 98043 168eb3 _memset __call_reportfault 98042->98043 98044 168ed3 IsDebuggerPresent 98043->98044 98050 16a395 SetUnhandledExceptionFilter UnhandledExceptionFilter 98044->98050 98047 168f97 __call_reportfault 98051 16c836 98047->98051 98048 168fba 98049 16a380 GetCurrentProcess TerminateProcess 98048->98049 98049->98041 98050->98047 98052 16c840 IsProcessorFeaturePresent 98051->98052 98053 16c83e 98051->98053 98055 175b5a 98052->98055 98053->98048 98058 175b09 5 API calls 2 library calls 98055->98058 98057 175c3d 98057->98048 98058->98057 98060 16a714 EncodePointer 98059->98060 98060->98060 98061 16a72e 98060->98061 98061->97972 98063 169e4b __lock 58 API calls 98062->98063 98064 1635b7 DecodePointer EncodePointer 98063->98064 98127 169fb5 LeaveCriticalSection 98064->98127 98066 1449a7 98067 163614 98066->98067 98068 16361e 98067->98068 98069 163638 98067->98069 98068->98069 98128 168d68 58 API calls __getptd_noexit 98068->98128 98069->97981 98071 163628 98129 168ff6 9 API calls __filbuf 98071->98129 98073 163633 98073->97981 98074->97983 98076 143b59 __ftell_nolock 98075->98076 98077 1477c7 59 API calls 98076->98077 98078 143b63 GetCurrentDirectoryW 98077->98078 98130 143778 98078->98130 98080 143b8c IsDebuggerPresent 98081 17d4ad MessageBoxA 98080->98081 98082 143b9a 98080->98082 98084 17d4c7 98081->98084 98083 143c73 98082->98083 98082->98084 98085 143bb7 98082->98085 98086 143c7a SetCurrentDirectoryW 98083->98086 98340 147373 59 API calls Mailbox 98084->98340 98211 1473e5 98085->98211 98089 143c87 Mailbox 98086->98089 98089->97985 98090 17d4d7 98095 17d4ed SetCurrentDirectoryW 98090->98095 98092 143bd5 GetFullPathNameW 98093 147d2c 59 API calls 98092->98093 98094 143c10 98093->98094 98227 150a8d 98094->98227 98095->98089 98098 143c2e 98099 143c38 98098->98099 98341 1a4c03 AllocateAndInitializeSid CheckTokenMembership FreeSid 98098->98341 98243 143a58 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 98099->98243 98102 17d50a 98102->98099 98105 17d51b 98102->98105 98342 144864 98105->98342 98106 143c42 98108 143c55 98106->98108 98251 1443db 98106->98251 98262 150b30 98108->98262 98110 17d523 98113 147f41 59 API calls 98110->98113 98112 143c60 98112->98083 98339 1444cb Shell_NotifyIconW _memset 98112->98339 98114 17d530 98113->98114 98116 17d55f 98114->98116 98117 17d53a 98114->98117 98119 147e0b 59 API calls 98116->98119 98349 147e0b 98117->98349 98121 17d55b GetForegroundWindow ShellExecuteW 98119->98121 98125 17d58f Mailbox 98121->98125 98122 147c8e 59 API calls 98124 17d552 98122->98124 98126 147e0b 59 API calls 98124->98126 98125->98083 98126->98121 98127->98066 98128->98071 98129->98073 98131 1477c7 59 API calls 98130->98131 98132 14378e 98131->98132 98356 143d43 98132->98356 98134 1437ac 98135 144864 61 API calls 98134->98135 98136 1437c0 98135->98136 98137 147f41 59 API calls 98136->98137 98138 1437cd 98137->98138 98370 144f3d 98138->98370 98141 17d3ae 98437 1a97e5 98141->98437 98143 1437ee Mailbox 98146 1481a7 59 API calls 98143->98146 98145 17d3cd 98148 162f95 _free 58 API calls 98145->98148 98149 143801 98146->98149 98150 17d3da 98148->98150 98394 1493ea 98149->98394 98152 144faa 84 API calls 98150->98152 98154 17d3e3 98152->98154 98158 143ee2 59 API calls 98154->98158 98155 147f41 59 API calls 98156 14381a 98155->98156 98397 148620 98156->98397 98160 17d3fe 98158->98160 98159 14382c Mailbox 98161 147f41 59 API calls 98159->98161 98162 143ee2 59 API calls 98160->98162 98163 143852 98161->98163 98164 17d41a 98162->98164 98165 148620 69 API calls 98163->98165 98166 144864 61 API calls 98164->98166 98168 143861 Mailbox 98165->98168 98167 17d43f 98166->98167 98169 143ee2 59 API calls 98167->98169 98171 1477c7 59 API calls 98168->98171 98170 17d44b 98169->98170 98172 1481a7 59 API calls 98170->98172 98173 14387f 98171->98173 98174 17d459 98172->98174 98401 143ee2 98173->98401 98176 143ee2 59 API calls 98174->98176 98178 17d468 98176->98178 98184 1481a7 59 API calls 98178->98184 98180 143899 98180->98154 98181 1438a3 98180->98181 98182 16313d _W_store_winword 60 API calls 98181->98182 98183 1438ae 98182->98183 98183->98160 98185 1438b8 98183->98185 98186 17d48a 98184->98186 98187 16313d _W_store_winword 60 API calls 98185->98187 98188 143ee2 59 API calls 98186->98188 98189 1438c3 98187->98189 98190 17d497 98188->98190 98189->98164 98191 1438cd 98189->98191 98190->98190 98192 16313d _W_store_winword 60 API calls 98191->98192 98193 1438d8 98192->98193 98193->98178 98194 143919 98193->98194 98196 143ee2 59 API calls 98193->98196 98194->98178 98195 143926 98194->98195 98417 14942e 98195->98417 98198 1438fc 98196->98198 98200 1481a7 59 API calls 98198->98200 98202 14390a 98200->98202 98204 143ee2 59 API calls 98202->98204 98204->98194 98206 1493ea 59 API calls 98208 143961 98206->98208 98207 149040 60 API calls 98207->98208 98208->98206 98208->98207 98209 143ee2 59 API calls 98208->98209 98210 1439a7 Mailbox 98208->98210 98209->98208 98210->98080 98212 1473f2 __ftell_nolock 98211->98212 98213 17ee4b _memset 98212->98213 98214 14740b 98212->98214 98217 17ee67 GetOpenFileNameW 98213->98217 99065 1448ae 98214->99065 98219 17eeb6 98217->98219 98221 147d2c 59 API calls 98219->98221 98223 17eecb 98221->98223 98223->98223 98224 147429 99093 1469ca 98224->99093 98228 150a9a __ftell_nolock 98227->98228 99351 146ee0 98228->99351 98230 150a9f 98231 143c26 98230->98231 99362 1512fe 89 API calls 98230->99362 98231->98090 98231->98098 98233 150aac 98233->98231 99363 154047 91 API calls Mailbox 98233->99363 98235 150ab5 98235->98231 98236 150ab9 GetFullPathNameW 98235->98236 98237 147d2c 59 API calls 98236->98237 98238 150ae5 98237->98238 98239 147d2c 59 API calls 98238->98239 98240 150af2 98239->98240 98241 1850d5 _wcscat 98240->98241 98242 147d2c 59 API calls 98240->98242 98242->98231 98244 143ac2 LoadImageW RegisterClassExW 98243->98244 98245 17d49c 98243->98245 99366 143041 7 API calls 98244->99366 99367 1448fe LoadImageW EnumResourceNamesW 98245->99367 98248 143b46 98250 1439e7 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 98248->98250 98249 17d4a5 98250->98106 98252 144406 _memset 98251->98252 99368 144213 98252->99368 98255 14448b 98257 1444a5 Shell_NotifyIconW 98255->98257 98258 1444c1 Shell_NotifyIconW 98255->98258 98259 1444b3 98257->98259 98258->98259 99372 14410d 98259->99372 98261 1444ba 98261->98108 98263 1850ed 98262->98263 98275 150b55 98262->98275 99455 1aa0b5 89 API calls 4 library calls 98263->99455 98265 150e44 98266 150e5a 98265->98266 99452 1511d0 10 API calls Mailbox 98265->99452 98266->98112 98269 151044 98269->98266 98271 151051 98269->98271 98270 150bab PeekMessageW 98292 150b65 Mailbox 98270->98292 99453 1511f3 341 API calls Mailbox 98271->99453 98274 151058 LockWindowUpdate DestroyWindow GetMessageW 98274->98266 98277 15108a 98274->98277 98275->98292 99456 149fbd 60 API calls 98275->99456 99457 1968bf 341 API calls 98275->99457 98276 1852ab Sleep 98276->98292 98278 186082 TranslateMessage DispatchMessageW GetMessageW 98277->98278 98278->98278 98280 1860b2 98278->98280 98280->98266 98281 18517a TranslateAcceleratorW 98282 150fa3 PeekMessageW 98281->98282 98281->98292 98282->98292 98283 150fbf TranslateMessage DispatchMessageW 98283->98282 98284 185c49 WaitForSingleObject 98288 185c66 GetExitCodeProcess CloseHandle 98284->98288 98284->98292 98285 150fee Mailbox 98291 1477c7 59 API calls 98285->98291 98285->98292 98297 1510f5 98285->98297 98298 160719 timeGetTime 98285->98298 98302 185fb9 GetExitCodeProcess 98285->98302 98304 14b93d 109 API calls 98285->98304 98309 1c61ac 110 API calls 98285->98309 98310 185c9e 98285->98310 98312 1854a2 Sleep 98285->98312 98313 186041 Sleep 98285->98313 98315 147f41 59 API calls 98285->98315 99464 1a28f7 60 API calls 98285->99464 99465 149fbd 60 API calls 98285->99465 99466 148b13 69 API calls Mailbox 98285->99466 99467 14b89c 341 API calls 98285->99467 99468 196a50 60 API calls 98285->99468 99469 1a54e6 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 98285->99469 99470 1a3e91 66 API calls Mailbox 98285->99470 98287 150e73 timeGetTime 98287->98292 98288->98297 98289 150fdd Sleep 98289->98285 98290 1481a7 59 API calls 98290->98292 98291->98285 98292->98265 98292->98270 98292->98276 98292->98281 98292->98282 98292->98283 98292->98284 98292->98285 98292->98287 98292->98289 98292->98290 98293 185f22 Sleep 98292->98293 98295 160ff6 59 API calls Mailbox 98292->98295 98292->98297 98299 1510ae timeGetTime 98292->98299 98303 149997 84 API calls 98292->98303 98311 149fbd 60 API calls 98292->98311 98319 14a000 314 API calls 98292->98319 98325 1aa0b5 89 API calls 98292->98325 98327 148620 69 API calls 98292->98327 98328 149df0 59 API calls Mailbox 98292->98328 98329 14b89c 314 API calls 98292->98329 98331 1966f4 59 API calls Mailbox 98292->98331 98332 147f41 59 API calls 98292->98332 98333 148b13 69 API calls 98292->98333 98334 1859ff VariantClear 98292->98334 98335 185a95 VariantClear 98292->98335 98336 148e34 59 API calls Mailbox 98292->98336 98337 185843 VariantClear 98292->98337 98338 197405 59 API calls 98292->98338 99400 14e800 98292->99400 99431 14f5c0 98292->99431 99449 14e580 341 API calls 98292->99449 99450 14fe40 341 API calls 2 library calls 98292->99450 99451 1431ce IsDialogMessageW GetClassLongW 98292->99451 99458 1c629f 59 API calls 98292->99458 99459 1a9c9f 59 API calls Mailbox 98292->99459 99460 19d9e3 59 API calls 98292->99460 99461 196665 59 API calls 2 library calls 98292->99461 99462 148561 59 API calls 98292->99462 99463 14843f 59 API calls Mailbox 98292->99463 98293->98285 98295->98292 98297->98112 98298->98285 99454 149fbd 60 API calls 98299->99454 98305 185fcf WaitForSingleObject 98302->98305 98306 185fe5 CloseHandle 98302->98306 98303->98292 98304->98285 98305->98292 98305->98306 98306->98285 98309->98285 98310->98297 98311->98292 98312->98292 98313->98292 98315->98285 98319->98292 98325->98292 98327->98292 98328->98292 98329->98292 98331->98292 98332->98292 98333->98292 98334->98292 98335->98292 98336->98292 98337->98292 98338->98292 98339->98083 98340->98090 98341->98102 98343 171b90 __ftell_nolock 98342->98343 98344 144871 GetModuleFileNameW 98343->98344 98345 147f41 59 API calls 98344->98345 98346 144897 98345->98346 98347 1448ae 60 API calls 98346->98347 98348 1448a1 Mailbox 98347->98348 98348->98110 98350 17f173 98349->98350 98351 147e1f 98349->98351 98353 148189 59 API calls 98350->98353 99845 147db0 98351->99845 98355 17f17e __wsetenvp _memmove 98353->98355 98354 147e2a 98354->98122 98357 143d50 __ftell_nolock 98356->98357 98358 147d2c 59 API calls 98357->98358 98364 143eb6 Mailbox 98357->98364 98360 143d82 98358->98360 98369 143db8 Mailbox 98360->98369 98478 147b52 98360->98478 98361 147b52 59 API calls 98361->98369 98362 143e89 98363 147f41 59 API calls 98362->98363 98362->98364 98366 143eaa 98363->98366 98364->98134 98365 147f41 59 API calls 98365->98369 98367 143f84 59 API calls 98366->98367 98367->98364 98369->98361 98369->98362 98369->98364 98369->98365 98481 143f84 98369->98481 98487 144d13 98370->98487 98375 17dd0f 98377 144faa 84 API calls 98375->98377 98376 144f68 LoadLibraryExW 98497 144cc8 98376->98497 98379 17dd16 98377->98379 98381 144cc8 3 API calls 98379->98381 98383 17dd1e 98381->98383 98523 14506b 98383->98523 98384 144f8f 98384->98383 98385 144f9b 98384->98385 98386 144faa 84 API calls 98385->98386 98388 1437e6 98386->98388 98388->98141 98388->98143 98391 17dd45 98531 145027 98391->98531 98395 160ff6 Mailbox 59 API calls 98394->98395 98396 14380d 98395->98396 98396->98155 98398 14862b 98397->98398 98399 148652 98398->98399 98785 148b13 69 API calls Mailbox 98398->98785 98399->98159 98402 143f05 98401->98402 98403 143eec 98401->98403 98405 147d2c 59 API calls 98402->98405 98404 1481a7 59 API calls 98403->98404 98406 14388b 98404->98406 98405->98406 98407 16313d 98406->98407 98408 1631be 98407->98408 98409 163149 98407->98409 98788 1631d0 60 API calls 4 library calls 98408->98788 98416 16316e 98409->98416 98786 168d68 58 API calls __getptd_noexit 98409->98786 98411 1631cb 98411->98180 98413 163155 98787 168ff6 9 API calls __filbuf 98413->98787 98415 163160 98415->98180 98416->98180 98418 149436 98417->98418 98419 160ff6 Mailbox 59 API calls 98418->98419 98420 149444 98419->98420 98421 143936 98420->98421 98789 14935c 59 API calls Mailbox 98420->98789 98423 1491b0 98421->98423 98790 1492c0 98423->98790 98425 1491bf 98426 160ff6 Mailbox 59 API calls 98425->98426 98427 143944 98425->98427 98426->98427 98428 149040 98427->98428 98429 17f5a5 98428->98429 98435 149057 98428->98435 98429->98435 98800 148d3b 59 API calls Mailbox 98429->98800 98431 1491a0 98799 149e9c 60 API calls Mailbox 98431->98799 98432 149158 98433 160ff6 Mailbox 59 API calls 98432->98433 98436 14915f 98433->98436 98435->98431 98435->98432 98435->98436 98436->98208 98438 145045 85 API calls 98437->98438 98439 1a9854 98438->98439 98801 1a99be 98439->98801 98442 14506b 74 API calls 98443 1a9881 98442->98443 98444 14506b 74 API calls 98443->98444 98445 1a9891 98444->98445 98446 14506b 74 API calls 98445->98446 98447 1a98ac 98446->98447 98448 14506b 74 API calls 98447->98448 98449 1a98c7 98448->98449 98450 145045 85 API calls 98449->98450 98451 1a98de 98450->98451 98452 16594c _W_store_winword 58 API calls 98451->98452 98453 1a98e5 98452->98453 98454 16594c _W_store_winword 58 API calls 98453->98454 98455 1a98ef 98454->98455 98456 14506b 74 API calls 98455->98456 98457 1a9903 98456->98457 98458 1a9393 GetSystemTimeAsFileTime 98457->98458 98459 1a9916 98458->98459 98460 1a992b 98459->98460 98461 1a9940 98459->98461 98462 162f95 _free 58 API calls 98460->98462 98463 1a9946 98461->98463 98464 1a99a5 98461->98464 98465 1a9931 98462->98465 98807 1a8d90 116 API calls __fcloseall 98463->98807 98467 162f95 _free 58 API calls 98464->98467 98468 162f95 _free 58 API calls 98465->98468 98470 17d3c1 98467->98470 98468->98470 98469 1a999d 98471 162f95 _free 58 API calls 98469->98471 98470->98145 98472 144faa 98470->98472 98471->98470 98473 144fb4 98472->98473 98474 144fbb 98472->98474 98808 1655d6 98473->98808 98476 144fca 98474->98476 98477 144fdb FreeLibrary 98474->98477 98476->98145 98477->98476 98479 147faf 59 API calls 98478->98479 98480 147b5d 98479->98480 98480->98360 98482 143f92 98481->98482 98486 143fb4 _memmove 98481->98486 98484 160ff6 Mailbox 59 API calls 98482->98484 98483 160ff6 Mailbox 59 API calls 98485 143fc8 98483->98485 98484->98486 98485->98369 98486->98483 98536 144d61 98487->98536 98490 144d3a 98491 144d53 98490->98491 98492 144d4a FreeLibrary 98490->98492 98494 16548b 98491->98494 98492->98491 98493 144d61 2 API calls 98493->98490 98540 1654a0 98494->98540 98496 144f5c 98496->98375 98496->98376 98700 144d94 98497->98700 98500 144ced 98502 144cff FreeLibrary 98500->98502 98503 144d08 98500->98503 98501 144d94 2 API calls 98501->98500 98502->98503 98504 144dd0 98503->98504 98505 160ff6 Mailbox 59 API calls 98504->98505 98506 144de5 98505->98506 98704 14538e 98506->98704 98508 144df1 _memmove 98509 144e2c 98508->98509 98510 144f21 98508->98510 98511 144ee9 98508->98511 98512 145027 69 API calls 98509->98512 98718 1a9ba5 95 API calls 98510->98718 98707 144fe9 CreateStreamOnHGlobal 98511->98707 98520 144e35 98512->98520 98515 14506b 74 API calls 98515->98520 98517 144ec9 98517->98384 98518 17dcd0 98519 145045 85 API calls 98518->98519 98521 17dce4 98519->98521 98520->98515 98520->98517 98520->98518 98713 145045 98520->98713 98522 14506b 74 API calls 98521->98522 98522->98517 98524 17ddf6 98523->98524 98525 14507d 98523->98525 98742 165812 98525->98742 98528 1a9393 98762 1a91e9 98528->98762 98530 1a93a9 98530->98391 98532 145036 98531->98532 98534 17ddb9 98531->98534 98767 165e90 98532->98767 98535 14503e 98537 144d2e 98536->98537 98538 144d6a LoadLibraryA 98536->98538 98537->98490 98537->98493 98538->98537 98539 144d7b GetProcAddress 98538->98539 98539->98537 98542 1654ac __setmbcp 98540->98542 98541 1654bf 98589 168d68 58 API calls __getptd_noexit 98541->98589 98542->98541 98544 1654f0 98542->98544 98559 170738 98544->98559 98545 1654c4 98590 168ff6 9 API calls __filbuf 98545->98590 98548 1654f5 98549 1654fe 98548->98549 98550 16550b 98548->98550 98591 168d68 58 API calls __getptd_noexit 98549->98591 98552 165535 98550->98552 98553 165515 98550->98553 98574 170857 98552->98574 98592 168d68 58 API calls __getptd_noexit 98553->98592 98554 1654cf @_EH4_CallFilterFunc@8 __setmbcp 98554->98496 98560 170744 __setmbcp 98559->98560 98561 169e4b __lock 58 API calls 98560->98561 98562 170752 98561->98562 98563 1707cd 98562->98563 98570 169ed3 __mtinitlocknum 58 API calls 98562->98570 98572 1707c6 98562->98572 98597 166e8d 59 API calls __lock 98562->98597 98598 166ef7 LeaveCriticalSection LeaveCriticalSection _doexit 98562->98598 98599 168a5d 58 API calls 2 library calls 98563->98599 98566 170843 __setmbcp 98566->98548 98567 1707d4 98567->98572 98600 16a06b InitializeCriticalSectionAndSpinCount 98567->98600 98570->98562 98571 1707fa EnterCriticalSection 98571->98572 98594 17084e 98572->98594 98582 170877 __wopenfile 98574->98582 98575 170891 98605 168d68 58 API calls __getptd_noexit 98575->98605 98577 170896 98606 168ff6 9 API calls __filbuf 98577->98606 98579 170aaf 98602 1787f1 98579->98602 98580 165540 98593 165562 LeaveCriticalSection LeaveCriticalSection _fprintf 98580->98593 98582->98575 98588 170a4c 98582->98588 98607 163a0b 60 API calls 3 library calls 98582->98607 98584 170a45 98584->98588 98608 163a0b 60 API calls 3 library calls 98584->98608 98586 170a64 98586->98588 98609 163a0b 60 API calls 3 library calls 98586->98609 98588->98575 98588->98579 98589->98545 98590->98554 98591->98554 98592->98554 98593->98554 98601 169fb5 LeaveCriticalSection 98594->98601 98596 170855 98596->98566 98597->98562 98598->98562 98599->98567 98600->98571 98601->98596 98610 177fd5 98602->98610 98604 17880a 98604->98580 98605->98577 98606->98580 98607->98584 98608->98586 98609->98588 98611 177fe1 __setmbcp 98610->98611 98612 177ff7 98611->98612 98615 17802d 98611->98615 98697 168d68 58 API calls __getptd_noexit 98612->98697 98614 177ffc 98698 168ff6 9 API calls __filbuf 98614->98698 98621 17809e 98615->98621 98618 178049 98699 178072 LeaveCriticalSection __unlock_fhandle 98618->98699 98620 178006 __setmbcp 98620->98604 98622 1780be 98621->98622 98623 16471a __wsopen_nolock 58 API calls 98622->98623 98627 1780da 98623->98627 98624 178211 98625 169006 __invoke_watson 8 API calls 98624->98625 98626 1787f0 98625->98626 98628 177fd5 __wsopen_helper 103 API calls 98626->98628 98627->98624 98629 178114 98627->98629 98636 178137 98627->98636 98630 17880a 98628->98630 98631 168d34 __dosmaperr 58 API calls 98629->98631 98630->98618 98632 178119 98631->98632 98633 168d68 __calloc_impl 58 API calls 98632->98633 98634 178126 98633->98634 98637 168ff6 __filbuf 9 API calls 98634->98637 98635 1781f5 98638 168d34 __dosmaperr 58 API calls 98635->98638 98636->98635 98644 1781d3 98636->98644 98639 178130 98637->98639 98640 1781fa 98638->98640 98639->98618 98641 168d68 __calloc_impl 58 API calls 98640->98641 98642 178207 98641->98642 98643 168ff6 __filbuf 9 API calls 98642->98643 98643->98624 98645 16d4d4 __alloc_osfhnd 61 API calls 98644->98645 98646 1782a1 98645->98646 98647 1782ce 98646->98647 98648 1782ab 98646->98648 98649 177f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98647->98649 98650 168d34 __dosmaperr 58 API calls 98648->98650 98660 1782f0 98649->98660 98651 1782b0 98650->98651 98652 168d68 __calloc_impl 58 API calls 98651->98652 98654 1782ba 98652->98654 98653 17836e GetFileType 98655 1783bb 98653->98655 98656 178379 GetLastError 98653->98656 98658 168d68 __calloc_impl 58 API calls 98654->98658 98667 16d76a __set_osfhnd 59 API calls 98655->98667 98659 168d47 __dosmaperr 58 API calls 98656->98659 98657 17833c GetLastError 98661 168d47 __dosmaperr 58 API calls 98657->98661 98658->98639 98662 1783a0 CloseHandle 98659->98662 98660->98653 98660->98657 98663 177f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98660->98663 98664 178361 98661->98664 98662->98664 98665 1783ae 98662->98665 98666 178331 98663->98666 98668 168d68 __calloc_impl 58 API calls 98664->98668 98669 168d68 __calloc_impl 58 API calls 98665->98669 98666->98653 98666->98657 98671 1783d9 98667->98671 98668->98624 98670 1783b3 98669->98670 98670->98664 98672 178594 98671->98672 98673 171b11 __lseeki64_nolock 60 API calls 98671->98673 98689 17845a 98671->98689 98672->98624 98674 178767 CloseHandle 98672->98674 98675 178443 98673->98675 98676 177f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 98674->98676 98678 168d34 __dosmaperr 58 API calls 98675->98678 98694 178462 98675->98694 98677 17878e 98676->98677 98680 178796 GetLastError 98677->98680 98681 17861e 98677->98681 98678->98689 98679 1710ab 70 API calls __read_nolock 98679->98694 98682 168d47 __dosmaperr 58 API calls 98680->98682 98681->98624 98683 1787a2 98682->98683 98686 16d67d __free_osfhnd 59 API calls 98683->98686 98684 170d2d __close_nolock 61 API calls 98684->98694 98685 1799f2 __chsize_nolock 82 API calls 98685->98694 98686->98681 98687 171b11 60 API calls __lseeki64_nolock 98687->98689 98688 16dac6 __write 78 API calls 98688->98689 98689->98672 98689->98687 98689->98688 98689->98694 98690 178611 98691 170d2d __close_nolock 61 API calls 98690->98691 98693 178618 98691->98693 98692 1785fa 98692->98672 98696 168d68 __calloc_impl 58 API calls 98693->98696 98694->98679 98694->98684 98694->98685 98694->98689 98694->98690 98694->98692 98695 171b11 60 API calls __lseeki64_nolock 98694->98695 98695->98694 98696->98681 98697->98614 98698->98620 98699->98620 98701 144ce1 98700->98701 98702 144d9d LoadLibraryA 98700->98702 98701->98500 98701->98501 98702->98701 98703 144dae GetProcAddress 98702->98703 98703->98701 98705 160ff6 Mailbox 59 API calls 98704->98705 98706 1453a0 98705->98706 98706->98508 98708 145003 FindResourceExW 98707->98708 98712 145020 98707->98712 98709 17dd5c LoadResource 98708->98709 98708->98712 98710 17dd71 SizeofResource 98709->98710 98709->98712 98711 17dd85 LockResource 98710->98711 98710->98712 98711->98712 98712->98509 98714 145054 98713->98714 98715 17ddd4 98713->98715 98719 165a7d 98714->98719 98717 145062 98717->98520 98718->98509 98720 165a89 __setmbcp 98719->98720 98721 165a9b 98720->98721 98723 165ac1 98720->98723 98732 168d68 58 API calls __getptd_noexit 98721->98732 98734 166e4e 98723->98734 98724 165aa0 98733 168ff6 9 API calls __filbuf 98724->98733 98729 165ad6 98741 165af8 LeaveCriticalSection LeaveCriticalSection _fprintf 98729->98741 98731 165aab __setmbcp 98731->98717 98732->98724 98733->98731 98735 166e80 EnterCriticalSection 98734->98735 98736 166e5e 98734->98736 98739 165ac7 98735->98739 98736->98735 98737 166e66 98736->98737 98738 169e4b __lock 58 API calls 98737->98738 98738->98739 98740 1659ee 83 API calls 5 library calls 98739->98740 98740->98729 98741->98731 98745 16582d 98742->98745 98744 14508e 98744->98528 98746 165839 __setmbcp 98745->98746 98747 165874 __setmbcp 98746->98747 98748 16584f _memset 98746->98748 98749 16587c 98746->98749 98747->98744 98758 168d68 58 API calls __getptd_noexit 98748->98758 98750 166e4e __lock_file 59 API calls 98749->98750 98752 165882 98750->98752 98760 16564d 72 API calls 5 library calls 98752->98760 98753 165869 98759 168ff6 9 API calls __filbuf 98753->98759 98756 165898 98761 1658b6 LeaveCriticalSection LeaveCriticalSection _fprintf 98756->98761 98758->98753 98759->98747 98760->98756 98761->98747 98765 16543a GetSystemTimeAsFileTime 98762->98765 98764 1a91f8 98764->98530 98766 165468 __aulldiv 98765->98766 98766->98764 98768 165e9c __setmbcp 98767->98768 98769 165ec3 98768->98769 98770 165eae 98768->98770 98772 166e4e __lock_file 59 API calls 98769->98772 98781 168d68 58 API calls __getptd_noexit 98770->98781 98774 165ec9 98772->98774 98773 165eb3 98782 168ff6 9 API calls __filbuf 98773->98782 98783 165b00 67 API calls 6 library calls 98774->98783 98777 165ed4 98784 165ef4 LeaveCriticalSection LeaveCriticalSection _fprintf 98777->98784 98779 165ee6 98780 165ebe __setmbcp 98779->98780 98780->98535 98781->98773 98782->98780 98783->98777 98784->98779 98785->98399 98786->98413 98787->98415 98788->98411 98789->98421 98791 1492c9 Mailbox 98790->98791 98792 17f5c8 98791->98792 98797 1492d3 98791->98797 98793 160ff6 Mailbox 59 API calls 98792->98793 98796 17f5d4 98793->98796 98794 1492da 98794->98425 98796->98796 98797->98794 98798 149df0 59 API calls Mailbox 98797->98798 98798->98797 98799->98436 98800->98435 98806 1a99d2 __tzset_nolock _wcscmp 98801->98806 98802 14506b 74 API calls 98802->98806 98803 1a9866 98803->98442 98803->98470 98804 1a9393 GetSystemTimeAsFileTime 98804->98806 98805 145045 85 API calls 98805->98806 98806->98802 98806->98803 98806->98804 98806->98805 98807->98469 98809 1655e2 __setmbcp 98808->98809 98810 1655f6 98809->98810 98811 16560e 98809->98811 98837 168d68 58 API calls __getptd_noexit 98810->98837 98813 166e4e __lock_file 59 API calls 98811->98813 98818 165606 __setmbcp 98811->98818 98815 165620 98813->98815 98814 1655fb 98838 168ff6 9 API calls __filbuf 98814->98838 98821 16556a 98815->98821 98818->98474 98822 16558d 98821->98822 98823 165579 98821->98823 98829 165589 98822->98829 98840 164c6d 98822->98840 98883 168d68 58 API calls __getptd_noexit 98823->98883 98825 16557e 98884 168ff6 9 API calls __filbuf 98825->98884 98839 165645 LeaveCriticalSection LeaveCriticalSection _fprintf 98829->98839 98833 1655a7 98857 170c52 98833->98857 98835 1655ad 98835->98829 98836 162f95 _free 58 API calls 98835->98836 98836->98829 98837->98814 98838->98818 98839->98818 98841 164c80 98840->98841 98845 164ca4 98840->98845 98842 164916 __filbuf 58 API calls 98841->98842 98841->98845 98843 164c9d 98842->98843 98885 16dac6 98843->98885 98846 170dc7 98845->98846 98847 1655a1 98846->98847 98848 170dd4 98846->98848 98850 164916 98847->98850 98848->98847 98849 162f95 _free 58 API calls 98848->98849 98849->98847 98851 164935 98850->98851 98852 164920 98850->98852 98851->98833 99020 168d68 58 API calls __getptd_noexit 98852->99020 98854 164925 99021 168ff6 9 API calls __filbuf 98854->99021 98856 164930 98856->98833 98858 170c5e __setmbcp 98857->98858 98859 170c82 98858->98859 98860 170c6b 98858->98860 98862 170d0d 98859->98862 98864 170c92 98859->98864 99037 168d34 58 API calls __getptd_noexit 98860->99037 99042 168d34 58 API calls __getptd_noexit 98862->99042 98863 170c70 99038 168d68 58 API calls __getptd_noexit 98863->99038 98867 170cb0 98864->98867 98868 170cba 98864->98868 99039 168d34 58 API calls __getptd_noexit 98867->99039 98871 16d446 ___lock_fhandle 59 API calls 98868->98871 98869 170cb5 99043 168d68 58 API calls __getptd_noexit 98869->99043 98873 170cc0 98871->98873 98875 170cd3 98873->98875 98876 170cde 98873->98876 98874 170d19 99044 168ff6 9 API calls __filbuf 98874->99044 99022 170d2d 98875->99022 99040 168d68 58 API calls __getptd_noexit 98876->99040 98878 170c77 __setmbcp 98878->98835 98881 170cd9 99041 170d05 LeaveCriticalSection __unlock_fhandle 98881->99041 98883->98825 98884->98829 98886 16dad2 __setmbcp 98885->98886 98887 16daf6 98886->98887 98888 16dadf 98886->98888 98890 16db95 98887->98890 98893 16db0a 98887->98893 98986 168d34 58 API calls __getptd_noexit 98888->98986 98992 168d34 58 API calls __getptd_noexit 98890->98992 98892 16dae4 98987 168d68 58 API calls __getptd_noexit 98892->98987 98894 16db32 98893->98894 98895 16db28 98893->98895 98913 16d446 98894->98913 98988 168d34 58 API calls __getptd_noexit 98895->98988 98896 16db2d 98993 168d68 58 API calls __getptd_noexit 98896->98993 98900 16db38 98902 16db5e 98900->98902 98903 16db4b 98900->98903 98989 168d68 58 API calls __getptd_noexit 98902->98989 98922 16dbb5 98903->98922 98904 16dba1 98994 168ff6 9 API calls __filbuf 98904->98994 98908 16daeb __setmbcp 98908->98845 98909 16db57 98991 16db8d LeaveCriticalSection __unlock_fhandle 98909->98991 98910 16db63 98990 168d34 58 API calls __getptd_noexit 98910->98990 98914 16d452 __setmbcp 98913->98914 98915 16d4a1 EnterCriticalSection 98914->98915 98917 169e4b __lock 58 API calls 98914->98917 98916 16d4c7 __setmbcp 98915->98916 98916->98900 98918 16d477 98917->98918 98919 16d48f 98918->98919 98995 16a06b InitializeCriticalSectionAndSpinCount 98918->98995 98996 16d4cb LeaveCriticalSection _doexit 98919->98996 98923 16dbc2 __ftell_nolock 98922->98923 98924 16dc20 98923->98924 98925 16dc01 98923->98925 98953 16dbf6 98923->98953 98928 16dc78 98924->98928 98929 16dc5c 98924->98929 99006 168d34 58 API calls __getptd_noexit 98925->99006 98926 16c836 setSBUpLow 6 API calls 98930 16e416 98926->98930 98933 16dc91 98928->98933 99012 171b11 60 API calls 3 library calls 98928->99012 99009 168d34 58 API calls __getptd_noexit 98929->99009 98930->98909 98931 16dc06 99007 168d68 58 API calls __getptd_noexit 98931->99007 98997 175ebb 98933->98997 98935 16dc61 99010 168d68 58 API calls __getptd_noexit 98935->99010 98937 16dc0d 99008 168ff6 9 API calls __filbuf 98937->99008 98941 16dc9f 98942 16dff8 98941->98942 99013 169bec 58 API calls 2 library calls 98941->99013 98944 16e016 98942->98944 98945 16e38b WriteFile 98942->98945 98943 16dc68 99011 168ff6 9 API calls __filbuf 98943->99011 98948 16e13a 98944->98948 98956 16e02c 98944->98956 98949 16dfeb GetLastError 98945->98949 98954 16dfb8 98945->98954 98960 16e22f 98948->98960 98962 16e145 98948->98962 98949->98954 98950 16dccb GetConsoleMode 98950->98942 98952 16dd0a 98950->98952 98951 16e3c4 98951->98953 99018 168d68 58 API calls __getptd_noexit 98951->99018 98952->98942 98955 16dd1a GetConsoleCP 98952->98955 98953->98926 98954->98951 98954->98953 98959 16e118 98954->98959 98955->98951 98983 16dd49 98955->98983 98956->98951 98957 16e09b WriteFile 98956->98957 98957->98949 98961 16e0d8 98957->98961 98964 16e123 98959->98964 98965 16e3bb 98959->98965 98960->98951 98966 16e2a4 WideCharToMultiByte 98960->98966 98961->98956 98967 16e0fc 98961->98967 98962->98951 98968 16e1aa WriteFile 98962->98968 98963 16e3f2 99019 168d34 58 API calls __getptd_noexit 98963->99019 99015 168d68 58 API calls __getptd_noexit 98964->99015 99017 168d47 58 API calls 3 library calls 98965->99017 98966->98949 98978 16e2eb 98966->98978 98967->98954 98968->98949 98970 16e1f9 98968->98970 98970->98954 98970->98962 98970->98967 98973 16e128 99016 168d34 58 API calls __getptd_noexit 98973->99016 98974 16e2f3 WriteFile 98977 16e346 GetLastError 98974->98977 98974->98978 98977->98978 98978->98954 98978->98960 98978->98967 98978->98974 98979 177cae WriteConsoleW CreateFileW __putwch_nolock 98984 16de9f 98979->98984 98980 17650a 60 API calls __write_nolock 98980->98983 98981 16de32 WideCharToMultiByte 98981->98954 98982 16de6d WriteFile 98981->98982 98982->98949 98982->98984 98983->98954 98983->98980 98983->98981 98983->98984 99014 163835 58 API calls __isleadbyte_l 98983->99014 98984->98949 98984->98954 98984->98979 98984->98983 98985 16dec7 WriteFile 98984->98985 98985->98949 98985->98984 98986->98892 98987->98908 98988->98896 98989->98910 98990->98909 98991->98908 98992->98896 98993->98904 98994->98908 98995->98919 98996->98915 98998 175ec6 98997->98998 98999 175ed3 98997->98999 99000 168d68 __calloc_impl 58 API calls 98998->99000 99001 175edf 98999->99001 99002 168d68 __calloc_impl 58 API calls 98999->99002 99004 175ecb 99000->99004 99001->98941 99003 175f00 99002->99003 99005 168ff6 __filbuf 9 API calls 99003->99005 99004->98941 99005->99004 99006->98931 99007->98937 99008->98953 99009->98935 99010->98943 99011->98953 99012->98933 99013->98950 99014->98983 99015->98973 99016->98953 99017->98953 99018->98963 99019->98953 99020->98854 99021->98856 99045 16d703 99022->99045 99024 170d91 99058 16d67d 59 API calls 2 library calls 99024->99058 99025 170d3b 99025->99024 99027 170d6f 99025->99027 99028 16d703 __lseeki64_nolock 58 API calls 99025->99028 99027->99024 99029 16d703 __lseeki64_nolock 58 API calls 99027->99029 99031 170d66 99028->99031 99032 170d7b CloseHandle 99029->99032 99030 170d99 99033 170dbb 99030->99033 99059 168d47 58 API calls 3 library calls 99030->99059 99034 16d703 __lseeki64_nolock 58 API calls 99031->99034 99032->99024 99035 170d87 GetLastError 99032->99035 99033->98881 99034->99027 99035->99024 99037->98863 99038->98878 99039->98869 99040->98881 99041->98878 99042->98869 99043->98874 99044->98878 99046 16d723 99045->99046 99047 16d70e 99045->99047 99052 16d748 99046->99052 99062 168d34 58 API calls __getptd_noexit 99046->99062 99060 168d34 58 API calls __getptd_noexit 99047->99060 99049 16d713 99061 168d68 58 API calls __getptd_noexit 99049->99061 99052->99025 99053 16d752 99063 168d68 58 API calls __getptd_noexit 99053->99063 99055 16d71b 99055->99025 99056 16d75a 99064 168ff6 9 API calls __filbuf 99056->99064 99058->99030 99059->99033 99060->99049 99061->99055 99062->99053 99063->99056 99064->99055 99127 171b90 99065->99127 99068 1448f7 99129 147eec 99068->99129 99069 1448da 99070 147d2c 59 API calls 99069->99070 99072 1448e6 99070->99072 99073 147886 59 API calls 99072->99073 99074 1448f2 99073->99074 99075 1609d5 99074->99075 99076 1609e2 __ftell_nolock 99075->99076 99077 1609f1 GetLongPathNameW 99076->99077 99078 147d2c 59 API calls 99077->99078 99079 14741d 99078->99079 99080 14716b 99079->99080 99081 1477c7 59 API calls 99080->99081 99082 14717d 99081->99082 99083 1448ae 60 API calls 99082->99083 99084 147188 99083->99084 99085 147193 99084->99085 99086 17ecae 99084->99086 99087 143f84 59 API calls 99085->99087 99090 17ecc8 99086->99090 99139 147a68 61 API calls 99086->99139 99089 14719f 99087->99089 99133 1434c2 99089->99133 99092 1471b2 Mailbox 99092->98224 99094 144f3d 136 API calls 99093->99094 99095 1469ef 99094->99095 99096 17e45a 99095->99096 99098 144f3d 136 API calls 99095->99098 99097 1a97e5 122 API calls 99096->99097 99099 17e46f 99097->99099 99100 146a03 99098->99100 99101 17e473 99099->99101 99102 17e490 99099->99102 99100->99096 99103 146a0b 99100->99103 99104 144faa 84 API calls 99101->99104 99105 160ff6 Mailbox 59 API calls 99102->99105 99106 146a17 99103->99106 99107 17e47b 99103->99107 99104->99107 99126 17e4d5 Mailbox 99105->99126 99140 146bec 99106->99140 99247 1a4534 90 API calls _wprintf 99107->99247 99111 17e489 99111->99102 99112 17e689 99113 162f95 _free 58 API calls 99112->99113 99114 17e691 99113->99114 99115 144faa 84 API calls 99114->99115 99120 17e69a 99115->99120 99119 162f95 _free 58 API calls 99119->99120 99120->99119 99121 144faa 84 API calls 99120->99121 99251 19fcb1 89 API calls 4 library calls 99120->99251 99121->99120 99123 147f41 59 API calls 99123->99126 99126->99112 99126->99120 99126->99123 99233 14766f 99126->99233 99241 1474bd 99126->99241 99248 19fc4d 59 API calls 2 library calls 99126->99248 99249 19fb6e 61 API calls 2 library calls 99126->99249 99250 1a7621 59 API calls Mailbox 99126->99250 99128 1448bb GetFullPathNameW 99127->99128 99128->99068 99128->99069 99130 147f06 99129->99130 99131 147ef9 99129->99131 99132 160ff6 Mailbox 59 API calls 99130->99132 99131->99072 99132->99131 99134 1434d4 99133->99134 99138 1434f3 _memmove 99133->99138 99136 160ff6 Mailbox 59 API calls 99134->99136 99135 160ff6 Mailbox 59 API calls 99137 14350a 99135->99137 99136->99138 99137->99092 99138->99135 99139->99086 99141 17e847 99140->99141 99142 146c15 99140->99142 99324 19fcb1 89 API calls 4 library calls 99141->99324 99257 145906 60 API calls Mailbox 99142->99257 99145 17e85a 99325 19fcb1 89 API calls 4 library calls 99145->99325 99146 146c37 99258 145956 67 API calls 99146->99258 99148 146c4c 99148->99145 99150 146c54 99148->99150 99151 1477c7 59 API calls 99150->99151 99153 146c60 99151->99153 99152 17e876 99155 146cc1 99152->99155 99259 160b9b 60 API calls __ftell_nolock 99153->99259 99157 146ccf 99155->99157 99158 17e889 99155->99158 99156 146c6c 99159 1477c7 59 API calls 99156->99159 99161 1477c7 59 API calls 99157->99161 99160 145dcf CloseHandle 99158->99160 99162 146c78 99159->99162 99163 17e895 99160->99163 99164 146cd8 99161->99164 99165 1448ae 60 API calls 99162->99165 99166 144f3d 136 API calls 99163->99166 99167 1477c7 59 API calls 99164->99167 99169 146c86 99165->99169 99170 17e8b1 99166->99170 99168 146ce1 99167->99168 99262 1446f9 99168->99262 99260 1459b0 ReadFile SetFilePointerEx 99169->99260 99173 17e8da 99170->99173 99177 1a97e5 122 API calls 99170->99177 99326 19fcb1 89 API calls 4 library calls 99173->99326 99174 146cf8 99179 147c8e 59 API calls 99174->99179 99176 146cb2 99261 145c4e SetFilePointerEx SetFilePointerEx 99176->99261 99178 17e8cd 99177->99178 99182 17e8f6 99178->99182 99183 17e8d5 99178->99183 99184 146d09 SetCurrentDirectoryW 99179->99184 99180 17e8f1 99211 146e6c Mailbox 99180->99211 99186 144faa 84 API calls 99182->99186 99185 144faa 84 API calls 99183->99185 99189 146d1c Mailbox 99184->99189 99185->99173 99187 17e8fb 99186->99187 99188 160ff6 Mailbox 59 API calls 99187->99188 99195 17e92f 99188->99195 99191 160ff6 Mailbox 59 API calls 99189->99191 99193 146d2f 99191->99193 99192 143bcd 99192->98083 99192->98092 99194 14538e 59 API calls 99193->99194 99222 146d3a Mailbox __wsetenvp 99194->99222 99196 14766f 59 API calls 99195->99196 99224 17e978 Mailbox 99196->99224 99197 146e47 99320 145dcf 99197->99320 99198 17eb69 99331 1a7581 59 API calls Mailbox 99198->99331 99204 17eb8b 99332 1af835 59 API calls 2 library calls 99204->99332 99207 17eb98 99209 162f95 _free 58 API calls 99207->99209 99208 17ec02 99335 19fcb1 89 API calls 4 library calls 99208->99335 99209->99211 99252 145934 99211->99252 99213 14766f 59 API calls 99213->99224 99214 17ec1b 99214->99197 99216 17ebfa 99334 19fb07 59 API calls 4 library calls 99216->99334 99217 147f41 59 API calls 99217->99222 99222->99197 99222->99208 99222->99216 99222->99217 99313 1459cd 67 API calls _wcscpy 99222->99313 99314 1470bd GetStringTypeW 99222->99314 99315 14702c 60 API calls __wcsnicmp 99222->99315 99316 14710a GetStringTypeW __wsetenvp 99222->99316 99317 16387d GetStringTypeW _iswctype 99222->99317 99318 146a3c 165 API calls 3 library calls 99222->99318 99319 147373 59 API calls Mailbox 99222->99319 99223 147f41 59 API calls 99223->99224 99224->99198 99224->99213 99224->99223 99228 17ebbb 99224->99228 99327 19fc4d 59 API calls 2 library calls 99224->99327 99328 19fb6e 61 API calls 2 library calls 99224->99328 99329 1a7621 59 API calls Mailbox 99224->99329 99330 147373 59 API calls Mailbox 99224->99330 99333 19fcb1 89 API calls 4 library calls 99228->99333 99230 17ebd4 99231 162f95 _free 58 API calls 99230->99231 99232 17ebe7 99231->99232 99232->99211 99234 14770f 99233->99234 99237 147682 _memmove 99233->99237 99236 160ff6 Mailbox 59 API calls 99234->99236 99235 160ff6 Mailbox 59 API calls 99238 147689 99235->99238 99236->99237 99237->99235 99239 160ff6 Mailbox 59 API calls 99238->99239 99240 1476b2 99238->99240 99239->99240 99240->99126 99242 1474d0 99241->99242 99245 14757e 99241->99245 99243 160ff6 Mailbox 59 API calls 99242->99243 99246 147502 99242->99246 99243->99246 99244 160ff6 59 API calls Mailbox 99244->99246 99245->99126 99246->99244 99246->99245 99247->99111 99248->99126 99249->99126 99250->99126 99251->99120 99253 145dcf CloseHandle 99252->99253 99254 14593c Mailbox 99253->99254 99255 145dcf CloseHandle 99254->99255 99256 14594b 99255->99256 99256->99192 99257->99146 99258->99148 99259->99156 99260->99176 99261->99155 99263 1477c7 59 API calls 99262->99263 99264 14470f 99263->99264 99265 1477c7 59 API calls 99264->99265 99266 144717 99265->99266 99267 1477c7 59 API calls 99266->99267 99268 14471f 99267->99268 99269 1477c7 59 API calls 99268->99269 99270 144727 99269->99270 99271 17d8fb 99270->99271 99272 14475b 99270->99272 99273 1481a7 59 API calls 99271->99273 99274 1479ab 59 API calls 99272->99274 99275 17d904 99273->99275 99276 144769 99274->99276 99277 147eec 59 API calls 99275->99277 99278 147e8c 59 API calls 99276->99278 99280 14479e 99277->99280 99279 144773 99278->99279 99279->99280 99281 1479ab 59 API calls 99279->99281 99283 1447bd 99280->99283 99293 17d924 99280->99293 99299 1447de 99280->99299 99284 144794 99281->99284 99287 147b52 59 API calls 99283->99287 99286 147e8c 59 API calls 99284->99286 99285 17d9f4 99289 147d2c 59 API calls 99285->99289 99286->99280 99290 1447c7 99287->99290 99288 1447ef 99291 144801 99288->99291 99294 1481a7 59 API calls 99288->99294 99308 17d9b1 99289->99308 99298 1479ab 59 API calls 99290->99298 99290->99299 99292 144811 99291->99292 99295 1481a7 59 API calls 99291->99295 99297 144818 99292->99297 99300 1481a7 59 API calls 99292->99300 99293->99285 99296 17d9dd 99293->99296 99306 17d95b 99293->99306 99294->99291 99295->99292 99296->99285 99302 17d9c8 99296->99302 99301 1481a7 59 API calls 99297->99301 99310 14481f Mailbox 99297->99310 99298->99299 99336 1479ab 99299->99336 99300->99297 99301->99310 99305 147d2c 59 API calls 99302->99305 99303 17d9b9 99304 147d2c 59 API calls 99303->99304 99304->99308 99305->99308 99306->99303 99311 17d9a4 99306->99311 99307 147b52 59 API calls 99307->99308 99308->99299 99308->99307 99349 147a84 59 API calls 2 library calls 99308->99349 99310->99174 99312 147d2c 59 API calls 99311->99312 99312->99308 99313->99222 99314->99222 99315->99222 99316->99222 99317->99222 99318->99222 99319->99222 99321 145de8 99320->99321 99322 145dd9 SetCurrentDirectoryW 99320->99322 99321->99322 99323 145ded CloseHandle 99321->99323 99322->99211 99323->99322 99324->99145 99325->99152 99326->99180 99327->99224 99328->99224 99329->99224 99330->99224 99331->99204 99332->99207 99333->99230 99334->99208 99335->99214 99337 147a17 99336->99337 99338 1479ba 99336->99338 99340 147e8c 59 API calls 99337->99340 99338->99337 99339 1479c5 99338->99339 99342 1479e0 99339->99342 99343 17ef32 99339->99343 99341 1479e8 _memmove 99340->99341 99341->99288 99350 148087 59 API calls Mailbox 99342->99350 99344 148189 59 API calls 99343->99344 99346 17ef3c 99344->99346 99347 160ff6 Mailbox 59 API calls 99346->99347 99348 17ef5c 99347->99348 99349->99308 99350->99341 99352 146ef5 99351->99352 99356 147009 99351->99356 99353 160ff6 Mailbox 59 API calls 99352->99353 99352->99356 99355 146f1c 99353->99355 99354 160ff6 Mailbox 59 API calls 99360 146f91 99354->99360 99355->99354 99356->98230 99359 1474bd 59 API calls 99359->99360 99360->99356 99360->99359 99361 14766f 59 API calls 99360->99361 99364 1463a0 94 API calls 2 library calls 99360->99364 99365 196ac9 59 API calls Mailbox 99360->99365 99361->99360 99362->98233 99363->98235 99364->99360 99365->99360 99366->98248 99367->98249 99369 144227 99368->99369 99370 17d638 99368->99370 99369->98255 99394 1a3226 62 API calls _W_store_winword 99369->99394 99370->99369 99371 17d641 DestroyIcon 99370->99371 99371->99369 99373 144200 Mailbox 99372->99373 99374 144129 99372->99374 99373->98261 99395 147b76 99374->99395 99377 144144 99379 147d2c 59 API calls 99377->99379 99378 17d5dd LoadStringW 99381 17d5f7 99378->99381 99380 144159 99379->99380 99380->99381 99382 14416a 99380->99382 99383 147c8e 59 API calls 99381->99383 99384 144174 99382->99384 99385 144205 99382->99385 99388 17d601 99383->99388 99387 147c8e 59 API calls 99384->99387 99386 1481a7 59 API calls 99385->99386 99391 14417e _memset _wcscpy 99386->99391 99387->99391 99389 147e0b 59 API calls 99388->99389 99388->99391 99390 17d623 99389->99390 99393 147e0b 59 API calls 99390->99393 99392 1441e6 Shell_NotifyIconW 99391->99392 99392->99373 99393->99391 99394->98255 99396 160ff6 Mailbox 59 API calls 99395->99396 99397 147b9b 99396->99397 99398 148189 59 API calls 99397->99398 99399 144137 99398->99399 99399->99377 99399->99378 99401 14e835 99400->99401 99402 183ed3 99401->99402 99405 14e89f 99401->99405 99414 14e8f9 99401->99414 99472 14a000 99402->99472 99404 183ee8 99430 14ead0 Mailbox 99404->99430 99495 1aa0b5 89 API calls 4 library calls 99404->99495 99408 1477c7 59 API calls 99405->99408 99405->99414 99406 1477c7 59 API calls 99406->99414 99410 183f2e 99408->99410 99409 162f80 __cinit 67 API calls 99409->99414 99411 162f80 __cinit 67 API calls 99410->99411 99411->99414 99412 183f50 99412->98292 99413 148620 69 API calls 99413->99430 99414->99406 99414->99409 99414->99412 99416 14eaba 99414->99416 99414->99430 99416->99430 99496 1aa0b5 89 API calls 4 library calls 99416->99496 99417 148ea0 59 API calls 99417->99430 99418 14f2f5 99500 1aa0b5 89 API calls 4 library calls 99418->99500 99422 14a000 341 API calls 99422->99430 99423 18424f 99423->98292 99427 1aa0b5 89 API calls 99427->99430 99429 14ebd8 99429->98292 99430->99413 99430->99417 99430->99418 99430->99422 99430->99427 99430->99429 99471 1480d7 59 API calls 2 library calls 99430->99471 99497 197405 59 API calls 99430->99497 99498 1bc8d7 341 API calls 99430->99498 99499 1bb851 341 API calls Mailbox 99430->99499 99501 149df0 59 API calls Mailbox 99430->99501 99502 1b96db 341 API calls Mailbox 99430->99502 99432 14f7b0 99431->99432 99433 14f61a 99431->99433 99434 147f41 59 API calls 99432->99434 99435 184848 99433->99435 99436 14f626 99433->99436 99442 14f6ec Mailbox 99434->99442 99597 1bbf80 341 API calls Mailbox 99435->99597 99595 14f3f0 341 API calls 2 library calls 99436->99595 99439 184856 99443 14f790 99439->99443 99598 1aa0b5 89 API calls 4 library calls 99439->99598 99441 14f65d 99441->99439 99441->99442 99441->99443 99509 1be237 99442->99509 99512 1a3e73 99442->99512 99515 1acde5 99442->99515 99443->98292 99445 14f743 99445->99443 99596 149df0 59 API calls Mailbox 99445->99596 99449->98292 99450->98292 99451->98292 99452->98269 99453->98274 99454->98292 99455->98275 99456->98275 99457->98275 99458->98292 99459->98292 99460->98292 99461->98292 99462->98292 99463->98292 99464->98285 99465->98285 99466->98285 99467->98285 99468->98285 99469->98285 99470->98285 99471->99430 99473 14a01f 99472->99473 99490 14a04d Mailbox 99472->99490 99474 160ff6 Mailbox 59 API calls 99473->99474 99474->99490 99475 14b5d5 99476 1481a7 59 API calls 99475->99476 99488 14a1b7 99476->99488 99477 160ff6 59 API calls Mailbox 99477->99490 99480 162f80 67 API calls __cinit 99480->99490 99481 1481a7 59 API calls 99481->99490 99483 18047f 99505 1aa0b5 89 API calls 4 library calls 99483->99505 99484 1477c7 59 API calls 99484->99490 99487 18048e 99487->99404 99488->99404 99489 197405 59 API calls 99489->99490 99490->99475 99490->99477 99490->99480 99490->99481 99490->99483 99490->99484 99490->99488 99490->99489 99491 180e00 99490->99491 99493 14a6ba 99490->99493 99494 14b5da 99490->99494 99503 14ca20 341 API calls 2 library calls 99490->99503 99504 14ba60 60 API calls Mailbox 99490->99504 99507 1aa0b5 89 API calls 4 library calls 99491->99507 99506 1aa0b5 89 API calls 4 library calls 99493->99506 99508 1aa0b5 89 API calls 4 library calls 99494->99508 99495->99430 99496->99430 99497->99430 99498->99430 99499->99430 99500->99423 99501->99430 99502->99430 99503->99490 99504->99490 99505->99487 99506->99488 99507->99494 99508->99488 99599 1bcdf1 99509->99599 99511 1be247 99511->99445 99689 1a4696 GetFileAttributesW 99512->99689 99516 1477c7 59 API calls 99515->99516 99517 1ace1a 99516->99517 99518 1477c7 59 API calls 99517->99518 99519 1ace23 99518->99519 99520 1ace37 99519->99520 99802 149c9c 59 API calls 99519->99802 99522 149997 84 API calls 99520->99522 99523 1ace54 99522->99523 99524 1ace76 99523->99524 99525 1acf55 99523->99525 99530 1acf85 Mailbox 99523->99530 99526 149997 84 API calls 99524->99526 99527 144f3d 136 API calls 99525->99527 99528 1ace82 99526->99528 99529 1acf69 99527->99529 99531 1481a7 59 API calls 99528->99531 99532 1acf81 99529->99532 99535 144f3d 136 API calls 99529->99535 99530->99445 99534 1ace8e 99531->99534 99532->99530 99533 1477c7 59 API calls 99532->99533 99536 1acfb6 99533->99536 99539 1acea2 99534->99539 99540 1aced4 99534->99540 99535->99532 99537 1477c7 59 API calls 99536->99537 99538 1acfbf 99537->99538 99542 1477c7 59 API calls 99538->99542 99543 1481a7 59 API calls 99539->99543 99541 149997 84 API calls 99540->99541 99544 1acee1 99541->99544 99545 1acfc8 99542->99545 99546 1aceb2 99543->99546 99547 1481a7 59 API calls 99544->99547 99548 1477c7 59 API calls 99545->99548 99549 147e0b 59 API calls 99546->99549 99550 1aceed 99547->99550 99551 1acfd1 99548->99551 99552 1acebc 99549->99552 99803 1a4cd3 GetFileAttributesW 99550->99803 99555 149997 84 API calls 99551->99555 99553 149997 84 API calls 99552->99553 99556 1acec8 99553->99556 99558 1acfde 99555->99558 99559 147c8e 59 API calls 99556->99559 99557 1acef6 99560 1acf09 99557->99560 99563 147b52 59 API calls 99557->99563 99561 1446f9 59 API calls 99558->99561 99559->99540 99562 149997 84 API calls 99560->99562 99571 1acf0f 99560->99571 99564 1acff9 99561->99564 99565 1acf36 99562->99565 99563->99560 99566 147b52 59 API calls 99564->99566 99804 1a3a2b 75 API calls Mailbox 99565->99804 99568 1ad008 99566->99568 99569 1ad03c 99568->99569 99570 147b52 59 API calls 99568->99570 99572 1481a7 59 API calls 99569->99572 99573 1ad019 99570->99573 99571->99530 99574 1ad04a 99572->99574 99573->99569 99576 147d2c 59 API calls 99573->99576 99575 147c8e 59 API calls 99574->99575 99577 1ad058 99575->99577 99578 1ad02e 99576->99578 99579 147c8e 59 API calls 99577->99579 99580 147d2c 59 API calls 99578->99580 99581 1ad066 99579->99581 99580->99569 99582 147c8e 59 API calls 99581->99582 99583 1ad074 99582->99583 99584 149997 84 API calls 99583->99584 99585 1ad080 99584->99585 99693 1a42ad 99585->99693 99587 1ad091 99588 1a3e73 3 API calls 99587->99588 99589 1ad09b 99588->99589 99590 149997 84 API calls 99589->99590 99594 1ad0cc 99589->99594 99591 1ad0b9 99590->99591 99747 1a93df 99591->99747 99593 144faa 84 API calls 99593->99530 99594->99593 99595->99441 99596->99445 99597->99439 99598->99443 99600 149997 84 API calls 99599->99600 99601 1bce2e 99600->99601 99620 1bce75 Mailbox 99601->99620 99637 1bdab9 99601->99637 99603 1bd0cd 99604 1bd242 99603->99604 99608 1bd0db 99603->99608 99676 1bdbdc 92 API calls Mailbox 99604->99676 99607 1bd251 99607->99608 99610 1bd25d 99607->99610 99650 1bcc82 99608->99650 99609 149997 84 API calls 99628 1bcec6 Mailbox 99609->99628 99610->99620 99615 1bd114 99665 160e48 99615->99665 99618 1bd12e 99671 1aa0b5 89 API calls 4 library calls 99618->99671 99619 1bd147 99622 14942e 59 API calls 99619->99622 99620->99511 99624 1bd153 99622->99624 99623 1bd139 GetCurrentProcess TerminateProcess 99623->99619 99625 1491b0 59 API calls 99624->99625 99626 1bd169 99625->99626 99634 1bd190 99626->99634 99672 148ea0 59 API calls Mailbox 99626->99672 99628->99603 99628->99609 99628->99620 99669 1af835 59 API calls 2 library calls 99628->99669 99670 1bd2f3 61 API calls 2 library calls 99628->99670 99629 1bd2b8 99629->99620 99633 1bd2cc FreeLibrary 99629->99633 99630 1bd17f 99673 1bd95d 107 API calls _free 99630->99673 99633->99620 99634->99629 99674 148ea0 59 API calls Mailbox 99634->99674 99675 149e9c 60 API calls Mailbox 99634->99675 99677 1bd95d 107 API calls _free 99634->99677 99638 147faf 59 API calls 99637->99638 99639 1bdad4 CharLowerBuffW 99638->99639 99678 19f658 99639->99678 99643 1477c7 59 API calls 99644 1bdb0d 99643->99644 99645 1479ab 59 API calls 99644->99645 99646 1bdb24 99645->99646 99647 147e8c 59 API calls 99646->99647 99648 1bdb30 Mailbox 99647->99648 99649 1bdb6c Mailbox 99648->99649 99685 1bd2f3 61 API calls 2 library calls 99648->99685 99649->99628 99651 1bcc9d 99650->99651 99652 1bccf2 99650->99652 99653 160ff6 Mailbox 59 API calls 99651->99653 99656 1bdd64 99652->99656 99655 1bccbf 99653->99655 99654 160ff6 Mailbox 59 API calls 99654->99655 99655->99652 99655->99654 99657 1bdf8d Mailbox 99656->99657 99664 1bdd87 _strcat _wcscpy __wsetenvp 99656->99664 99657->99615 99658 149c9c 59 API calls 99658->99664 99659 149cf8 59 API calls 99659->99664 99660 149d46 59 API calls 99660->99664 99661 149997 84 API calls 99661->99664 99662 16594c 58 API calls _W_store_winword 99662->99664 99664->99657 99664->99658 99664->99659 99664->99660 99664->99661 99664->99662 99688 1a5b29 61 API calls 2 library calls 99664->99688 99666 160e5d 99665->99666 99667 160ef5 VirtualAlloc 99666->99667 99668 160ec3 99666->99668 99667->99668 99668->99618 99668->99619 99669->99628 99670->99628 99671->99623 99672->99630 99673->99634 99674->99634 99675->99634 99676->99607 99677->99634 99679 19f683 __wsetenvp 99678->99679 99680 19f6c2 99679->99680 99683 19f6b8 99679->99683 99684 19f769 99679->99684 99680->99643 99680->99648 99683->99680 99686 147a24 61 API calls 99683->99686 99684->99680 99687 147a24 61 API calls 99684->99687 99685->99649 99686->99683 99687->99684 99688->99664 99690 1a3e7a 99689->99690 99691 1a46b1 FindFirstFileW 99689->99691 99690->99445 99691->99690 99692 1a46c6 FindClose 99691->99692 99692->99690 99694 1a42c9 99693->99694 99695 1a42ce 99694->99695 99696 1a42dc 99694->99696 99697 1481a7 59 API calls 99695->99697 99698 1477c7 59 API calls 99696->99698 99699 1a42d7 Mailbox 99697->99699 99700 1a42e4 99698->99700 99699->99587 99701 1477c7 59 API calls 99700->99701 99702 1a42ec 99701->99702 99703 1477c7 59 API calls 99702->99703 99704 1a42f7 99703->99704 99705 1477c7 59 API calls 99704->99705 99706 1a42ff 99705->99706 99707 1477c7 59 API calls 99706->99707 99708 1a4307 99707->99708 99709 1477c7 59 API calls 99708->99709 99710 1a430f 99709->99710 99711 1477c7 59 API calls 99710->99711 99712 1a4317 99711->99712 99713 1477c7 59 API calls 99712->99713 99714 1a431f 99713->99714 99715 1446f9 59 API calls 99714->99715 99716 1a4336 99715->99716 99717 1446f9 59 API calls 99716->99717 99718 1a434f 99717->99718 99719 147b52 59 API calls 99718->99719 99720 1a435b 99719->99720 99721 1a436e 99720->99721 99722 147e8c 59 API calls 99720->99722 99723 147b52 59 API calls 99721->99723 99722->99721 99724 1a4377 99723->99724 99725 1a4387 99724->99725 99726 147e8c 59 API calls 99724->99726 99727 1481a7 59 API calls 99725->99727 99726->99725 99728 1a4393 99727->99728 99729 147c8e 59 API calls 99728->99729 99730 1a439f 99729->99730 99805 1a445f 59 API calls 99730->99805 99732 1a43ae 99806 1a445f 59 API calls 99732->99806 99734 1a43c1 99735 147b52 59 API calls 99734->99735 99736 1a43cb 99735->99736 99737 1a43e2 99736->99737 99738 1a43d0 99736->99738 99740 147b52 59 API calls 99737->99740 99739 147e0b 59 API calls 99738->99739 99741 1a43dd 99739->99741 99742 1a43eb 99740->99742 99746 147c8e 59 API calls 99741->99746 99743 1a4409 99742->99743 99745 147e0b 59 API calls 99742->99745 99744 147c8e 59 API calls 99743->99744 99744->99699 99745->99741 99746->99743 99748 1a93ec __ftell_nolock 99747->99748 99749 160ff6 Mailbox 59 API calls 99748->99749 99750 1a9449 99749->99750 99751 14538e 59 API calls 99750->99751 99752 1a9453 99751->99752 99753 1a91e9 GetSystemTimeAsFileTime 99752->99753 99754 1a945e 99753->99754 99755 145045 85 API calls 99754->99755 99756 1a9471 _wcscmp 99755->99756 99757 1a9542 99756->99757 99758 1a9495 99756->99758 99759 1a99be 96 API calls 99757->99759 99760 1a99be 96 API calls 99758->99760 99775 1a950e _wcscat 99759->99775 99761 1a949a 99760->99761 99764 1a954b 99761->99764 99824 16432e 58 API calls __wsplitpath_helper 99761->99824 99763 14506b 74 API calls 99765 1a9567 99763->99765 99764->99594 99766 14506b 74 API calls 99765->99766 99767 1a9577 99766->99767 99769 14506b 74 API calls 99767->99769 99768 1a94c3 _wcscat _wcscpy 99825 16432e 58 API calls __wsplitpath_helper 99768->99825 99771 1a9592 99769->99771 99772 14506b 74 API calls 99771->99772 99773 1a95a2 99772->99773 99774 14506b 74 API calls 99773->99774 99776 1a95bd 99774->99776 99775->99763 99775->99764 99777 14506b 74 API calls 99776->99777 99778 1a95cd 99777->99778 99779 14506b 74 API calls 99778->99779 99780 1a95dd 99779->99780 99781 14506b 74 API calls 99780->99781 99782 1a95ed 99781->99782 99807 1a9b6d GetTempPathW GetTempFileNameW 99782->99807 99784 1a95f9 99785 16548b 115 API calls 99784->99785 99796 1a960a 99785->99796 99786 1a96c4 99787 1655d6 __fcloseall 83 API calls 99786->99787 99788 1a96cf 99787->99788 99790 1a96e9 99788->99790 99791 1a96d5 DeleteFileW 99788->99791 99789 14506b 74 API calls 99789->99796 99792 1a978f CopyFileW 99790->99792 99797 1a96f3 _wcsncpy 99790->99797 99791->99764 99793 1a97b7 DeleteFileW 99792->99793 99794 1a97a5 DeleteFileW 99792->99794 99821 1a9b2c CreateFileW 99793->99821 99794->99764 99796->99764 99796->99786 99796->99789 99808 164a93 99796->99808 99826 1a8d90 116 API calls __fcloseall 99797->99826 99800 1a977a 99800->99793 99801 1a977e DeleteFileW 99800->99801 99801->99764 99802->99520 99803->99557 99804->99571 99805->99732 99806->99734 99807->99784 99809 164a9f __setmbcp 99808->99809 99810 164ad5 99809->99810 99811 164abd 99809->99811 99813 164acd __setmbcp 99809->99813 99814 166e4e __lock_file 59 API calls 99810->99814 99839 168d68 58 API calls __getptd_noexit 99811->99839 99813->99796 99815 164adb 99814->99815 99827 16493a 99815->99827 99816 164ac2 99840 168ff6 9 API calls __filbuf 99816->99840 99822 1a9b68 99821->99822 99823 1a9b52 SetFileTime CloseHandle 99821->99823 99822->99764 99823->99822 99824->99768 99825->99775 99826->99800 99829 164949 99827->99829 99834 164967 99827->99834 99828 164957 99842 168d68 58 API calls __getptd_noexit 99828->99842 99829->99828 99829->99834 99838 164981 _memmove 99829->99838 99831 16495c 99843 168ff6 9 API calls __filbuf 99831->99843 99841 164b0d LeaveCriticalSection LeaveCriticalSection _fprintf 99834->99841 99835 164c6d __flush 78 API calls 99835->99838 99836 164916 __filbuf 58 API calls 99836->99838 99837 16dac6 __write 78 API calls 99837->99838 99838->99834 99838->99835 99838->99836 99838->99837 99844 16b05e 78 API calls 7 library calls 99838->99844 99839->99816 99840->99813 99841->99813 99842->99831 99843->99834 99844->99838 99846 147dbf __wsetenvp 99845->99846 99847 147dd0 _memmove 99846->99847 99848 148189 59 API calls 99846->99848 99847->98354 99849 17f130 _memmove 99848->99849 99850 143633 99851 14366a 99850->99851 99852 1436e7 99851->99852 99853 143688 99851->99853 99889 1436e5 99851->99889 99855 1436ed 99852->99855 99856 17d31c 99852->99856 99857 143695 99853->99857 99858 14375d PostQuitMessage 99853->99858 99854 1436ca DefWindowProcW 99892 1436d8 99854->99892 99862 143715 SetTimer RegisterWindowMessageW 99855->99862 99863 1436f2 99855->99863 99900 1511d0 10 API calls Mailbox 99856->99900 99859 1436a0 99857->99859 99860 17d38f 99857->99860 99858->99892 99864 143767 99859->99864 99865 1436a8 99859->99865 99904 1a2a16 71 API calls _memset 99860->99904 99866 14373e CreatePopupMenu 99862->99866 99862->99892 99869 17d2bf 99863->99869 99870 1436f9 KillTimer 99863->99870 99898 144531 64 API calls _memset 99864->99898 99871 17d374 99865->99871 99872 1436b3 99865->99872 99866->99892 99868 17d343 99901 1511f3 341 API calls Mailbox 99868->99901 99876 17d2c4 99869->99876 99877 17d2f8 MoveWindow 99869->99877 99895 1444cb Shell_NotifyIconW _memset 99870->99895 99871->99854 99903 19817e 59 API calls Mailbox 99871->99903 99879 1436be 99872->99879 99880 14374b 99872->99880 99873 17d3a1 99873->99854 99873->99892 99882 17d2e7 SetFocus 99876->99882 99883 17d2c8 99876->99883 99877->99892 99879->99854 99902 1444cb Shell_NotifyIconW _memset 99879->99902 99897 1445df 81 API calls _memset 99880->99897 99881 14375b 99881->99892 99882->99892 99883->99879 99886 17d2d1 99883->99886 99884 14370c 99896 143114 DeleteObject DestroyWindow Mailbox 99884->99896 99899 1511d0 10 API calls Mailbox 99886->99899 99889->99854 99893 17d368 99894 1443db 68 API calls 99893->99894 99894->99889 99895->99884 99896->99892 99897->99881 99898->99881 99899->99892 99900->99868 99901->99879 99902->99893 99903->99889 99904->99873 99905 14107d 99910 1471eb 99905->99910 99907 14108c 99908 162f80 __cinit 67 API calls 99907->99908 99909 141096 99908->99909 99911 1471fb __ftell_nolock 99910->99911 99912 1477c7 59 API calls 99911->99912 99913 1472b1 99912->99913 99914 144864 61 API calls 99913->99914 99915 1472ba 99914->99915 99941 16074f 99915->99941 99918 147e0b 59 API calls 99919 1472d3 99918->99919 99920 143f84 59 API calls 99919->99920 99921 1472e2 99920->99921 99922 1477c7 59 API calls 99921->99922 99923 1472eb 99922->99923 99924 147eec 59 API calls 99923->99924 99925 1472f4 RegOpenKeyExW 99924->99925 99926 17ecda RegQueryValueExW 99925->99926 99931 147316 Mailbox 99925->99931 99927 17ecf7 99926->99927 99928 17ed6c RegCloseKey 99926->99928 99929 160ff6 Mailbox 59 API calls 99927->99929 99928->99931 99938 17ed7e _wcscat Mailbox __wsetenvp 99928->99938 99930 17ed10 99929->99930 99932 14538e 59 API calls 99930->99932 99931->99907 99933 17ed1b RegQueryValueExW 99932->99933 99934 17ed38 99933->99934 99937 17ed52 99933->99937 99935 147d2c 59 API calls 99934->99935 99935->99937 99936 147b52 59 API calls 99936->99938 99937->99928 99938->99931 99938->99936 99939 147f41 59 API calls 99938->99939 99940 143f84 59 API calls 99938->99940 99939->99938 99940->99938 99942 171b90 __ftell_nolock 99941->99942 99943 16075c GetFullPathNameW 99942->99943 99944 16077e 99943->99944 99945 147d2c 59 API calls 99944->99945 99946 1472c5 99945->99946 99946->99918 99947 1a8f97 99948 1a8faa 99947->99948 99949 1a8fa4 99947->99949 99951 1a8fbb 99948->99951 99952 162f95 _free 58 API calls 99948->99952 99950 162f95 _free 58 API calls 99949->99950 99950->99948 99953 1a8fcd 99951->99953 99954 162f95 _free 58 API calls 99951->99954 99952->99951 99954->99953 99955 180226 99962 14ade2 Mailbox 99955->99962 99956 14b6c1 99968 1aa0b5 89 API calls 4 library calls 99956->99968 99958 180c86 99969 1966f4 59 API calls Mailbox 99958->99969 99960 180c8f 99962->99956 99962->99958 99962->99960 99963 1800e0 VariantClear 99962->99963 99965 1be237 130 API calls 99962->99965 99966 149df0 59 API calls Mailbox 99962->99966 99967 197405 59 API calls 99962->99967 99963->99962 99965->99962 99966->99962 99967->99962 99968->99958 99969->99960

            Executed Functions

            Function 00143B4C Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 153windowCOMMON
            Download Yara Rule

            Control-flow Graph

            APIs
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00143B7A
            • IsDebuggerPresent.KERNEL32 ref: 00143B8C
            • GetFullPathNameW.KERNEL32(00007FFF,?,?,002062F8,002062E0,?,?), ref: 00143BFD
              • Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66
              • Part of subcall function 00150A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00143C26,002062F8,?,?,?), ref: 00150ACE
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00143C81
            • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,001F93F0,00000010), ref: 0017D4BC
            • SetCurrentDirectoryW.KERNEL32(?,002062F8,?,?,?), ref: 0017D4F4
            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,001F5D40,002062F8,?,?,?), ref: 0017D57A
            • ShellExecuteW.SHELL32(00000000,?,?), ref: 0017D581
              • Part of subcall function 00143A58: GetSysColorBrush.USER32(0000000F), ref: 00143A62
              • Part of subcall function 00143A58: LoadCursorW.USER32(00000000,00007F00), ref: 00143A71
              • Part of subcall function 00143A58: LoadIconW.USER32(00000063), ref: 00143A88
              • Part of subcall function 00143A58: LoadIconW.USER32(000000A4), ref: 00143A9A
              • Part of subcall function 00143A58: LoadIconW.USER32(000000A2), ref: 00143AAC
              • Part of subcall function 00143A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00143AD2
              • Part of subcall function 00143A58: RegisterClassExW.USER32(?), ref: 00143B28
              • Part of subcall function 001439E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00143A15
              • Part of subcall function 001439E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00143A36
              • Part of subcall function 001439E7: ShowWindow.USER32(00000000,?,?), ref: 00143A4A
              • Part of subcall function 001439E7: ShowWindow.USER32(00000000,?,?), ref: 00143A53
              • Part of subcall function 001443DB: _memset.LIBCMT ref: 00144401
              • Part of subcall function 001443DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 001444A6
            Strings
            • This is a third-party compiled AutoIt script., xrefs: 0017D4B4
            • runas, xrefs: 0017D575
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
            • String ID: This is a third-party compiled AutoIt script.$runas
            • API String ID: 529118366-3287110873
            • Opcode ID: 8574080a5cb79924e2392eb1db9b4c44e2d31e103cd8f743036e5ced4d2920c2
            • Instruction ID: d410ef53939f6ee2a76991cec09c0eadc4433b2ac285dfdadf62648c1fbba2a0
            • Opcode Fuzzy Hash: 8574080a5cb79924e2392eb1db9b4c44e2d31e103cd8f743036e5ced4d2920c2
            • Instruction Fuzzy Hash: 7C51F530904349AFCF11ABF4EC49EFD7B79AF55700B044169F865A21F2DB709656CB21
            Function 00144AFE Relevance: 10.7, APIs: 7, Instructions: 223COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 996 144afe-144b5e call 1477c7 GetVersionExW call 147d2c 1001 144b64 996->1001 1002 144c69-144c6b 996->1002 1004 144b67-144b6c 1001->1004 1003 17db90-17db9c 1002->1003 1005 17db9d-17dba1 1003->1005 1006 144c70-144c71 1004->1006 1007 144b72 1004->1007 1009 17dba4-17dbb0 1005->1009 1010 17dba3 1005->1010 1008 144b73-144baa call 147e8c call 147886 1006->1008 1007->1008 1018 144bb0-144bb1 1008->1018 1019 17dc8d-17dc90 1008->1019 1009->1005 1012 17dbb2-17dbb7 1009->1012 1010->1009 1012->1004 1014 17dbbd-17dbc4 1012->1014 1014->1003 1016 17dbc6 1014->1016 1020 17dbcb-17dbce 1016->1020 1018->1020 1021 144bb7-144bc2 1018->1021 1022 17dc92 1019->1022 1023 17dca9-17dcad 1019->1023 1024 17dbd4-17dbf2 1020->1024 1025 144bf1-144c08 GetCurrentProcess IsWow64Process 1020->1025 1026 17dc13-17dc19 1021->1026 1027 144bc8-144bca 1021->1027 1028 17dc95 1022->1028 1030 17dcaf-17dcb8 1023->1030 1031 17dc98-17dca1 1023->1031 1024->1025 1029 17dbf8-17dbfe 1024->1029 1032 144c0d-144c1e 1025->1032 1033 144c0a 1025->1033 1038 17dc23-17dc29 1026->1038 1039 17dc1b-17dc1e 1026->1039 1034 144bd0-144bd3 1027->1034 1035 17dc2e-17dc3a 1027->1035 1028->1031 1036 17dc00-17dc03 1029->1036 1037 17dc08-17dc0e 1029->1037 1030->1028 1040 17dcba-17dcbd 1030->1040 1031->1023 1041 144c20-144c30 call 144c95 1032->1041 1042 144c89-144c93 GetSystemInfo 1032->1042 1033->1032 1043 17dc5a-17dc5d 1034->1043 1044 144bd9-144be8 1034->1044 1046 17dc44-17dc4a 1035->1046 1047 17dc3c-17dc3f 1035->1047 1036->1025 1037->1025 1038->1025 1039->1025 1040->1031 1053 144c32-144c3f call 144c95 1041->1053 1054 144c7d-144c87 GetSystemInfo 1041->1054 1045 144c56-144c66 1042->1045 1043->1025 1052 17dc63-17dc78 1043->1052 1049 17dc4f-17dc55 1044->1049 1050 144bee 1044->1050 1046->1025 1047->1025 1049->1025 1050->1025 1055 17dc82-17dc88 1052->1055 1056 17dc7a-17dc7d 1052->1056 1061 144c76-144c7b 1053->1061 1062 144c41-144c45 GetNativeSystemInfo 1053->1062 1057 144c47-144c4b 1054->1057 1055->1025 1056->1025 1057->1045 1059 144c4d-144c50 FreeLibrary 1057->1059 1059->1045 1061->1062 1062->1057
            APIs
            • GetVersionExW.KERNEL32(?), ref: 00144B2B
              • Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66
            • GetCurrentProcess.KERNEL32(?,001CFAEC,00000000,00000000,?), ref: 00144BF8
            • IsWow64Process.KERNEL32(00000000), ref: 00144BFF
            • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00144C45
            • FreeLibrary.KERNEL32(00000000), ref: 00144C50
            • GetSystemInfo.KERNEL32(00000000), ref: 00144C81
            • GetSystemInfo.KERNEL32(00000000), ref: 00144C8D
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
            • String ID:
            • API String ID: 1986165174-0
            • Opcode ID: 9aaa6954283b27d086ca2e2e9406a03fd3a8294566843cb5c6b8470b50453044
            • Instruction ID: a830e56a5a5826339848124468141a9dc6bb59db4bcd742f735bf4385d672dca
            • Opcode Fuzzy Hash: 9aaa6954283b27d086ca2e2e9406a03fd3a8294566843cb5c6b8470b50453044
            • Instruction Fuzzy Hash: D891023154A7C4DFC731CB6894A16AABFF5AF2A300B48899ED0CA83A11D321E948C719
            Function 00144FE9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 1104 144fe9-145001 CreateStreamOnHGlobal 1105 145021-145026 1104->1105 1106 145003-14501a FindResourceExW 1104->1106 1107 145020 1106->1107 1108 17dd5c-17dd6b LoadResource 1106->1108 1107->1105 1108->1107 1109 17dd71-17dd7f SizeofResource 1108->1109 1109->1107 1110 17dd85-17dd90 LockResource 1109->1110 1110->1107 1111 17dd96-17ddb4 1110->1111 1111->1107
            APIs
            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00144EEE,?,?,00000000,00000000), ref: 00144FF9
            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00144EEE,?,?,00000000,00000000), ref: 00145010
            • LoadResource.KERNEL32(?,00000000,?,?,00144EEE,?,?,00000000,00000000,?,?,?,?,?,?,00144F8F), ref: 0017DD60
            • SizeofResource.KERNEL32(?,00000000,?,?,00144EEE,?,?,00000000,00000000,?,?,?,?,?,?,00144F8F), ref: 0017DD75
            • LockResource.KERNEL32(00144EEE,?,?,00144EEE,?,?,00000000,00000000,?,?,?,?,?,?,00144F8F,00000000), ref: 0017DD88
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
            • String ID: SCRIPT
            • API String ID: 3051347437-3967369404
            • Opcode ID: fd37e01153b13b80d4c3ac7e03efc16eae9bd6b99cefbca432d6e01b22da4b07
            • Instruction ID: caf18e0488737fe0232655936c3069a923950a34df03016f04cd481fb3b5cb7f
            • Opcode Fuzzy Hash: fd37e01153b13b80d4c3ac7e03efc16eae9bd6b99cefbca432d6e01b22da4b07
            • Instruction Fuzzy Hash: 7F112A75240701AFE7218B65DC58F677BBEEBC9B51F20816CF406976A0DB61EC418660
            Function 0014E800 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID: Dt $Dt $Dt $Dt $Variable must be of type 'Object'.
            • API String ID: 0-897441941
            • Opcode ID: 727252ec93853f10dfbffdae195910316bb697bd01a8bd1f4803cd97c6a48924
            • Instruction ID: 0a9ccd2e64f49bca4e3ab8a7941f07036bb4e2ce5b1cc586a8620f89982c5f9a
            • Opcode Fuzzy Hash: 727252ec93853f10dfbffdae195910316bb697bd01a8bd1f4803cd97c6a48924
            • Instruction Fuzzy Hash: 4DA28B74A04216CFCB24CF58C480AAEB7F2FF58314F658169E916AB362D771ED42CB91
            Function 001A4696 Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON
            Download Yara Rule
            APIs
            • GetFileAttributesW.KERNELBASE(?,0017E7C1), ref: 001A46A6
            • FindFirstFileW.KERNELBASE(?,?), ref: 001A46B7
            • FindClose.KERNEL32(00000000), ref: 001A46C7
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: FileFind$AttributesCloseFirst
            • String ID:
            • API String ID: 48322524-0
            • Opcode ID: d357c17af58643852f7096a463c0dc525e75c77c3b73d80266c50b12f7f486f7
            • Instruction ID: d79610b499294b30b63db9bad43ad4e08b7225862b5d272e9ed13c788ea2ba3f
            • Opcode Fuzzy Hash: d357c17af58643852f7096a463c0dc525e75c77c3b73d80266c50b12f7f486f7
            • Instruction Fuzzy Hash: 8EE0D8358108006B42106738EC4D8EA7B5D9F47335F100719F879C14E0E7F0D9948599
            Function 00150B30 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON
            Download Yara Rule
            APIs
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00150BBB
            • timeGetTime.WINMM ref: 00150E76
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00150FB3
            • TranslateMessage.USER32(?), ref: 00150FC7
            • DispatchMessageW.USER32(?), ref: 00150FD5
            • Sleep.KERNEL32(0000000A), ref: 00150FDF
            • LockWindowUpdate.USER32(00000000,?,?), ref: 0015105A
            • DestroyWindow.USER32 ref: 00151066
            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00151080
            • Sleep.KERNEL32(0000000A,?,?), ref: 001852AD
            • TranslateMessage.USER32(?), ref: 0018608A
            • DispatchMessageW.USER32(?), ref: 00186098
            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 001860AC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
            • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pr $pr $pr $pr
            • API String ID: 4003667617-2119928952
            • Opcode ID: 075ca4b1471739dcd4a42576de7c06fa3eea3682a5b84c2fe7dbe16de2b79284
            • Instruction ID: 4635fd79012f9bccf10196cd7fcdc641eae468e1527f4569e3d76f8cfb80b5c2
            • Opcode Fuzzy Hash: 075ca4b1471739dcd4a42576de7c06fa3eea3682a5b84c2fe7dbe16de2b79284
            • Instruction Fuzzy Hash: 4EB2B170608741DFD729DF24C885BAABBE6FF94304F14491DE8998B2A1DB70E949CF42
            Function 001A93DF Relevance: 19.8, APIs: 13, Instructions: 322fileCOMMON
            Download Yara Rule

            Control-flow Graph

            APIs
              • Part of subcall function 001A91E9: __time64.LIBCMT ref: 001A91F3
              • Part of subcall function 00145045: _fseek.LIBCMT ref: 0014505D
            • __wsplitpath.LIBCMT ref: 001A94BE
              • Part of subcall function 0016432E: __wsplitpath_helper.LIBCMT ref: 0016436E
            • _wcscpy.LIBCMT ref: 001A94D1
            • _wcscat.LIBCMT ref: 001A94E4
            • __wsplitpath.LIBCMT ref: 001A9509
            • _wcscat.LIBCMT ref: 001A951F
            • _wcscat.LIBCMT ref: 001A9532
              • Part of subcall function 001A922F: _memmove.LIBCMT ref: 001A9268
              • Part of subcall function 001A922F: _memmove.LIBCMT ref: 001A9277
            • _wcscmp.LIBCMT ref: 001A9479
              • Part of subcall function 001A99BE: _wcscmp.LIBCMT ref: 001A9AAE
              • Part of subcall function 001A99BE: _wcscmp.LIBCMT ref: 001A9AC1
            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 001A96DC
            • _wcsncpy.LIBCMT ref: 001A974F
            • DeleteFileW.KERNEL32(?,?), ref: 001A9785
            • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 001A979B
            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001A97AC
            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 001A97BE
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
            • String ID:
            • API String ID: 1500180987-0
            • Opcode ID: c358c374e1b9dc2a001e08a4dab6e5bb5b3d7191430bdc8f1b5ddcc49f5a040d
            • Instruction ID: f7e3e26b2e55b88003876d78f5bda97d125d72572ec7a5a90062a83ee17c6031
            • Opcode Fuzzy Hash: c358c374e1b9dc2a001e08a4dab6e5bb5b3d7191430bdc8f1b5ddcc49f5a040d
            • Instruction Fuzzy Hash: 11C12CB5D00229ABDF21DFA4CC85EDEBBBDAF55310F1040AAF609E7151DB309A848F65
            Function 00143015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73windowregistryCOMMON
            Download Yara Rule

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00143074
            • RegisterClassExW.USER32(00000030), ref: 0014309E
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001430AF
            • InitCommonControlsEx.COMCTL32(?), ref: 001430CC
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001430DC
            • LoadIconW.USER32(000000A9), ref: 001430F2
            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00143101
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
            • API String ID: 2914291525-1005189915
            • Opcode ID: a216aaf64e4f487187b88f628d83e89abcf4076c6187f0e1691214382d19b9e2
            • Instruction ID: 2b02bd1736cfce650e8fd8b3defc56be2c44cd9c1918d34e502c9150f140b2b7
            • Opcode Fuzzy Hash: a216aaf64e4f487187b88f628d83e89abcf4076c6187f0e1691214382d19b9e2
            • Instruction Fuzzy Hash: 943158B1804309EFEB408FA4EC89AC9BFF1FB09310F10812EF550A62A1D7B545A6CF50
            Function 00143041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54windowregistryCOMMON
            Download Yara Rule

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00143074
            • RegisterClassExW.USER32(00000030), ref: 0014309E
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001430AF
            • InitCommonControlsEx.COMCTL32(?), ref: 001430CC
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001430DC
            • LoadIconW.USER32(000000A9), ref: 001430F2
            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00143101
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
            • API String ID: 2914291525-1005189915
            • Opcode ID: 9f6830f80e1083ed444b3ae3a45159da1aa3170ee08f547cd7adc9397541be4b
            • Instruction ID: 48a57b214480cdb6d94a395e9afb2e64bf3a37bbd2a686309b72f3d57215d4f8
            • Opcode Fuzzy Hash: 9f6830f80e1083ed444b3ae3a45159da1aa3170ee08f547cd7adc9397541be4b
            • Instruction Fuzzy Hash: 5221C5B5900318EFDB00DFA4E94DB9DBFF6FB08700F10812AF911A62A1D7B185958F95
            Function 001471EB Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201registryCOMMON
            Download Yara Rule

            Control-flow Graph

            APIs
              • Part of subcall function 00144864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,002062F8,?,001437C0,?), ref: 00144882
              • Part of subcall function 0016074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,001472C5), ref: 00160771
            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00147308
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0017ECF1
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0017ED32
            • RegCloseKey.ADVAPI32(?), ref: 0017ED70
            • _wcscat.LIBCMT ref: 0017EDC9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
            • API String ID: 2673923337-2727554177
            • Opcode ID: 6dd4434026cf8f64051e34dbd47290f35ad66fdfa43924464fb743c82e818884
            • Instruction ID: 1f7b2dd6c00a03843ef08a01d0a68417f5c176ef0f131fa0257ab74366a989cc
            • Opcode Fuzzy Hash: 6dd4434026cf8f64051e34dbd47290f35ad66fdfa43924464fb743c82e818884
            • Instruction Fuzzy Hash: DB7171719083019EC714EF65EC8599BBBF8FF68740F54492EF845931B2EB30A949CBA1
            Function 00143A58 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71windowregistryCOMMON
            Download Yara Rule

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 00143A62
            • LoadCursorW.USER32(00000000,00007F00), ref: 00143A71
            • LoadIconW.USER32(00000063), ref: 00143A88
            • LoadIconW.USER32(000000A4), ref: 00143A9A
            • LoadIconW.USER32(000000A2), ref: 00143AAC
            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00143AD2
            • RegisterClassExW.USER32(?), ref: 00143B28
              • Part of subcall function 00143041: GetSysColorBrush.USER32(0000000F), ref: 00143074
              • Part of subcall function 00143041: RegisterClassExW.USER32(00000030), ref: 0014309E
              • Part of subcall function 00143041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001430AF
              • Part of subcall function 00143041: InitCommonControlsEx.COMCTL32(?), ref: 001430CC
              • Part of subcall function 00143041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 001430DC
              • Part of subcall function 00143041: LoadIconW.USER32(000000A9), ref: 001430F2
              • Part of subcall function 00143041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00143101
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
            • String ID: #$0$AutoIt v3
            • API String ID: 423443420-4155596026
            • Opcode ID: 9b719711baeb123f1ac06cc01274af2d5b4d52ad45769ca7cf2eeb4944bb6ff2
            • Instruction ID: 56ab99b4d102798e001fa36389f3d0516bfe70a3a72868838f83ffd7226c6cd2
            • Opcode Fuzzy Hash: 9b719711baeb123f1ac06cc01274af2d5b4d52ad45769ca7cf2eeb4944bb6ff2
            • Instruction Fuzzy Hash: 78211771900308EFEB109FA4FC0DB9D7FB6EB08721F10412AF904A62A2D3B656658F94
            Function 00143778 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267COMMON
            Download Yara Rule

            Control-flow Graph

            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$b
            • API String ID: 1825951767-1911826871
            • Opcode ID: 1820639c3506ef740de45a020de4be7f85b68321abdb1499a68ec2704902318a
            • Instruction ID: db858a884246f9245f9cae024529b3c0ece6646ff0146dbfe222c9dd4ebfeffb
            • Opcode Fuzzy Hash: 1820639c3506ef740de45a020de4be7f85b68321abdb1499a68ec2704902318a
            • Instruction Fuzzy Hash: 57A13F7191022D9EDF04EBA0DC96EEEB779BF24310F540529F416B71A2DF749A09CB60
            Function 00143633 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 151windowtimeregistryCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 885 143633-143681 887 1436e1-1436e3 885->887 888 143683-143686 885->888 887->888 889 1436e5 887->889 890 1436e7 888->890 891 143688-14368f 888->891 892 1436ca-1436d2 DefWindowProcW 889->892 893 1436ed-1436f0 890->893 894 17d31c-17d34a call 1511d0 call 1511f3 890->894 895 143695-14369a 891->895 896 14375d-143765 PostQuitMessage 891->896 900 1436d8-1436de 892->900 902 143715-14373c SetTimer RegisterWindowMessageW 893->902 903 1436f2-1436f3 893->903 929 17d34f-17d356 894->929 897 1436a0-1436a2 895->897 898 17d38f-17d3a3 call 1a2a16 895->898 901 143711-143713 896->901 904 143767-143776 call 144531 897->904 905 1436a8-1436ad 897->905 898->901 921 17d3a9 898->921 901->900 902->901 906 14373e-143749 CreatePopupMenu 902->906 909 17d2bf-17d2c2 903->909 910 1436f9-14370c KillTimer call 1444cb call 143114 903->910 904->901 911 17d374-17d37b 905->911 912 1436b3-1436b8 905->912 906->901 916 17d2c4-17d2c6 909->916 917 17d2f8-17d317 MoveWindow 909->917 910->901 911->892 927 17d381-17d38a call 19817e 911->927 919 1436be-1436c4 912->919 920 14374b-14375b call 1445df 912->920 924 17d2e7-17d2f3 SetFocus 916->924 925 17d2c8-17d2cb 916->925 917->901 919->892 919->929 920->901 921->892 924->901 925->919 930 17d2d1-17d2e2 call 1511d0 925->930 927->892 929->892 935 17d35c-17d36f call 1444cb call 1443db 929->935 930->901 935->892
            APIs
            • DefWindowProcW.USER32(?,?,?,?), ref: 001436D2
            • KillTimer.USER32(?,00000001), ref: 001436FC
            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0014371F
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0014372A
            • CreatePopupMenu.USER32 ref: 0014373E
            • PostQuitMessage.USER32(00000000), ref: 0014375F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
            • String ID: TaskbarCreated
            • API String ID: 129472671-2362178303
            • Opcode ID: 46206c48ee142142dc0e657a06e51483495479df520cf98e31e0c5d4a53e18ed
            • Instruction ID: d7ea5aafea430fa8994c0ec5801cd9404bb30c90f911f6f1d4e9ecd930511772
            • Opcode Fuzzy Hash: 46206c48ee142142dc0e657a06e51483495479df520cf98e31e0c5d4a53e18ed
            • Instruction Fuzzy Hash: DB4126B120030ABBDF186F28EC4DB793B66EB10351F150129F966862F3CB609E659771
            Function 00B125E0 Relevance: 10.7, APIs: 7, Instructions: 239fileCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 942 b125e0-b1268e call b10000 945 b12695-b126bb call b134f0 CreateFileW 942->945 948 b126c2-b126d2 945->948 949 b126bd 945->949 957 b126d4 948->957 958 b126d9-b126f3 VirtualAlloc 948->958 950 b1280d-b12811 949->950 951 b12853-b12856 950->951 952 b12813-b12817 950->952 954 b12859-b12860 951->954 955 b12823-b12827 952->955 956 b12819-b1281c 952->956 961 b12862-b1286d 954->961 962 b128b5-b128ca 954->962 963 b12837-b1283b 955->963 964 b12829-b12833 955->964 956->955 957->950 959 b126f5 958->959 960 b126fa-b12711 ReadFile 958->960 959->950 965 b12713 960->965 966 b12718-b12758 VirtualAlloc 960->966 967 b12871-b1287d 961->967 968 b1286f 961->968 969 b128da-b128e2 962->969 970 b128cc-b128d7 VirtualFree 962->970 971 b1284b 963->971 972 b1283d-b12847 963->972 964->963 965->950 973 b1275a 966->973 974 b1275f-b1277a call b13740 966->974 975 b12891-b1289d 967->975 976 b1287f-b1288f 967->976 968->962 970->969 971->951 972->971 973->950 982 b12785-b1278f 974->982 979 b128aa-b128b0 975->979 980 b1289f-b128a8 975->980 978 b128b3 976->978 978->954 979->978 980->978 983 b12791-b127c0 call b13740 982->983 984 b127c2-b127d6 call b13550 982->984 983->982 989 b127d8 984->989 990 b127da-b127de 984->990 989->950 992 b127e0-b127e4 CloseHandle 990->992 993 b127ea-b127ee 990->993 992->993 994 b127f0-b127fb VirtualFree 993->994 995 b127fe-b12807 993->995 994->995 995->945 995->950
            APIs
            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00B126B1
            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B128D7
            Memory Dump Source
            • Source File: 00000000.00000002.1729452941.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_b10000_Salary_Receipt.jbxd
            Similarity
            • API ID: CreateFileFreeVirtual
            • String ID:
            • API String ID: 204039940-0
            • Opcode ID: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
            • Instruction ID: 38832f4294858d236510bdbed7298053530ca62001d83b989151f66d1d75b9a6
            • Opcode Fuzzy Hash: 014c9b5c74d83c0a726ef6016946af978a068631e2f3efa1e9065a42f07dad7c
            • Instruction Fuzzy Hash: 3AA10474E00209EBDB14CFA4C894BEEBBB5FF48704F608199E501BB280D7759E91CBA4
            Function 0014F8CF Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 168comCOMMON
            Download Yara Rule

            Control-flow Graph

            APIs
              • Part of subcall function 001603A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 001603D3
              • Part of subcall function 001603A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 001603DB
              • Part of subcall function 001603A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 001603E6
              • Part of subcall function 001603A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 001603F1
              • Part of subcall function 001603A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 001603F9
              • Part of subcall function 001603A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 00160401
              • Part of subcall function 00156259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0014FA90), ref: 001562B4
            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0014FB2D
            • OleInitialize.OLE32(00000000), ref: 0014FBAA
            • CloseHandle.KERNEL32(00000000), ref: 001849F2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
            • String ID: <g $\d $c
            • API String ID: 1986988660-3401425438
            • Opcode ID: aa8d2e555aae9232844f1fb5e69f7efeed02b17aedb6d98d94ebdd0a04bc99a1
            • Instruction ID: c18d59899779ece2121eedde0aad1ad32cca100b6a81d0f12062dea4cf403486
            • Opcode Fuzzy Hash: aa8d2e555aae9232844f1fb5e69f7efeed02b17aedb6d98d94ebdd0a04bc99a1
            • Instruction Fuzzy Hash: FB81A9B09113508EC3A4DF69FD9C615BAE5FB69708750816EE418CB3B3EB318465CF61
            Function 00169D26 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 1114 169d26-169d32 call 1633c7 call 169f7c 1119 169d34-169d3b call 169d9c 1114->1119 1120 169d3c-169d4f call 169fca 1114->1120 1120->1119 1125 169d51-169d59 call 168a15 1120->1125 1127 169d5e-169d64 1125->1127 1128 169d66-169d76 call 16a026 1127->1128 1129 169d93-169d9b call 169d9c 1127->1129 1128->1129 1134 169d78-169d92 call 169c73 GetCurrentThreadId 1128->1134
            APIs
            • __init_pointers.LIBCMT ref: 00169D26
              • Part of subcall function 001633C7: EncodePointer.KERNEL32(00000000), ref: 001633CA
              • Part of subcall function 001633C7: __initp_misc_winsig.LIBCMT ref: 001633E5
              • Part of subcall function 001633C7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0016A0E0
              • Part of subcall function 001633C7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0016A0F4
              • Part of subcall function 001633C7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0016A107
              • Part of subcall function 001633C7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0016A11A
              • Part of subcall function 001633C7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0016A12D
              • Part of subcall function 001633C7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0016A140
              • Part of subcall function 001633C7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0016A153
              • Part of subcall function 001633C7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0016A166
              • Part of subcall function 001633C7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 0016A179
              • Part of subcall function 001633C7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0016A18C
              • Part of subcall function 001633C7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0016A19F
              • Part of subcall function 001633C7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0016A1B2
              • Part of subcall function 001633C7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0016A1C5
              • Part of subcall function 001633C7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0016A1D8
              • Part of subcall function 001633C7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0016A1EB
              • Part of subcall function 001633C7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0016A1FE
            • __mtinitlocks.LIBCMT ref: 00169D2B
            • __mtterm.LIBCMT ref: 00169D34
              • Part of subcall function 00169D9C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00169D39,00167F0D,001FBD38,00000014), ref: 00169E96
              • Part of subcall function 00169D9C: _free.LIBCMT ref: 00169E9D
              • Part of subcall function 00169D9C: DeleteCriticalSection.KERNEL32(0B ,?,?,00169D39,00167F0D,001FBD38,00000014), ref: 00169EBF
            • __calloc_crt.LIBCMT ref: 00169D59
            • __initptd.LIBCMT ref: 00169D7B
            • GetCurrentThreadId.KERNEL32 ref: 00169D82
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
            • String ID:
            • API String ID: 3567560977-0
            • Opcode ID: d1bf151b90f1b7886d495abda760fe446de1d2d18503de708cb4f31d3ba46775
            • Instruction ID: 6c47a1b4044e3df6eb99d9523891d203f681b57bcdeb891c88ec5ed9f26cf26b
            • Opcode Fuzzy Hash: d1bf151b90f1b7886d495abda760fe446de1d2d18503de708cb4f31d3ba46775
            • Instruction Fuzzy Hash: 60F090325197126BEA347BF4BC0376A2A99EF11730F21463AF464D95E2EF7088614590
            Function 001439E7 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44COMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 1137 1439e7-143a57 CreateWindowExW * 2 ShowWindow * 2
            APIs
            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00143A15
            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00143A36
            • ShowWindow.USER32(00000000,?,?), ref: 00143A4A
            • ShowWindow.USER32(00000000,?,?), ref: 00143A53
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$CreateShow
            • String ID: AutoIt v3$edit
            • API String ID: 1584632944-3779509399
            • Opcode ID: d53d438b2084c38d7ea75b9a6df721233ac68f4c6c600572e9a2c8e4e1ddd352
            • Instruction ID: 057a07a0f93af01a09557812b1796e7d24d0a11e46906040d340fe574bb93490
            • Opcode Fuzzy Hash: d53d438b2084c38d7ea75b9a6df721233ac68f4c6c600572e9a2c8e4e1ddd352
            • Instruction Fuzzy Hash: 6AF0B271641390BEEA211B27BC4DE673E7EE7C6F50B00412EBD04A21A1C6A65862DAB0
            Function 00B123B0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 142fileCOMMON
            Download Yara Rule

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 1138 b123b0-b124d5 call b10000 call b122a0 CreateFileW 1145 b124d7 1138->1145 1146 b124dc-b124ec 1138->1146 1147 b1258c-b12591 1145->1147 1149 b124f3-b1250d VirtualAlloc 1146->1149 1150 b124ee 1146->1150 1151 b12511-b12528 ReadFile 1149->1151 1152 b1250f 1149->1152 1150->1147 1153 b1252a 1151->1153 1154 b1252c-b12566 call b122e0 call b112a0 1151->1154 1152->1147 1153->1147 1159 b12582-b1258a ExitProcess 1154->1159 1160 b12568-b1257d call b12330 1154->1160 1159->1147 1160->1159
            APIs
              • Part of subcall function 00B122A0: Sleep.KERNELBASE(000001F4), ref: 00B122B1
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00B124CB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729452941.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_b10000_Salary_Receipt.jbxd
            Similarity
            • API ID: CreateFileSleep
            • String ID: 5RQ37DQCF5
            • API String ID: 2694422964-1946335759
            • Opcode ID: 0241d1407be0344f7efe922677fdb63c83abb8cf8e59d62c293aae01abd71a3d
            • Instruction ID: 3352e8029d866349e18f6511ec678806a8a10b072a12befad658ecded81f01b8
            • Opcode Fuzzy Hash: 0241d1407be0344f7efe922677fdb63c83abb8cf8e59d62c293aae01abd71a3d
            • Instruction Fuzzy Hash: 66519330D14249DBEF14DBE4C855BEEBBB9EF54300F104199E608BB2C0D6B91B85CBA5
            Function 0014410D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88windowCOMMON
            Download Yara Rule
            APIs
            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 0017D5EC
              • Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66
            • _memset.LIBCMT ref: 0014418D
            • _wcscpy.LIBCMT ref: 001441E1
            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001441F1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
            • String ID: Line:
            • API String ID: 3942752672-1585850449
            • Opcode ID: 0225c493664dcdaaeff846196102ea500f719762b269f87490348833a64c90d7
            • Instruction ID: 9a82275d0f50eaadd8d89061fa1080c3a77e720c1de3d301ba5dc2fe1b7d790a
            • Opcode Fuzzy Hash: 0225c493664dcdaaeff846196102ea500f719762b269f87490348833a64c90d7
            • Instruction Fuzzy Hash: A931D471008314AFE721EB60EC8AFDB77E8AF64710F10451EF585920F2EB74A658C792
            Function 001469CA Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00144F3D: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00144F6F
            • _free.LIBCMT ref: 0017E68C
            • _free.LIBCMT ref: 0017E6D3
              • Part of subcall function 00146BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00146D0D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _free$CurrentDirectoryLibraryLoad
            • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
            • API String ID: 2861923089-1757145024
            • Opcode ID: 3434ec2d5e23c5c0d3be2526bbd36836d08cb52473b26a042443ef0ac6af69dd
            • Instruction ID: 537251c09e6d4eed3ad4ce50653fc2c07fdb584c2694dde2306deeabc5793e80
            • Opcode Fuzzy Hash: 3434ec2d5e23c5c0d3be2526bbd36836d08cb52473b26a042443ef0ac6af69dd
            • Instruction Fuzzy Hash: FF914071910219AFCF04EFA4CC919EDB7F5FF29314F148469F81AAB2A1EB309915CB60
            Function 001435B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON
            Download Yara Rule
            APIs
            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,001435A1,SwapMouseButtons,00000004,?), ref: 001435D4
            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,001435A1,SwapMouseButtons,00000004,?,?,?,?,00142754), ref: 001435F5
            • RegCloseKey.KERNELBASE(00000000,?,?,001435A1,SwapMouseButtons,00000004,?,?,?,?,00142754), ref: 00143617
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CloseOpenQueryValue
            • String ID: Control Panel\Mouse
            • API String ID: 3677997916-824357125
            • Opcode ID: 8b84dcf91302994fc694a00a123c2009e6ba09aeed63435e457576d1a1bd0668
            • Instruction ID: d0948de279adfe1e4d8c9c018db867087109609119d1b3b7c50f2ddc4f32c43b
            • Opcode Fuzzy Hash: 8b84dcf91302994fc694a00a123c2009e6ba09aeed63435e457576d1a1bd0668
            • Instruction Fuzzy Hash: 3C115775610209BFDB209FA4DC80EEEBBB9EF04740F128469F805D7220E3719F519BA0
            Function 00B112A0 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON
            Download Yara Rule
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 00B11A5B
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00B11AF1
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00B11B13
            Memory Dump Source
            • Source File: 00000000.00000002.1729452941.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_b10000_Salary_Receipt.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
            • Instruction ID: b955d0ad096c7f4d19fcc99e6c8682b8526edfc170db9702bebb7de50862e0d1
            • Opcode Fuzzy Hash: cc658a0e6010fd3573e63fe9dffc1f366d2843c5c23e1a249a06af30add5367b
            • Instruction Fuzzy Hash: 7A622B30A14258DBEB24CFA4C840BDEB376EF58700F5095A9D20DEB394E7799E81CB59
            Function 001A97E5 Relevance: 6.2, APIs: 4, Instructions: 155COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00145045: _fseek.LIBCMT ref: 0014505D
              • Part of subcall function 001A99BE: _wcscmp.LIBCMT ref: 001A9AAE
              • Part of subcall function 001A99BE: _wcscmp.LIBCMT ref: 001A9AC1
            • _free.LIBCMT ref: 001A992C
            • _free.LIBCMT ref: 001A9933
            • _free.LIBCMT ref: 001A999E
              • Part of subcall function 00162F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00169C64), ref: 00162FA9
              • Part of subcall function 00162F95: GetLastError.KERNEL32(00000000,?,00169C64), ref: 00162FBB
            • _free.LIBCMT ref: 001A99A6
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
            • String ID:
            • API String ID: 1552873950-0
            • Opcode ID: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
            • Instruction ID: 69d425b7a28c532f37cd6811ccdc718d459e0bb7a035288f7ac6f2a0bf7e8d8b
            • Opcode Fuzzy Hash: c040f5d591410a8d3afab51092a26b6f5939c84b98243336257d617f1f09bfd3
            • Instruction Fuzzy Hash: AB517FB5D04218AFDF249F64CC81A9EBBBAEF49300F1004AEF209A7251DB355E90CF58
            Function 0016493A Relevance: 6.1, APIs: 4, Instructions: 136COMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: __flsbuf__flush__getptd_noexit__write_memmove
            • String ID:
            • API String ID: 2782032738-0
            • Opcode ID: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
            • Instruction ID: fa74040151d5b66ee3e43b83b9914cd7defe7a3a677eb53bfbb7d86a6d97e4cd
            • Opcode Fuzzy Hash: 14470a6213cb86a88b8286372661136e60ed3d9327b1e96cf2061ba74b92ecb7
            • Instruction Fuzzy Hash: 6741E334A80606AFDF28CEA9CC909BF7BA6EF84364B24813DE856C7640D7709D60CB44
            Function 001473E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON
            Download Yara Rule
            APIs
            • _memset.LIBCMT ref: 0017EE62
            • GetOpenFileNameW.COMDLG32(?), ref: 0017EEAC
              • Part of subcall function 001448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001448A1,?,?,001437C0,?), ref: 001448CE
              • Part of subcall function 001609D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001609F4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Name$Path$FileFullLongOpen_memset
            • String ID: X
            • API String ID: 3777226403-3081909835
            • Opcode ID: 3f3c8462a79343c04aeb3b86af7109cf196e0cdd06d2e8a2df4d42fabc944280
            • Instruction ID: 617b1a16efef64f5d8b5af65723783c4c2d1137342cb84d1b0f8a8674d3a4fb2
            • Opcode Fuzzy Hash: 3f3c8462a79343c04aeb3b86af7109cf196e0cdd06d2e8a2df4d42fabc944280
            • Instruction Fuzzy Hash: 8021D170A102889BCB059F94C805BEE7BF99F49304F00805AE408B7281DBB449898BA1
            Function 001A9B6D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON
            Download Yara Rule
            APIs
            • GetTempPathW.KERNEL32(00000104,?), ref: 001A9B82
            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 001A9B99
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Temp$FileNamePath
            • String ID: aut
            • API String ID: 3285503233-3010740371
            • Opcode ID: 95b339481dff12f8301763503bfc77d00631bd1cee4416ebeed3e96959246f75
            • Instruction ID: e5fc9aa652bc765828830b2275a8b2ed0c8daf8e51cf2dc88fd78b24eb914e77
            • Opcode Fuzzy Hash: 95b339481dff12f8301763503bfc77d00631bd1cee4416ebeed3e96959246f75
            • Instruction Fuzzy Hash: 9FD05E7A54030DABDB109B90DC0EFAABB3CEB04700F0042A1BF55920A1DEB4D5DA8B91
            Function 001BCDF1 Relevance: 4.9, APIs: 3, Instructions: 392COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 6093b9ae17212609c68a8a839783f6b67d2ed3beecdb28a651b7819f68ee4f21
            • Instruction ID: b40f8bfa4f086b642bc77a620bad08eb4d2cddaedb5f2897de21e5cc31d1fe6f
            • Opcode Fuzzy Hash: 6093b9ae17212609c68a8a839783f6b67d2ed3beecdb28a651b7819f68ee4f21
            • Instruction Fuzzy Hash: 66F14A706083419FCB18DF28C484A6ABBE5FF98314F54896EF8999B351E731E945CF82
            Function 001443DB Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON
            Download Yara Rule
            APIs
            • _memset.LIBCMT ref: 00144401
            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 001444A6
            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 001444C3
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: IconNotifyShell_$_memset
            • String ID:
            • API String ID: 1505330794-0
            • Opcode ID: db16940ff0285cfdcca2045bc1486fcaf0bf4df0c278aef7e6db75f1c03bbebe
            • Instruction ID: 35ce613f93e961cc4c3954636ae62deb62d20088017696215630d6cf3715fae4
            • Opcode Fuzzy Hash: db16940ff0285cfdcca2045bc1486fcaf0bf4df0c278aef7e6db75f1c03bbebe
            • Instruction Fuzzy Hash: 5D3194B06057018FD720DF34E888B9BBBF8FB59314F04092EF99A83251D775A948CB92
            Function 0016594C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • __FF_MSGBANNER.LIBCMT ref: 00165963
              • Part of subcall function 0016A3AB: __NMSG_WRITE.LIBCMT ref: 0016A3D2
              • Part of subcall function 0016A3AB: __NMSG_WRITE.LIBCMT ref: 0016A3DC
            • __NMSG_WRITE.LIBCMT ref: 0016596A
              • Part of subcall function 0016A408: GetModuleFileNameW.KERNEL32(00000000,002043BA,00000104,?,00000001,00000000), ref: 0016A49A
              • Part of subcall function 0016A408: ___crtMessageBoxW.LIBCMT ref: 0016A548
              • Part of subcall function 001632DF: ___crtCorExitProcess.LIBCMT ref: 001632E5
              • Part of subcall function 001632DF: ExitProcess.KERNEL32 ref: 001632EE
              • Part of subcall function 00168D68: __getptd_noexit.LIBCMT ref: 00168D68
            • RtlAllocateHeap.NTDLL(00BB0000,00000000,00000001,00000000,?,?,?,00161013,?), ref: 0016598F
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
            • String ID:
            • API String ID: 1372826849-0
            • Opcode ID: 0b969518f4ff45a16bcc972db32255a679d5c21b263c0a17112048a77924c5a8
            • Instruction ID: 92d7a996fb254f24d42a2f9d6eadb8f714bb1cd9394ad98e5de7f98b860cac8a
            • Opcode Fuzzy Hash: 0b969518f4ff45a16bcc972db32255a679d5c21b263c0a17112048a77924c5a8
            • Instruction Fuzzy Hash: C501F132340B15DEE7253B74EC42A2E729A9F62738F51012AFA01AB2C2DF709D618670
            Function 001A9B2C Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON
            Download Yara Rule
            APIs
            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,001A97D2,?,?,?,?,?,00000004), ref: 001A9B45
            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,001A97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 001A9B5B
            • CloseHandle.KERNEL32(00000000,?,001A97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 001A9B62
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: File$CloseCreateHandleTime
            • String ID:
            • API String ID: 3397143404-0
            • Opcode ID: 4fe8c44011e4c98475b3ef4b0893e47656825bc06873360ef4c8da291fed73ee
            • Instruction ID: d1e1099e772b992bb4ca6d10e581e700cc9b3fa25b56cffcc773b1ad28da57c2
            • Opcode Fuzzy Hash: 4fe8c44011e4c98475b3ef4b0893e47656825bc06873360ef4c8da291fed73ee
            • Instruction Fuzzy Hash: D0E08632180214B7D7212B54EC09FCE7F19AB05761F144124FB14690E087B165529798
            Function 001A8F97 Relevance: 4.5, APIs: 3, Instructions: 22COMMON
            Download Yara Rule
            APIs
            • _free.LIBCMT ref: 001A8FA5
              • Part of subcall function 00162F95: RtlFreeHeap.NTDLL(00000000,00000000,?,00169C64), ref: 00162FA9
              • Part of subcall function 00162F95: GetLastError.KERNEL32(00000000,?,00169C64), ref: 00162FBB
            • _free.LIBCMT ref: 001A8FB6
            • _free.LIBCMT ref: 001A8FC8
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
            • Instruction ID: cfc758f9dcf6a449e9aa543df3a2c59ac6c22adaa4308e501787b24dd7a6e340
            • Opcode Fuzzy Hash: 358057a8cee776a4634d1da6a11f7167cf7af4a4bc472a0de26b354d0d310ced
            • Instruction Fuzzy Hash: 6EE012A1B09B024ECA24A578AD44A9357EE5F49351B18085DF409DB142DF34EC518124
            Function 0014AB23 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID: CALL
            • API String ID: 0-4196123274
            • Opcode ID: 4468e3dc7219e818b3a187e66cb34a0f77a28905be10097bfa168f8d0fdfe77e
            • Instruction ID: c936aaded331585efdd9221cbfc049a029b6805964d25c9dc9876e965ab2ad2c
            • Opcode Fuzzy Hash: 4468e3dc7219e818b3a187e66cb34a0f77a28905be10097bfa168f8d0fdfe77e
            • Instruction Fuzzy Hash: 82224770508251DFCB29DF14C494B6ABBE1BF98300F56895DF89A8B262D731ED85CB82
            Function 00144DD0 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 141COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memmove
            • String ID: EA06
            • API String ID: 4104443479-3962188686
            • Opcode ID: 3ea279003b4ef18099d918e2344760c22a77f9c3d51ff395bbbe12e0a4d7a01d
            • Instruction ID: 0f209934873a2461a90ddda50679e98b052d2462ca5771c924810793a26c7d4f
            • Opcode Fuzzy Hash: 3ea279003b4ef18099d918e2344760c22a77f9c3d51ff395bbbe12e0a4d7a01d
            • Instruction Fuzzy Hash: 2D416A71A041586BDF259F68C8517BE7FB6BF15300F294075F882BB2A3C7299D8493E1
            Function 00147BB1 Relevance: 3.1, APIs: 2, Instructions: 97COMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memmove
            • String ID:
            • API String ID: 4104443479-0
            • Opcode ID: 888ce228c65e5e126e2c0d83d6bef63a0f4650b727a1fb86e52d4496ebb79edc
            • Instruction ID: ea3a9ae7e996115916d66bcf2c0c6fa950b50a10d865e402a8215b07ec18d89d
            • Opcode Fuzzy Hash: 888ce228c65e5e126e2c0d83d6bef63a0f4650b727a1fb86e52d4496ebb79edc
            • Instruction Fuzzy Hash: AB3184B1604607AFC714DF68D9D1E6AF3A9FF58320715862DF919CB2A1DB70E860CB90
            Function 0014492E Relevance: 3.1, APIs: 2, Instructions: 59COMMON
            Download Yara Rule
            APIs
            • IsThemeActive.UXTHEME ref: 00144992
              • Part of subcall function 001635AC: __lock.LIBCMT ref: 001635B2
              • Part of subcall function 001635AC: DecodePointer.KERNEL32(00000001,?,001449A7,001981BC), ref: 001635BE
              • Part of subcall function 001635AC: EncodePointer.KERNEL32(?,?,001449A7,001981BC), ref: 001635C9
              • Part of subcall function 00144A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00144A73
              • Part of subcall function 00144A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00144A88
              • Part of subcall function 00143B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00143B7A
              • Part of subcall function 00143B4C: IsDebuggerPresent.KERNEL32 ref: 00143B8C
              • Part of subcall function 00143B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,002062F8,002062E0,?,?), ref: 00143BFD
              • Part of subcall function 00143B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00143C81
            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 001449D2
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
            • String ID:
            • API String ID: 1438897964-0
            • Opcode ID: bb1ab677bf911bb50b56937449a80a8c01e2b4803f6626359044bedd6fd10ec6
            • Instruction ID: c809500b5d7004f83ccdc71a921c54fa68499208cd51b9df7028efdb01a061a3
            • Opcode Fuzzy Hash: bb1ab677bf911bb50b56937449a80a8c01e2b4803f6626359044bedd6fd10ec6
            • Instruction Fuzzy Hash: EB113A719183119FC700EF29EC4990AFFF8EBA9710F10452EF455872B2DBB09665CB96
            Function 00160FF6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE
            Download Yara Rule
            APIs
              • Part of subcall function 0016594C: __FF_MSGBANNER.LIBCMT ref: 00165963
              • Part of subcall function 0016594C: __NMSG_WRITE.LIBCMT ref: 0016596A
              • Part of subcall function 0016594C: RtlAllocateHeap.NTDLL(00BB0000,00000000,00000001,00000000,?,?,?,00161013,?), ref: 0016598F
            • std::exception::exception.LIBCMT ref: 0016102C
            • __CxxThrowException@8.LIBCMT ref: 00161041
              • Part of subcall function 001687DB: RaiseException.KERNEL32(?,?,?,001FBAF8,00000000,?,?,?,?,00161046,?,001FBAF8,?,00000001), ref: 00168830
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
            • String ID:
            • API String ID: 3902256705-0
            • Opcode ID: 0b4fe5a4f04d086a4f6e6a21592c42dfe18aaa1751e877808ff9703f3f32eb0a
            • Instruction ID: b0ec3a3eee1e2fc63cc4700832e6de54140d620ff4fcb877c6d69e91b8a441b7
            • Opcode Fuzzy Hash: 0b4fe5a4f04d086a4f6e6a21592c42dfe18aaa1751e877808ff9703f3f32eb0a
            • Instruction Fuzzy Hash: 8EF0283550021DB7CF20BB98ED019DF7BAD9F20351F240466F814A2281EFB08AA082E0
            Function 001655D6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE
            Download Yara Rule
            APIs
              • Part of subcall function 00168D68: __getptd_noexit.LIBCMT ref: 00168D68
            • __lock_file.LIBCMT ref: 0016561B
              • Part of subcall function 00166E4E: __lock.LIBCMT ref: 00166E71
            • __fclose_nolock.LIBCMT ref: 00165626
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
            • String ID:
            • API String ID: 2800547568-0
            • Opcode ID: 55a13e6fa47e06564eae466df685258cbfe6cecb0b22ae882340873c49d12f73
            • Instruction ID: 96c78f0887f6d108f1c191b14c367030289743546d87a562b098a20b829dd3b7
            • Opcode Fuzzy Hash: 55a13e6fa47e06564eae466df685258cbfe6cecb0b22ae882340873c49d12f73
            • Instruction Fuzzy Hash: F9F0BE71801A159ADB20AF79CC0276E7BA26F61334F668209A425AB1C1CF7C8A61DB95
            Function 00B1129D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON
            Download Yara Rule
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 00B11A5B
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00B11AF1
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00B11B13
            Memory Dump Source
            • Source File: 00000000.00000002.1729452941.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_b10000_Salary_Receipt.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
            • Instruction ID: 05aee5d4469b4ac19f5d2e12e9eeb655b8e28c7dd8858d730eafec66ab600555
            • Opcode Fuzzy Hash: d88754d343c0358fec48bb39518f6d050a5efe1528146ba10a354079ac39ca1d
            • Instruction Fuzzy Hash: 6712EE24E24658C6EB24DF64D8507DEB272EF68300F1094E9910DEB7A4E77A4F81CF5A
            Function 001800D6 Relevance: 1.6, APIs: 1, Instructions: 88COMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ClearVariant
            • String ID:
            • API String ID: 1473721057-0
            • Opcode ID: a64f6f27cdad26705d130436b427a5a17bf2bb5e72213763f2b5a095a4a108f3
            • Instruction ID: afd64e75fa039e617f46a48676cb971c1e986e19e72b491f13c10feb6796c4b3
            • Opcode Fuzzy Hash: a64f6f27cdad26705d130436b427a5a17bf2bb5e72213763f2b5a095a4a108f3
            • Instruction Fuzzy Hash: A3411674508351DFDB25DF14C484B1ABBE0BF49318F19889CE9994B762C332E889CF52
            Function 00147CB3 Relevance: 1.6, APIs: 1, Instructions: 84COMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memmove
            • String ID:
            • API String ID: 4104443479-0
            • Opcode ID: 2c36a2295a592de3e039a44d5b31ef502be16aae9e7cb4f69fce3a2ea84522a3
            • Instruction ID: f7fc2b43d972e55a1ccb80ed4a3c35a0e0dddc83a4c6eabea444d1d032fc4e99
            • Opcode Fuzzy Hash: 2c36a2295a592de3e039a44d5b31ef502be16aae9e7cb4f69fce3a2ea84522a3
            • Instruction Fuzzy Hash: E721F171608A09EBDB148F24EC9177A7BB8FF14350F22C46EF48AC55A1EB3094E1C745
            Function 00144F3D Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00144D13: FreeLibrary.KERNEL32(00000000,?), ref: 00144D4D
              • Part of subcall function 0016548B: __wfsopen.LIBCMT ref: 00165496
            • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,002062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00144F6F
              • Part of subcall function 00144CC8: FreeLibrary.KERNEL32(00000000), ref: 00144D02
              • Part of subcall function 00144DD0: _memmove.LIBCMT ref: 00144E1A
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Library$Free$Load__wfsopen_memmove
            • String ID:
            • API String ID: 1396898556-0
            • Opcode ID: d1a4a9e83ff96b8081072c85609e7f92feaa813e3faf359dc841abf69144c017
            • Instruction ID: 42d25e1df0ebfe6dbe84ef27f617c014c398e4db257bbe71ddb360de493b96ce
            • Opcode Fuzzy Hash: d1a4a9e83ff96b8081072c85609e7f92feaa813e3faf359dc841abf69144c017
            • Instruction Fuzzy Hash: 1C11E731600609ABCB14AFB4DC52FAE77A59F60710F11842DF541A71D1DF719A159760
            Function 001801AF Relevance: 1.6, APIs: 1, Instructions: 63COMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ClearVariant
            • String ID:
            • API String ID: 1473721057-0
            • Opcode ID: 2f7554b21027f6f745c194b5f7fb350c2b4a8ea9bbea63a16b894a41e32f8a98
            • Instruction ID: 49d4bb2a93bab871d1e2fd2f10adfd1a91735475c3efafd5642f5de2e15be24e
            • Opcode Fuzzy Hash: 2f7554b21027f6f745c194b5f7fb350c2b4a8ea9bbea63a16b894a41e32f8a98
            • Instruction Fuzzy Hash: F32130B4508341DFCB24DF54C884B1ABBE1BF88314F0A896CF89A5B761C731E859CB92
            Function 00160941 Relevance: 1.6, APIs: 1, Instructions: 54COMMON
            Download Yara Rule
            APIs
            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001609F4
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: LongNamePath
            • String ID:
            • API String ID: 82841172-0
            • Opcode ID: f86a96366a37c178c69555b4444f018880071d893a91903bbc658304eeedbc32
            • Instruction ID: 8fa4da5c4301ebdceb2764dd58c0ee9191fd2343003f77de335e53324f8fffdb
            • Opcode Fuzzy Hash: f86a96366a37c178c69555b4444f018880071d893a91903bbc658304eeedbc32
            • Instruction Fuzzy Hash: E601843A08E3C18FC7138BB4D8D6AA07FF4DE0312432905EED8C48B466D596096EDB22
            Function 00164A93 Relevance: 1.5, APIs: 1, Instructions: 36COMMON
            Download Yara Rule
            APIs
            • __lock_file.LIBCMT ref: 00164AD6
              • Part of subcall function 00168D68: __getptd_noexit.LIBCMT ref: 00168D68
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: __getptd_noexit__lock_file
            • String ID:
            • API String ID: 2597487223-0
            • Opcode ID: c96aa36e17f774e56f59eb295182e6c3fe7378c3245286633a4ddf26aa2a4242
            • Instruction ID: 0d452b7a984465ed7ae0e0f32844fb72ec2b5438c171ce62e4ca4fb177d1c589
            • Opcode Fuzzy Hash: c96aa36e17f774e56f59eb295182e6c3fe7378c3245286633a4ddf26aa2a4242
            • Instruction Fuzzy Hash: 21F0C231980209ABDF61AFB4CC063AF36A1AF20325F058614F424AB1D1CB788A71DF55
            Function 00144FAA Relevance: 1.5, APIs: 1, Instructions: 28COMMON
            Download Yara Rule
            APIs
            • FreeLibrary.KERNEL32(?,?,002062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00144FDE
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: FreeLibrary
            • String ID:
            • API String ID: 3664257935-0
            • Opcode ID: 9bddca2951c90a2358f4bf2a4d3edf6dfb943c7c3b3947d0821ca7c948740eeb
            • Instruction ID: 6ec731c1ca138b55d49440ecd16ebda37f93801a0e1fea1e8a85c9615add9613
            • Opcode Fuzzy Hash: 9bddca2951c90a2358f4bf2a4d3edf6dfb943c7c3b3947d0821ca7c948740eeb
            • Instruction Fuzzy Hash: C4F06571105711CFC7349F68E494912BBF1BF143253258A3EE5D782620C731A859DF40
            Function 001609D5 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
            Download Yara Rule
            APIs
            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 001609F4
              • Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: LongNamePath_memmove
            • String ID:
            • API String ID: 2514874351-0
            • Opcode ID: cdc2e477a3eab68c2e3001903f965d767f5fa1f59cd982e9c8ad13ad0dcd61a4
            • Instruction ID: 6f3897158170b3ff8db6bc0a6a3ef80bd8b02f12639e6cc5c725f22c2ffdab1e
            • Opcode Fuzzy Hash: cdc2e477a3eab68c2e3001903f965d767f5fa1f59cd982e9c8ad13ad0dcd61a4
            • Instruction Fuzzy Hash: FAE0863690422857C720D6989C05FFA77AEDF886A0F0441B5FC0CD7254DA609C818690
            Function 0016548B Relevance: 1.5, APIs: 1, Instructions: 9COMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: __wfsopen
            • String ID:
            • API String ID: 197181222-0
            • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
            • Instruction ID: 89ee202baeef66a9a295db37ec47f9434306f0b9d96d4fbf3a395e94b69285ca
            • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
            • Instruction Fuzzy Hash: 18B0927684020C77DF012E82EC02A593B1A9B50678F808060FF0C18162AA73A6B09689
            Function 00160E48 Relevance: 1.3, APIs: 1, Instructions: 94memoryCOMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
            • Instruction ID: 380a813e0d442a9a8ce3a373e1c401b653956086f47329d99fd25bee1ead62f9
            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
            • Instruction Fuzzy Hash: 0A31C471A00115DFC71ADF58D88096AF7A6FF5D300B658AA9E40ACB651D732EEE1CBC0
            Function 00B122A0 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON
            Download Yara Rule
            APIs
            • Sleep.KERNELBASE(000001F4), ref: 00B122B1
            Memory Dump Source
            • Source File: 00000000.00000002.1729452941.0000000000B10000.00000040.00001000.00020000.00000000.sdmp, Offset: 00B10000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_b10000_Salary_Receipt.jbxd
            Similarity
            • API ID: Sleep
            • String ID:
            • API String ID: 3472027048-0
            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
            • Instruction ID: c190f021220d04500f270c76638c58667a4dbe5d68bba48709aab80e743f5501
            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
            • Instruction Fuzzy Hash: E1E0BF7494010E9FDB00EFA4D54969E7BB4EF04301F1001A1FD0192280D63099608A62

            Non-executed Functions

            Function 001CCDAC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 637windowkeyboardCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00142612: GetWindowLongW.USER32(?,000000EB), ref: 00142623
            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 001CCE50
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001CCE91
            • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 001CCED6
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001CCF00
            • SendMessageW.USER32 ref: 001CCF29
            • _wcsncpy.LIBCMT ref: 001CCFA1
            • GetKeyState.USER32(00000011), ref: 001CCFC2
            • GetKeyState.USER32(00000009), ref: 001CCFCF
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 001CCFE5
            • GetKeyState.USER32(00000010), ref: 001CCFEF
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 001CD018
            • SendMessageW.USER32 ref: 001CD03F
            • SendMessageW.USER32(?,00001030,?,001CB602), ref: 001CD145
            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 001CD15B
            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 001CD16E
            • SetCapture.USER32(?), ref: 001CD177
            • ClientToScreen.USER32(?,?), ref: 001CD1DC
            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 001CD1E9
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001CD203
            • ReleaseCapture.USER32 ref: 001CD20E
            • GetCursorPos.USER32(?), ref: 001CD248
            • ScreenToClient.USER32(?,?), ref: 001CD255
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 001CD2B1
            • SendMessageW.USER32 ref: 001CD2DF
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 001CD31C
            • SendMessageW.USER32 ref: 001CD34B
            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 001CD36C
            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 001CD37B
            • GetCursorPos.USER32(?), ref: 001CD39B
            • ScreenToClient.USER32(?,?), ref: 001CD3A8
            • GetParent.USER32(?), ref: 001CD3C8
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 001CD431
            • SendMessageW.USER32 ref: 001CD462
            • ClientToScreen.USER32(?,?), ref: 001CD4C0
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 001CD4F0
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 001CD51A
            • SendMessageW.USER32 ref: 001CD53D
            • ClientToScreen.USER32(?,?), ref: 001CD58F
            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 001CD5C3
              • Part of subcall function 001425DB: GetWindowLongW.USER32(?,000000EB), ref: 001425EC
            • GetWindowLongW.USER32(?,000000F0), ref: 001CD65F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
            • String ID: @GUI_DRAGID$F$pr
            • API String ID: 3977979337-1942473040
            • Opcode ID: 4a6e08970e67ad05cd38b1991eab98a035b158e800f98296c7de3b0d8278e7b3
            • Instruction ID: d1fe55acfd7154f5b286e5246e0beac372f0bd4f8259fd0bc8a304388755a84d
            • Opcode Fuzzy Hash: 4a6e08970e67ad05cd38b1991eab98a035b158e800f98296c7de3b0d8278e7b3
            • Instruction Fuzzy Hash: FE428670204241AFC725CF68D888FAABFE6EF59314F14052DF699876A1C731EC95CB92
            Function 001C804A Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 571windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 001C873F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: %d/%02d/%02d
            • API String ID: 3850602802-328681919
            • Opcode ID: b6ee1f93a3cdbe15ee3c893c01081f78cee76cc29c1c28c3d0c6f18a6522383f
            • Instruction ID: d51c63f5d59df2c80926ca3464d69f483f222e2a7becc5ce51ec4c4170a292ed
            • Opcode Fuzzy Hash: b6ee1f93a3cdbe15ee3c893c01081f78cee76cc29c1c28c3d0c6f18a6522383f
            • Instruction Fuzzy Hash: 0412CF71500214ABEB258F28CC89FAB7BB9EF99710F24416DF915EA2E1EF70D941CB10
            Function 0015710E Relevance: 48.8, APIs: 19, Strings: 6, Instructions: 5093COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memmove$_memset
            • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
            • API String ID: 1357608183-1798697756
            • Opcode ID: 174c8a4f41956de7328ff807dced99952d60fa79eef99ab9a9c77c390c0a0df4
            • Instruction ID: 903db3ebca623cc0c6a143401ca67d86569659d68b5cbfabd335f5cd605bd8b6
            • Opcode Fuzzy Hash: 174c8a4f41956de7328ff807dced99952d60fa79eef99ab9a9c77c390c0a0df4
            • Instruction Fuzzy Hash: CD938075A04216DFDF28CF98D881BADB7B1FF48710F25816AE955EB280E7709E81CB50
            Function 00144A35 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON
            Download Yara Rule
            APIs
            • GetForegroundWindow.USER32(00000000,?), ref: 00144A3D
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0017DA8E
            • IsIconic.USER32(?), ref: 0017DA97
            • ShowWindow.USER32(?,00000009), ref: 0017DAA4
            • SetForegroundWindow.USER32(?), ref: 0017DAAE
            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0017DAC4
            • GetCurrentThreadId.KERNEL32 ref: 0017DACB
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0017DAD7
            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0017DAE8
            • AttachThreadInput.USER32(?,00000000,00000001), ref: 0017DAF0
            • AttachThreadInput.USER32(00000000,?,00000001), ref: 0017DAF8
            • SetForegroundWindow.USER32(?), ref: 0017DAFB
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0017DB10
            • keybd_event.USER32(00000012,00000000), ref: 0017DB1B
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0017DB25
            • keybd_event.USER32(00000012,00000000), ref: 0017DB2A
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0017DB33
            • keybd_event.USER32(00000012,00000000), ref: 0017DB38
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 0017DB42
            • keybd_event.USER32(00000012,00000000), ref: 0017DB47
            • SetForegroundWindow.USER32(?), ref: 0017DB4A
            • AttachThreadInput.USER32(?,?,00000000), ref: 0017DB71
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
            • String ID: Shell_TrayWnd
            • API String ID: 4125248594-2988720461
            • Opcode ID: 3b4a986a37bfbaed78045d552a3d0340c9be5c1958cb7e033cd0edc0f6931b81
            • Instruction ID: 38b4b614ee774448f3e213f933c9ecff19c1bec7e1a5751647ee518a6107e906
            • Opcode Fuzzy Hash: 3b4a986a37bfbaed78045d552a3d0340c9be5c1958cb7e033cd0edc0f6931b81
            • Instruction Fuzzy Hash: D1315371A8031CBFEB216F619C4AF7E3E7DEF44B50F114029FA05E71D0C6B09951AAA1
            Function 00198858 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00198CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00198D0D
              • Part of subcall function 00198CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00198D3A
              • Part of subcall function 00198CC3: GetLastError.KERNEL32 ref: 00198D47
            • _memset.LIBCMT ref: 0019889B
            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 001988ED
            • CloseHandle.KERNEL32(?), ref: 001988FE
            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00198915
            • GetProcessWindowStation.USER32 ref: 0019892E
            • SetProcessWindowStation.USER32(00000000), ref: 00198938
            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00198952
              • Part of subcall function 00198713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00198851), ref: 00198728
              • Part of subcall function 00198713: CloseHandle.KERNEL32(?,?,00198851), ref: 0019873A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
            • String ID: $default$winsta0
            • API String ID: 2063423040-1027155976
            • Opcode ID: 7e3fb17d2f21f80f2ff33638a12be8bbe985c17f05773777f79d4fac1b98c0d5
            • Instruction ID: 40039b5fb9d1bf88b27a6de53f27afdd7ab9c019321da7e71f683f88bc24f17a
            • Opcode Fuzzy Hash: 7e3fb17d2f21f80f2ff33638a12be8bbe985c17f05773777f79d4fac1b98c0d5
            • Instruction Fuzzy Hash: 1E816571900249AFDF11DFA4CC49EEEBBB9EF09314F08416AF910A72A1DB318E55DB61
            Function 001B425A Relevance: 30.2, APIs: 20, Instructions: 167clipboardCOMMON
            Download Yara Rule
            APIs
            • OpenClipboard.USER32(001CF910), ref: 001B4284
            • IsClipboardFormatAvailable.USER32(0000000D), ref: 001B4292
            • GetClipboardData.USER32(0000000D), ref: 001B429A
            • CloseClipboard.USER32 ref: 001B42A6
            • GlobalLock.KERNEL32(00000000), ref: 001B42C2
            • CloseClipboard.USER32 ref: 001B42CC
            • GlobalUnlock.KERNEL32(00000000), ref: 001B42E1
            • IsClipboardFormatAvailable.USER32(00000001), ref: 001B42EE
            • GetClipboardData.USER32(00000001), ref: 001B42F6
            • GlobalLock.KERNEL32(00000000), ref: 001B4303
            • GlobalUnlock.KERNEL32(00000000), ref: 001B4337
            • CloseClipboard.USER32 ref: 001B4447
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
            • String ID:
            • API String ID: 3222323430-0
            • Opcode ID: 0cc6ad4e60a7c867d1b83d649192f236451bcdb522d6dd3f90db754d3c3938a0
            • Instruction ID: 3058556797a2696bfd09d1e3cde9e4b94aec7a209f13f047fe54b4e8e5085256
            • Opcode Fuzzy Hash: 0cc6ad4e60a7c867d1b83d649192f236451bcdb522d6dd3f90db754d3c3938a0
            • Instruction Fuzzy Hash: 2051AF71204301ABD701AF64EC86FAE7BA9AF94B01F10852DF596D21F2DF70D946CB62
            Function 001AC9C7 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON
            Download Yara Rule
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 001AC9F8
            • FindClose.KERNEL32(00000000), ref: 001ACA4C
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001ACA71
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 001ACA88
            • FileTimeToSystemTime.KERNEL32(?,?), ref: 001ACAAF
            • __swprintf.LIBCMT ref: 001ACAFB
            • __swprintf.LIBCMT ref: 001ACB3E
              • Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82
            • __swprintf.LIBCMT ref: 001ACB92
              • Part of subcall function 001638D8: __woutput_l.LIBCMT ref: 00163931
            • __swprintf.LIBCMT ref: 001ACBE0
              • Part of subcall function 001638D8: __flsbuf.LIBCMT ref: 00163953
              • Part of subcall function 001638D8: __flsbuf.LIBCMT ref: 0016396B
            • __swprintf.LIBCMT ref: 001ACC2F
            • __swprintf.LIBCMT ref: 001ACC7E
            • __swprintf.LIBCMT ref: 001ACCCD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
            • API String ID: 3953360268-2428617273
            • Opcode ID: 3d9824c2a3c6a3fb00a997e2184e3e2f726ab1f730190528248dbaa104be65a8
            • Instruction ID: 3e869c718b0c25d3787817c846b57be46771a2ec4a62bde61d82b71e2b4e6435
            • Opcode Fuzzy Hash: 3d9824c2a3c6a3fb00a997e2184e3e2f726ab1f730190528248dbaa104be65a8
            • Instruction Fuzzy Hash: 82A10EB2508314ABC714EF64C886DAFB7ECFFA5700F404929B595C71A1EB34DA49CB62
            Function 001AF200 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON
            Download Yara Rule
            APIs
            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 001AF221
            • _wcscmp.LIBCMT ref: 001AF236
            • _wcscmp.LIBCMT ref: 001AF24D
            • GetFileAttributesW.KERNEL32(?), ref: 001AF25F
            • SetFileAttributesW.KERNEL32(?,?), ref: 001AF279
            • FindNextFileW.KERNEL32(00000000,?), ref: 001AF291
            • FindClose.KERNEL32(00000000), ref: 001AF29C
            • FindFirstFileW.KERNEL32(*.*,?), ref: 001AF2B8
            • _wcscmp.LIBCMT ref: 001AF2DF
            • _wcscmp.LIBCMT ref: 001AF2F6
            • SetCurrentDirectoryW.KERNEL32(?), ref: 001AF308
            • SetCurrentDirectoryW.KERNEL32(001FA5A0), ref: 001AF326
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 001AF330
            • FindClose.KERNEL32(00000000), ref: 001AF33D
            • FindClose.KERNEL32(00000000), ref: 001AF34F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
            • String ID: *.*
            • API String ID: 1803514871-438819550
            • Opcode ID: 5b7da43af12b74f7bdb2d6add6462fd0b5787603c5c1b596e0ed2c36b1a08474
            • Instruction ID: e6b5527f4250e8d8515a8fc755aec7a0f3b8092299f95c4ea2f75f3631cf01c6
            • Opcode Fuzzy Hash: 5b7da43af12b74f7bdb2d6add6462fd0b5787603c5c1b596e0ed2c36b1a08474
            • Instruction Fuzzy Hash: 7931C27A5002196ADF10DBF4DC58EEE77ADAF4A361F10427EE914D30A0EB30DE86CA50
            Function 001C0AE2 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON
            Download Yara Rule
            APIs
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001C0BDE
            • RegCreateKeyExW.ADVAPI32(?,?,00000000,001CF910,00000000,?,00000000,?,?), ref: 001C0C4C
            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 001C0C94
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 001C0D1D
            • RegCloseKey.ADVAPI32(?), ref: 001C103D
            • RegCloseKey.ADVAPI32(00000000), ref: 001C104A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Close$ConnectCreateRegistryValue
            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
            • API String ID: 536824911-966354055
            • Opcode ID: 1a53e16b6e882380d25d19c985ee7219375cbb207dc9e5779d1ce4fe90ffdc6b
            • Instruction ID: e8faf26afdce4638072c2869e4a1994d193d5481252b11940a73f9cc99be13ea
            • Opcode Fuzzy Hash: 1a53e16b6e882380d25d19c985ee7219375cbb207dc9e5779d1ce4fe90ffdc6b
            • Instruction Fuzzy Hash: E90259752046119FCB14EF24C895E2ABBE5FF99714F04885DF89A9B3A2CB30ED41CB81
            Function 001AF35D Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON
            Download Yara Rule
            APIs
            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 001AF37E
            • _wcscmp.LIBCMT ref: 001AF393
            • _wcscmp.LIBCMT ref: 001AF3AA
              • Part of subcall function 001A45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 001A45DC
            • FindNextFileW.KERNEL32(00000000,?), ref: 001AF3D9
            • FindClose.KERNEL32(00000000), ref: 001AF3E4
            • FindFirstFileW.KERNEL32(*.*,?), ref: 001AF400
            • _wcscmp.LIBCMT ref: 001AF427
            • _wcscmp.LIBCMT ref: 001AF43E
            • SetCurrentDirectoryW.KERNEL32(?), ref: 001AF450
            • SetCurrentDirectoryW.KERNEL32(001FA5A0), ref: 001AF46E
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 001AF478
            • FindClose.KERNEL32(00000000), ref: 001AF485
            • FindClose.KERNEL32(00000000), ref: 001AF497
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
            • String ID: *.*
            • API String ID: 1824444939-438819550
            • Opcode ID: 947596c2638253298b5a70c3c7bf999c5d434861774e16bf5299e7a744f0208d
            • Instruction ID: 2828a1a022eeb45d4c98a78414d8d33e3f90270435735adaae0d4589e26a34df
            • Opcode Fuzzy Hash: 947596c2638253298b5a70c3c7bf999c5d434861774e16bf5299e7a744f0208d
            • Instruction Fuzzy Hash: A631D5795012196FCF109FA4EC88EEE77ADAF4A360F10027DE814A30A0DB34DE86CA54
            Function 001981F7 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 0019874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00198766
              • Part of subcall function 0019874A: GetLastError.KERNEL32(?,0019822A,?,?,?), ref: 00198770
              • Part of subcall function 0019874A: GetProcessHeap.KERNEL32(00000008,?,?,0019822A,?,?,?), ref: 0019877F
              • Part of subcall function 0019874A: HeapAlloc.KERNEL32(00000000,?,0019822A,?,?,?), ref: 00198786
              • Part of subcall function 0019874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0019879D
              • Part of subcall function 001987E7: GetProcessHeap.KERNEL32(00000008,00198240,00000000,00000000,?,00198240,?), ref: 001987F3
              • Part of subcall function 001987E7: HeapAlloc.KERNEL32(00000000,?,00198240,?), ref: 001987FA
              • Part of subcall function 001987E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00198240,?), ref: 0019880B
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0019825B
            • _memset.LIBCMT ref: 00198270
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0019828F
            • GetLengthSid.ADVAPI32(?), ref: 001982A0
            • GetAce.ADVAPI32(?,00000000,?), ref: 001982DD
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001982F9
            • GetLengthSid.ADVAPI32(?), ref: 00198316
            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00198325
            • HeapAlloc.KERNEL32(00000000), ref: 0019832C
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0019834D
            • CopySid.ADVAPI32(00000000), ref: 00198354
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00198385
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001983AB
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 001983BF
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
            • String ID:
            • API String ID: 3996160137-0
            • Opcode ID: 3afc2cba1914727cca9a080247efe082afe8e54fba5ccda1036e7ea9959176f5
            • Instruction ID: aca30840a74a7db54ec11f075ae90e299cbb7c3d73154f3ac07fbccd96fa06d4
            • Opcode Fuzzy Hash: 3afc2cba1914727cca9a080247efe082afe8e54fba5ccda1036e7ea9959176f5
            • Instruction Fuzzy Hash: 45614671904209AFDF009FA5DC84EEEBBBAFF05700F14816AF815A6291DB35DA56CB60
            Function 00156843 Relevance: 18.4, Strings: 14, Instructions: 883COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
            • API String ID: 0-4052911093
            • Opcode ID: ba4987567392419a9e6bb2f0a3b5135b6b6070da3e02e7196cce5637978b63a4
            • Instruction ID: a692d91695ebc4ccf66ebb1b3096062a0644a9c8b83ecf708551ba2926b358a5
            • Opcode Fuzzy Hash: ba4987567392419a9e6bb2f0a3b5135b6b6070da3e02e7196cce5637978b63a4
            • Instruction Fuzzy Hash: 14727075E0021ADBDF18CF98C8807AEB7B5FF58310F55816AE859EB280DB709D85CB90
            Function 001C0665 Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 001C10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001C0038,?,?), ref: 001C10BC
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001C0737
              • Part of subcall function 00149997: __itow.LIBCMT ref: 001499C2
              • Part of subcall function 00149997: __swprintf.LIBCMT ref: 00149A0C
            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 001C07D6
            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 001C086E
            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 001C0AAD
            • RegCloseKey.ADVAPI32(00000000), ref: 001C0ABA
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
            • String ID:
            • API String ID: 1240663315-0
            • Opcode ID: ff7150505f3641800f2a8913e14c87a19d71515a3bcba8d427e360db66b0ad23
            • Instruction ID: 06c81a2981d112c8a120e22f0dde5c2603b46c86e6d11f9cb305ae7b154135fe
            • Opcode Fuzzy Hash: ff7150505f3641800f2a8913e14c87a19d71515a3bcba8d427e360db66b0ad23
            • Instruction Fuzzy Hash: 54E14C31204310EFCB15DF24C895E6BBBE5EF99714B04896DF88ADB262DB30E945CB51
            Function 001A0219 Relevance: 16.6, APIs: 11, Instructions: 120keyboardCOMMON
            Download Yara Rule
            APIs
            • GetKeyboardState.USER32(?), ref: 001A0241
            • GetAsyncKeyState.USER32(000000A0), ref: 001A02C2
            • GetKeyState.USER32(000000A0), ref: 001A02DD
            • GetAsyncKeyState.USER32(000000A1), ref: 001A02F7
            • GetKeyState.USER32(000000A1), ref: 001A030C
            • GetAsyncKeyState.USER32(00000011), ref: 001A0324
            • GetKeyState.USER32(00000011), ref: 001A0336
            • GetAsyncKeyState.USER32(00000012), ref: 001A034E
            • GetKeyState.USER32(00000012), ref: 001A0360
            • GetAsyncKeyState.USER32(0000005B), ref: 001A0378
            • GetKeyState.USER32(0000005B), ref: 001A038A
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: State$Async$Keyboard
            • String ID:
            • API String ID: 541375521-0
            • Opcode ID: ff89f896f22953637793e4858a13a7140185d4a5972b1d7a80df64b6648e2402
            • Instruction ID: e1b4bc7d2710385b69f969c37ba41a2192075ad97f8e14692424c2bae8f2a767
            • Opcode Fuzzy Hash: ff89f896f22953637793e4858a13a7140185d4a5972b1d7a80df64b6648e2402
            • Instruction Fuzzy Hash: 4E419C3C9047C96EFF339A6488087B5BEA17F1B344F08805ED6C5465C2D7E599C4C792
            Function 001B4458 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
            • String ID:
            • API String ID: 1737998785-0
            • Opcode ID: 13957485392f2c99c43716656219ed00761ba125f60cfa471c6d5f2486730993
            • Instruction ID: fc5149c2a1c20a9cb5227dd4af81f15d92e51d222e3e31d51de18442eaa7fbf0
            • Opcode Fuzzy Hash: 13957485392f2c99c43716656219ed00761ba125f60cfa471c6d5f2486730993
            • Instruction Fuzzy Hash: A8219C352006209FDB10AF24EC49FAE7BA9EF14711F10806AF946DB2B2CB30EC41CB55
            Function 001A3A2B Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 001448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001448A1,?,?,001437C0,?), ref: 001448CE
              • Part of subcall function 001A4CD3: GetFileAttributesW.KERNEL32(?,001A3947), ref: 001A4CD4
            • FindFirstFileW.KERNEL32(?,?), ref: 001A3ADF
            • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 001A3B87
            • MoveFileW.KERNEL32(?,?), ref: 001A3B9A
            • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 001A3BB7
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 001A3BD9
            • FindClose.KERNEL32(00000000,?,?,?,?), ref: 001A3BF5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
            • String ID: \*.*
            • API String ID: 4002782344-1173974218
            • Opcode ID: 5ddebc5556e06b1335995d67192416fd845bf38bed495f50427ba6d90bbc52b8
            • Instruction ID: 8a9983b329f73e849635b7bccc1b90e02fce28d1a516c678d24d33242924eebf
            • Opcode Fuzzy Hash: 5ddebc5556e06b1335995d67192416fd845bf38bed495f50427ba6d90bbc52b8
            • Instruction Fuzzy Hash: 3B5190358011499FCF05EBA0CD92AEDB77AAF66300F644169F456770A2DF316F09CB60
            Function 001AF65E Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82
            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 001AF6AB
            • Sleep.KERNEL32(0000000A), ref: 001AF6DB
            • _wcscmp.LIBCMT ref: 001AF6EF
            • _wcscmp.LIBCMT ref: 001AF70A
            • FindNextFileW.KERNEL32(?,?), ref: 001AF7A8
            • FindClose.KERNEL32(00000000), ref: 001AF7BE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
            • String ID: *.*
            • API String ID: 713712311-438819550
            • Opcode ID: 2473ac448c764a9a28bbf91717a5abc71c3b3e0251b9e9ff13d8c66e27efe4c5
            • Instruction ID: 1df9d75f1479fb08a7ee64fc3516cbe9592559f1c2e6932b7ebb8a776840c24b
            • Opcode Fuzzy Hash: 2473ac448c764a9a28bbf91717a5abc71c3b3e0251b9e9ff13d8c66e27efe4c5
            • Instruction Fuzzy Hash: E441A17590021A9FCF15DFA4CC85EEEBBB4FF16310F14456AE819A31A1DB309E85CBA0
            Function 00154140 Relevance: 11.6, APIs: 1, Strings: 5, Instructions: 1132COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
            • API String ID: 0-1546025612
            • Opcode ID: b53f16dddcde7eb3e873bfe525e038dbc3f3c0f395a37968661aacd6f27705ad
            • Instruction ID: c17a7e8f07eaf85425fa94c1764be644170f930396482f247916c428d0a1f5d9
            • Opcode Fuzzy Hash: b53f16dddcde7eb3e873bfe525e038dbc3f3c0f395a37968661aacd6f27705ad
            • Instruction Fuzzy Hash: 35A27074E0421ACBDF28DF58C9907ADB7B1BB54319F2581A9DC69AB280D7309EC9CF50
            Function 001558C0 Relevance: 11.0, APIs: 7, Instructions: 532COMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memmove
            • String ID:
            • API String ID: 4104443479-0
            • Opcode ID: a4db8b941b3b3dd1a5c6d3aa1dc242e1cfe08d6c9fd3ad7969b3d26455ade22d
            • Instruction ID: 68c9bdddf6bfdee6534ccef9a4deec372dad5afc6f35040acb10f41fe1c14275
            • Opcode Fuzzy Hash: a4db8b941b3b3dd1a5c6d3aa1dc242e1cfe08d6c9fd3ad7969b3d26455ade22d
            • Instruction Fuzzy Hash: 7F129A70A00609EFDF14DFA4D991AAEB7F6FF58300F104169E816EB291EB35AD25CB50
            Function 001A545F Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00198CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00198D0D
              • Part of subcall function 00198CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00198D3A
              • Part of subcall function 00198CC3: GetLastError.KERNEL32 ref: 00198D47
            • ExitWindowsEx.USER32(?,00000000), ref: 001A549B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
            • String ID: $@$SeShutdownPrivilege
            • API String ID: 2234035333-194228
            • Opcode ID: 6501cbda66f37b26362e7564646e2035a52abb38b2036766700086d1dbc9e0b9
            • Instruction ID: 14aa5b0ccb1ac5c9f6d5b99abd148e0d5d5bbb674759685ab0fe1b903ecdb14b
            • Opcode Fuzzy Hash: 6501cbda66f37b26362e7564646e2035a52abb38b2036766700086d1dbc9e0b9
            • Instruction Fuzzy Hash: 4A01477965CA012AE72C5274EC4AFBA725AEB0B352F200024FD06D20C2FB544C8181A0
            Function 001B6596 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON
            Download Yara Rule
            APIs
            • socket.WSOCK32(00000002,00000001,00000006), ref: 001B65EF
            • WSAGetLastError.WSOCK32(00000000), ref: 001B65FE
            • bind.WSOCK32(00000000,?,00000010), ref: 001B661A
            • listen.WSOCK32(00000000,00000005), ref: 001B6629
            • WSAGetLastError.WSOCK32(00000000), ref: 001B6643
            • closesocket.WSOCK32(00000000), ref: 001B6657
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ErrorLast$bindclosesocketlistensocket
            • String ID:
            • API String ID: 1279440585-0
            • Opcode ID: b17d91d4a520301b5eb978d7edad54406ca1b9f928d2b4c426287e51a0a888a9
            • Instruction ID: 8f55bd02cd0c5240c5382ae0f24152669416e7334c8c97410f6cb613711eff81
            • Opcode Fuzzy Hash: b17d91d4a520301b5eb978d7edad54406ca1b9f928d2b4c426287e51a0a888a9
            • Instruction Fuzzy Hash: 1F218D316002149FCB10EF64C885FAEB7AAEF58720F158169F956E73E1CB74AD41CB51
            Function 00155680 Relevance: 8.0, APIs: 5, Instructions: 516COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00160FF6: std::exception::exception.LIBCMT ref: 0016102C
              • Part of subcall function 00160FF6: __CxxThrowException@8.LIBCMT ref: 00161041
            • _memmove.LIBCMT ref: 0019062F
            • _memmove.LIBCMT ref: 00190744
            • _memmove.LIBCMT ref: 001907EB
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memmove$Exception@8Throwstd::exception::exception
            • String ID:
            • API String ID: 1300846289-0
            • Opcode ID: 4eea7b3da8d2a6d50251244e54d30e5c8615900d73ca23f0bbf3d08b3e97cfc0
            • Instruction ID: 95a4e2b44981a02c337c51351b86dab9ca68886173e23c7a8818b3b7e69701d4
            • Opcode Fuzzy Hash: 4eea7b3da8d2a6d50251244e54d30e5c8615900d73ca23f0bbf3d08b3e97cfc0
            • Instruction Fuzzy Hash: F302B0B0E00205EFDF09DF64D991ABEBBB5EF58300F1580A9E806DB255EB31DA54CB91
            Function 00141287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00142612: GetWindowLongW.USER32(?,000000EB), ref: 00142623
            • DefDlgProcW.USER32(?,?,?,?,?), ref: 001419FA
            • GetSysColor.USER32(0000000F), ref: 00141A4E
            • SetBkColor.GDI32(?,00000000), ref: 00141A61
              • Part of subcall function 00141290: DefDlgProcW.USER32(?,00000020,?), ref: 001412D8
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ColorProc$LongWindow
            • String ID:
            • API String ID: 3744519093-0
            • Opcode ID: f8a4e8e383f0ee24a2878e0c7769b1b98a5047b7a4cf31738b4a599450f1d2dd
            • Instruction ID: d363683235c1174e9a2df2271f59d0b9ff7e7b54e241bc6a381b5dd24b07f2a4
            • Opcode Fuzzy Hash: f8a4e8e383f0ee24a2878e0c7769b1b98a5047b7a4cf31738b4a599450f1d2dd
            • Instruction Fuzzy Hash: 80A159B1109584BEE62CAF289C98FBF39ADDB51385B358119F406D71B2CF20DDC192B6
            Function 001B6A5A Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 001B80A0: inet_addr.WSOCK32(00000000), ref: 001B80CB
            • socket.WSOCK32(00000002,00000002,00000011), ref: 001B6AB1
            • WSAGetLastError.WSOCK32(00000000), ref: 001B6ADA
            • bind.WSOCK32(00000000,?,00000010), ref: 001B6B13
            • WSAGetLastError.WSOCK32(00000000), ref: 001B6B20
            • closesocket.WSOCK32(00000000), ref: 001B6B34
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ErrorLast$bindclosesocketinet_addrsocket
            • String ID:
            • API String ID: 99427753-0
            • Opcode ID: b29c4ebe3923b7ac2ae52d5bb597ac04d8b1532155e0656ddcd348217cbcdf0e
            • Instruction ID: 4ec249f83269684802365c5fddf57af8de3faac170df958416adf059ef00ea27
            • Opcode Fuzzy Hash: b29c4ebe3923b7ac2ae52d5bb597ac04d8b1532155e0656ddcd348217cbcdf0e
            • Instruction Fuzzy Hash: B641A375700210AFEB10BF64DC86F6EB7A9DB58B24F04805CF95AAB3E2DB749D018791
            Function 001C55FD Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$EnabledForegroundIconicVisibleZoomed
            • String ID:
            • API String ID: 292994002-0
            • Opcode ID: 244470c19ecc142dcaf491608c5e41d2a719eeea5b829e1f91c41b7a8b9332cc
            • Instruction ID: 88d33fe052be9d90e000ffe7b5964a06b09c30177295b2e6b55a1ee4f0d51cfb
            • Opcode Fuzzy Hash: 244470c19ecc142dcaf491608c5e41d2a719eeea5b829e1f91c41b7a8b9332cc
            • Instruction Fuzzy Hash: 2E110431300A306FE7215F26DC44F6FBB9BEF64760B85402CF806D3251CB30E9828AA4
            Function 001AC602 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON
            Download Yara Rule
            APIs
            • CoInitialize.OLE32(00000000), ref: 001AC69D
            • CoCreateInstance.OLE32(001D2D6C,00000000,00000001,001D2BDC,?), ref: 001AC6B5
              • Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82
            • CoUninitialize.OLE32 ref: 001AC922
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CreateInitializeInstanceUninitialize_memmove
            • String ID: .lnk
            • API String ID: 2683427295-24824748
            • Opcode ID: f9f4aa493aa01eca38908c94fcc880930dabaf8ddf80d16bebb6573d3ebf1f2d
            • Instruction ID: 539ce8ad5620d393c0040022d0bee4a589a7115e6be4bc089630d5e85da5f1cf
            • Opcode Fuzzy Hash: f9f4aa493aa01eca38908c94fcc880930dabaf8ddf80d16bebb6573d3ebf1f2d
            • Instruction Fuzzy Hash: 87A13D71104205AFD700EF64C891EABB7ECFFA5714F00496DF196972A2DB70EA49CB62
            Function 001BC304 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 19libraryloaderCOMMON
            Download Yara Rule
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00181D88,?), ref: 001BC312
            • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 001BC324
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetSystemWow64DirectoryW$kernel32.dll
            • API String ID: 2574300362-1816364905
            • Opcode ID: 7ffe16f35d1e82777b99787900b00a9721eb7c5407f93f9c78fc29dd0ee7a117
            • Instruction ID: 4041069ed3bf039c8aeb4227b878fea6ed96a1d05385f8ec71889c64cf9d53a5
            • Opcode Fuzzy Hash: 7ffe16f35d1e82777b99787900b00a9721eb7c5407f93f9c78fc29dd0ee7a117
            • Instruction Fuzzy Hash: EAE0EC74600713CFDB204B65D844F967AE5FB18755B84C43DE896D6660E770D885CAA0
            Function 00153190 Relevance: 6.6, APIs: 4, Instructions: 587COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: __itow__swprintf
            • String ID:
            • API String ID: 674341424-0
            • Opcode ID: 1785e6826373a0ff3758a0f73fbb3f685351d1c16c80a0ebf63e4a53eda65f67
            • Instruction ID: e7f413f2686d8ffb8f75892003f7dfa1b4ea3517f2e3900e434340d6b2aeb00f
            • Opcode Fuzzy Hash: 1785e6826373a0ff3758a0f73fbb3f685351d1c16c80a0ebf63e4a53eda65f67
            • Instruction Fuzzy Hash: 30227A71508301DFC724EF24C891B6BB7E5BF94754F14491DF8AA9B291EB70EA08CB92
            Function 001BF121 Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON
            Download Yara Rule
            APIs
            • CreateToolhelp32Snapshot.KERNEL32 ref: 001BF151
            • Process32FirstW.KERNEL32(00000000,?), ref: 001BF15F
              • Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82
            • Process32NextW.KERNEL32(00000000,?), ref: 001BF21F
            • CloseHandle.KERNEL32(00000000,?,?,?), ref: 001BF22E
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
            • String ID:
            • API String ID: 2576544623-0
            • Opcode ID: 72079ae2295e6b2369096d98fd53ead552e4a3070aa1e6ff58f77828bd8511fc
            • Instruction ID: 2231c617212b0ca0377ebef34b249d2b8c524f3b50673a179a254755f8098d81
            • Opcode Fuzzy Hash: 72079ae2295e6b2369096d98fd53ead552e4a3070aa1e6ff58f77828bd8511fc
            • Instruction Fuzzy Hash: F0515D71504311AFD310EF24DC85EABBBE8EFA8710F54482DF595972A1EB70D905CB92
            Function 0019EB07 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON
            Download Yara Rule
            APIs
            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 0019EB19
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: lstrlen
            • String ID: ($|
            • API String ID: 1659193697-1631851259
            • Opcode ID: 93395deda5648cd6208b17aa99c9f24fce9abbca52e7a0c53dc953cacf4faae0
            • Instruction ID: 1043d49686d9353d7b4b423f44bbe3c7c30ae017f71aef429e543f88a0039dac
            • Opcode Fuzzy Hash: 93395deda5648cd6208b17aa99c9f24fce9abbca52e7a0c53dc953cacf4faae0
            • Instruction Fuzzy Hash: 99322675A007059FDB28DF19C481A6AB7F1FF48320B15C56EE89ADB7A1EB70E941CB40
            Function 001B25E2 Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON
            Download Yara Rule
            APIs
            • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,001B1AFE,00000000), ref: 001B26D5
            • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 001B270C
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Internet$AvailableDataFileQueryRead
            • String ID:
            • API String ID: 599397726-0
            • Opcode ID: ae5d6b410a72bf6fae6948e2df3850492da0b540b8ddec91ddcb09acd2f6c31c
            • Instruction ID: 6b5114e8e8b659307da3e8381314d09a7bb90fb47171f3901549b5c0df4680ba
            • Opcode Fuzzy Hash: ae5d6b410a72bf6fae6948e2df3850492da0b540b8ddec91ddcb09acd2f6c31c
            • Instruction Fuzzy Hash: 3641F271A00309BFEB20DE94DC85EFBB7BCEB50724F10406EFA05A6140EB71AE499664
            Function 001AB59E Relevance: 4.6, APIs: 3, Instructions: 73COMMON
            Download Yara Rule
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 001AB5AE
            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 001AB608
            • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 001AB655
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ErrorMode$DiskFreeSpace
            • String ID:
            • API String ID: 1682464887-0
            • Opcode ID: 305b9ee1ca3324ca8cfc8183abcb10951f48e5292e292ea72da9ed862d0da21c
            • Instruction ID: 3a044e105ac7e732c81363642f3b82a71fc9118c42c1b5ae78c9bdebda7b8cfd
            • Opcode Fuzzy Hash: 305b9ee1ca3324ca8cfc8183abcb10951f48e5292e292ea72da9ed862d0da21c
            • Instruction Fuzzy Hash: 86217135A00118EFCB00EF65D881EAEBBF9FF59310F1480A9E805AB361DB31A956CB51
            Function 00198CC3 Relevance: 4.6, APIs: 3, Instructions: 67COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00160FF6: std::exception::exception.LIBCMT ref: 0016102C
              • Part of subcall function 00160FF6: __CxxThrowException@8.LIBCMT ref: 00161041
            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00198D0D
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00198D3A
            • GetLastError.KERNEL32 ref: 00198D47
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
            • String ID:
            • API String ID: 1922334811-0
            • Opcode ID: d21405c0e8c076aa3ce2a202110608ce131a6a9b12b9c2f5610d71c6bdab3d9d
            • Instruction ID: 8923b8ce49e80009246978befbb9bb2d4c06683826fa6e1b10ef0861ade2866d
            • Opcode Fuzzy Hash: d21405c0e8c076aa3ce2a202110608ce131a6a9b12b9c2f5610d71c6bdab3d9d
            • Instruction Fuzzy Hash: 861191B2414209AFDB28DF58DC85D6BBBFDFB44710B20852EF45693641EB30EC518A60
            Function 001A4021 Relevance: 4.6, APIs: 3, Instructions: 61fileCOMMON
            Download Yara Rule
            APIs
            • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001A404B
            • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 001A4088
            • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 001A4091
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CloseControlCreateDeviceFileHandle
            • String ID:
            • API String ID: 33631002-0
            • Opcode ID: 0e1082c0c807887e40860e82062cdb518471fb80331c9e52812a6c791f42b292
            • Instruction ID: aa45be1f236a54f3e3cff2049641ef5472f6c71f990cd507c173c938eb25973d
            • Opcode Fuzzy Hash: 0e1082c0c807887e40860e82062cdb518471fb80331c9e52812a6c791f42b292
            • Instruction Fuzzy Hash: 121182B1D00228BFE7109BE8DD48FAFBBBCEB49710F00065ABA04E7191C3B49D4587A1
            Function 001A4C03 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON
            Download Yara Rule
            APIs
            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 001A4C2C
            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 001A4C43
            • FreeSid.ADVAPI32(?), ref: 001A4C53
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: AllocateCheckFreeInitializeMembershipToken
            • String ID:
            • API String ID: 3429775523-0
            • Opcode ID: f9bdc649d890dbf7882bf6f5261114ff9e1c1da5a1b0702cb2c41057cd54f6ac
            • Instruction ID: ed37814b830c15804c45ec2f033f82b79687f6f4d88c217c830ba823441e40e9
            • Opcode Fuzzy Hash: f9bdc649d890dbf7882bf6f5261114ff9e1c1da5a1b0702cb2c41057cd54f6ac
            • Instruction Fuzzy Hash: F8F04975A5130CBFDF04DFF0DC89EAEBBBDEF08611F1044A9A901E2581E770AA548B50
            Function 001A8B13 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON
            Download Yara Rule
            APIs
            • __time64.LIBCMT ref: 001A8B25
              • Part of subcall function 0016543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,001A91F8,00000000,?,?,?,?,001A93A9,00000000,?), ref: 00165443
              • Part of subcall function 0016543A: __aulldiv.LIBCMT ref: 00165463
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Time$FileSystem__aulldiv__time64
            • String ID: 0u
            • API String ID: 2893107130-2987168249
            • Opcode ID: ebe166298830a27065f9a7caa42a8f352c030cedcf8abbb7701ffdbf155b6db8
            • Instruction ID: b5050ea2ab55a4ba17e8011491e484e7fe18320b49496a07868133e8451418e8
            • Opcode Fuzzy Hash: ebe166298830a27065f9a7caa42a8f352c030cedcf8abbb7701ffdbf155b6db8
            • Instruction Fuzzy Hash: A521D2726356108BC729CF29D841A52B7E1EBA5311B288E6CD4E9CB2D1CA34B905CB94
            Function 0014E060 Relevance: 3.5, APIs: 2, Instructions: 539COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3be0ee07c08419f16a9b279bb060e8c4db69fcef998a40f26f12035e0ae8e017
            • Instruction ID: 37b9ef982ad24019efd5d7f2d4cb5b091d9178ccfb7b44ecbecb58ae856e5b3a
            • Opcode Fuzzy Hash: 3be0ee07c08419f16a9b279bb060e8c4db69fcef998a40f26f12035e0ae8e017
            • Instruction Fuzzy Hash: B322B074A00215DFDB24DF58C490ABEB7F0FF18310F188569E856AB361E774AE85CB91
            Function 001AC93C Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON
            Download Yara Rule
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 001AC966
            • FindClose.KERNEL32(00000000), ref: 001AC996
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Find$CloseFileFirst
            • String ID:
            • API String ID: 2295610775-0
            • Opcode ID: 9636cf6ca8f4a3cd8d324dd1d75887ff6b5aa83763fb42095c8e1a95843d45c5
            • Instruction ID: 33d0197d82a58293853077a40049290c7db51df4ce1a41f2e57e58450981d0fa
            • Opcode Fuzzy Hash: 9636cf6ca8f4a3cd8d324dd1d75887ff6b5aa83763fb42095c8e1a95843d45c5
            • Instruction Fuzzy Hash: FE113C766106109FDB10AF29D845A2AB7E9EF95324F10855EF8A9D72A1DB30A801CB91
            Function 001AA2D5 Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON
            Download Yara Rule
            APIs
            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,001B977D,?,001CFB84,?), ref: 001AA302
            • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,001B977D,?,001CFB84,?), ref: 001AA314
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ErrorFormatLastMessage
            • String ID:
            • API String ID: 3479602957-0
            • Opcode ID: c70b5f6a063085f0169859577c5d3ed665b31586771f1f6c50cdef702c7a0b0d
            • Instruction ID: b33a6e9217b0f71821d71dd5cfa72dcb5c395f0bfb65965f6bfa6927eccfd435
            • Opcode Fuzzy Hash: c70b5f6a063085f0169859577c5d3ed665b31586771f1f6c50cdef702c7a0b0d
            • Instruction Fuzzy Hash: 59F0823554422DBBDB109FA4CC48FEA7B6DBF09761F008169B918D7191D730D944CBA1
            Function 00198713 Relevance: 3.0, APIs: 2, Instructions: 22COMMON
            Download Yara Rule
            APIs
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00198851), ref: 00198728
            • CloseHandle.KERNEL32(?,?,00198851), ref: 0019873A
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: AdjustCloseHandlePrivilegesToken
            • String ID:
            • API String ID: 81990902-0
            • Opcode ID: 16bdb01418734e645d287e8e806e62232d2699dc89edda1cb8641100f785d954
            • Instruction ID: 28e74e5beece37bc276efb51cfbeb3744128533c539abc88c303470d69f12233
            • Opcode Fuzzy Hash: 16bdb01418734e645d287e8e806e62232d2699dc89edda1cb8641100f785d954
            • Instruction Fuzzy Hash: 2CE0B676010650FEEB252B60EC09D777BAAEB04750724882EB49680870DB62ACE1DB50
            Function 0016A395 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00168F97,?,?,?,00000001), ref: 0016A39A
            • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 0016A3A3
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: a5a9a0867139a6181b2571848adf6b3b9a9792fb859844c84090f6515a46a6a1
            • Instruction ID: dd52521cd557cedf2b63a23b7456ab8c559a877c5c91c4bb6ba0e5be21c17877
            • Opcode Fuzzy Hash: a5a9a0867139a6181b2571848adf6b3b9a9792fb859844c84090f6515a46a6a1
            • Instruction Fuzzy Hash: 63B09231054288BBCA002B91EC09F883F6AFB84AA2F405024FA0D84860CB629692CA91
            Function 0016F419 Relevance: 2.1, APIs: 1, Instructions: 645COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: ba371b8127d225094c5367c3121f76e9a0e156903f2435603015175898f4fae5
            • Instruction ID: 03c922e8ed65ab8b32f515e76f0056af690ab085cbe0d98d3621d8f1ec811d37
            • Opcode Fuzzy Hash: ba371b8127d225094c5367c3121f76e9a0e156903f2435603015175898f4fae5
            • Instruction Fuzzy Hash: 7F32DF26D6AF014DD7239634EC32336A349AFB63C5F55D73BE81AB5DA6EB2884C34100
            Function 0017267E Relevance: 1.8, APIs: 1, Instructions: 294COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 80c981bbbf627d4cf36f9c2647ba1ef8402d3e8416794e5af754b6ce48985d05
            • Instruction ID: 0a8f1cc5edfb74bf834c652d8b3a8ee5edc1b41b969026b530a1f950a909a8d2
            • Opcode Fuzzy Hash: 80c981bbbf627d4cf36f9c2647ba1ef8402d3e8416794e5af754b6ce48985d05
            • Instruction Fuzzy Hash: D7B1DD20E2BF514DD62396398831336BB5CAFBB2D5B96D71BFC2A74D22EB2185C34141
            Function 001B41FD Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON
            Download Yara Rule
            APIs
            • BlockInput.USER32(00000001), ref: 001B4218
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: BlockInput
            • String ID:
            • API String ID: 3456056419-0
            • Opcode ID: fde55a3764e66455d843ccdc3b42851f8498389e20637028516c010c5149e5de
            • Instruction ID: 095b5c1082b974705ba869b1ef73f6f6cd0a2c1677c599b45a0bdba680336f1d
            • Opcode Fuzzy Hash: fde55a3764e66455d843ccdc3b42851f8498389e20637028516c010c5149e5de
            • Instruction Fuzzy Hash: 1DE04F752402149FC710EF5AE844E9BFBE8AFA4760F01C06AFC49C7362DB70E8418BA1
            Function 001A4EC9 Relevance: 1.5, APIs: 1, Instructions: 24COMMON
            Download Yara Rule
            APIs
            • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 001A4EEC
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: mouse_event
            • String ID:
            • API String ID: 2434400541-0
            • Opcode ID: 6a5ec2d92b42a3d1882bc34c956e294853929be9ef69dace9f539496d58f8949
            • Instruction ID: 602f4a751032ade7fbda27fea8ce79ae2a379f27a0c2df0d6721b501dca06164
            • Opcode Fuzzy Hash: 6a5ec2d92b42a3d1882bc34c956e294853929be9ef69dace9f539496d58f8949
            • Instruction Fuzzy Hash: 4BD05EDC1607043BEC6C4B289C5FF770149F383781FE0414AB142890C1DBD86C555030
            Function 00198C93 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
            Download Yara Rule
            APIs
            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,001988D1), ref: 00198CB3
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: LogonUser
            • String ID:
            • API String ID: 1244722697-0
            • Opcode ID: f9a785327abdee99f7bd82effc7dd733cdd7d89fafd2868b5a1e20645d7f3697
            • Instruction ID: 4272d0b0e121f78bb8efb39d358f5adff2babd5cd653b01440c9f7dd08bd53b2
            • Opcode Fuzzy Hash: f9a785327abdee99f7bd82effc7dd733cdd7d89fafd2868b5a1e20645d7f3697
            • Instruction Fuzzy Hash: 67D05E3226050EABEF018EA4DC05EAE3B6AEB04B01F408111FE15C50A1C775D835AB60
            Function 00182230 Relevance: 1.5, APIs: 1, Instructions: 7COMMON
            Download Yara Rule
            APIs
            • GetUserNameW.ADVAPI32(?,?), ref: 00182242
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: NameUser
            • String ID:
            • API String ID: 2645101109-0
            • Opcode ID: 485fb3ba8d38ab71fbb17ecf235d1e94492bdfe9aa4159f2e02c4a6c55d713ee
            • Instruction ID: 468d6f25946e1ae59adaabd5cbc380fd0ece74e0b99ba6f831628634410adadb
            • Opcode Fuzzy Hash: 485fb3ba8d38ab71fbb17ecf235d1e94492bdfe9aa4159f2e02c4a6c55d713ee
            • Instruction Fuzzy Hash: 9AC04CF2801109DBDB05DB90D988DEE77BDAB04305F114066A102F2100D7749B458F71
            Function 0016A364 Relevance: 1.5, APIs: 1, Instructions: 6COMMON
            Download Yara Rule
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0016A36A
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            • API String ID: 3192549508-0
            • Opcode ID: 71e928bb9f6d61deab50a2ab8389a5e4a3033bd5b7caae0143c76d1603ae9ea6
            • Instruction ID: fba32e783ba5f0d8f472bb79c1dbac939db3f27c6d1d702ea4f61651fb1dfa2e
            • Opcode Fuzzy Hash: 71e928bb9f6d61deab50a2ab8389a5e4a3033bd5b7caae0143c76d1603ae9ea6
            • Instruction Fuzzy Hash: BEA0123000014CB78A001B41EC048447F5DE7401907004020F40C40421873295518580
            Function 00158A0E Relevance: .6, Instructions: 608COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1ee146eea59a35817052c670ff59f72671c1ad44caf9133fe8a4093b0e552835
            • Instruction ID: 56f2ac693857aacc7c1330e6f033c53754bcf173536689f35dc1e59643baf478
            • Opcode Fuzzy Hash: 1ee146eea59a35817052c670ff59f72671c1ad44caf9133fe8a4093b0e552835
            • Instruction Fuzzy Hash: F2223730901616CBDF2DCB28C4946BD77A2FB41346F69846ADC72BF691DB309D89CB60
            Function 00162405 Relevance: .3, Instructions: 345COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
            • Instruction ID: 264a7e2619b49de51cbab6a0074a283bba625b400831a95972337f00f50203e6
            • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
            • Instruction Fuzzy Hash: E7C16F3220559309DB2D8639DC3453EBAE15BA27B131A07ADE8B3DB5D4EF20D578E620
            Function 0016283A Relevance: .3, Instructions: 341COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
            • Instruction ID: cb0f3356cbc77c7bc6afba354b17d6363e22860ff70fed0d2cc6f59f7eefbc71
            • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
            • Instruction Fuzzy Hash: 35C172322055A309DB6D463A9C3413FBBE15BA27B131E07ADE4B2DB5D5EF20D538E620
            Function 00161BB8 Relevance: .3, Instructions: 323COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
            • Instruction ID: 2c6c58097c2a3ee5e61c1d4a0cbcbda50c02caec615e13015b9602a0b1798d4c
            • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
            • Instruction Fuzzy Hash: 12C1633220519319DF6D463A983413FBAE15BA27B131E17ADE8B3CB5D4EF20D578E620
            Function 001B7B1B Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON
            Download Yara Rule
            APIs
            • DeleteObject.GDI32(00000000), ref: 001B7B70
            • DeleteObject.GDI32(00000000), ref: 001B7B82
            • DestroyWindow.USER32 ref: 001B7B90
            • GetDesktopWindow.USER32 ref: 001B7BAA
            • GetWindowRect.USER32(00000000), ref: 001B7BB1
            • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 001B7CF2
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 001B7D02
            • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B7D4A
            • GetClientRect.USER32(00000000,?), ref: 001B7D56
            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 001B7D90
            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B7DB2
            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B7DC5
            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B7DD0
            • GlobalLock.KERNEL32(00000000), ref: 001B7DD9
            • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B7DE8
            • GlobalUnlock.KERNEL32(00000000), ref: 001B7DF1
            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B7DF8
            • GlobalFree.KERNEL32(00000000), ref: 001B7E03
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B7E15
            • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,001D2CAC,00000000), ref: 001B7E2B
            • GlobalFree.KERNEL32(00000000), ref: 001B7E3B
            • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 001B7E61
            • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 001B7E80
            • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B7EA2
            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 001B808F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
            • String ID: $AutoIt v3$DISPLAY$static
            • API String ID: 2211948467-2373415609
            • Opcode ID: 057b30b8ede30aa0334a1763483e81381623c190ae2e1b2738cb614220d000a6
            • Instruction ID: a05293204124e6e38b9c1759aa92fa8f785550a2b805377761af575b136a6301
            • Opcode Fuzzy Hash: 057b30b8ede30aa0334a1763483e81381623c190ae2e1b2738cb614220d000a6
            • Instruction Fuzzy Hash: 1C025B71900219EFDB14DFA4DC89EAE7BB9EB48310F14855DF915AB2A1CB70ED41CB60
            Function 001C37F3 Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON
            Download Yara Rule
            APIs
            • CharUpperBuffW.USER32(?,?,001CF910), ref: 001C38AF
            • IsWindowVisible.USER32(?), ref: 001C38D3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: BuffCharUpperVisibleWindow
            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
            • API String ID: 4105515805-45149045
            • Opcode ID: 26bf1675dcbc59b431101a27c5bbd6cb4fdc989253c63106e1498afd0721034f
            • Instruction ID: bb525c2e91f7bba332179db7b0953f78fbaf292c241099d104ae92943c47ac0e
            • Opcode Fuzzy Hash: 26bf1675dcbc59b431101a27c5bbd6cb4fdc989253c63106e1498afd0721034f
            • Instruction Fuzzy Hash: D9D191302043059BCB14EF50C991F6E77A5AFB8354F11C55CB9966B3A2CB31EE0ACB82
            Function 001CA849 Relevance: 49.8, APIs: 33, Instructions: 274COMMON
            Download Yara Rule
            APIs
            • SetTextColor.GDI32(?,00000000), ref: 001CA89F
            • GetSysColorBrush.USER32(0000000F), ref: 001CA8D0
            • GetSysColor.USER32(0000000F), ref: 001CA8DC
            • SetBkColor.GDI32(?,000000FF), ref: 001CA8F6
            • SelectObject.GDI32(?,?), ref: 001CA905
            • InflateRect.USER32(?,000000FF,000000FF), ref: 001CA930
            • GetSysColor.USER32(00000010), ref: 001CA938
            • CreateSolidBrush.GDI32(00000000), ref: 001CA93F
            • FrameRect.USER32(?,?,00000000), ref: 001CA94E
            • DeleteObject.GDI32(00000000), ref: 001CA955
            • InflateRect.USER32(?,000000FE,000000FE), ref: 001CA9A0
            • FillRect.USER32(?,?,?), ref: 001CA9D2
            • GetWindowLongW.USER32(?,000000F0), ref: 001CA9FD
              • Part of subcall function 001CAB60: GetSysColor.USER32(00000012), ref: 001CAB99
              • Part of subcall function 001CAB60: SetTextColor.GDI32(?,?), ref: 001CAB9D
              • Part of subcall function 001CAB60: GetSysColorBrush.USER32(0000000F), ref: 001CABB3
              • Part of subcall function 001CAB60: GetSysColor.USER32(0000000F), ref: 001CABBE
              • Part of subcall function 001CAB60: GetSysColor.USER32(00000011), ref: 001CABDB
              • Part of subcall function 001CAB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 001CABE9
              • Part of subcall function 001CAB60: SelectObject.GDI32(?,00000000), ref: 001CABFA
              • Part of subcall function 001CAB60: SetBkColor.GDI32(?,00000000), ref: 001CAC03
              • Part of subcall function 001CAB60: SelectObject.GDI32(?,?), ref: 001CAC10
              • Part of subcall function 001CAB60: InflateRect.USER32(?,000000FF,000000FF), ref: 001CAC2F
              • Part of subcall function 001CAB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001CAC46
              • Part of subcall function 001CAB60: GetWindowLongW.USER32(00000000,000000F0), ref: 001CAC5B
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
            • String ID:
            • API String ID: 4124339563-0
            • Opcode ID: 509b521e738192d9b1bc32f97a157866d1b1ea408776efe6bcf155ec8f567c8a
            • Instruction ID: d078423750e343dfe144b3d6041e0391e9c84599845953006f0361ad1f139dfe
            • Opcode Fuzzy Hash: 509b521e738192d9b1bc32f97a157866d1b1ea408776efe6bcf155ec8f567c8a
            • Instruction Fuzzy Hash: 63A19E72008305EFD7119F64DC08F6B7BAAFF88325F544A2DFA62965A0D730D886CB52
            Function 00142C18 Relevance: 49.5, APIs: 27, Strings: 1, Instructions: 486windowCOMMON
            Download Yara Rule
            APIs
            • DestroyWindow.USER32(?,?,?), ref: 00142CA2
            • DeleteObject.GDI32(00000000), ref: 00142CE8
            • DeleteObject.GDI32(00000000), ref: 00142CF3
            • DestroyIcon.USER32(00000000,?,?,?), ref: 00142CFE
            • DestroyWindow.USER32(00000000,?,?,?), ref: 00142D09
            • SendMessageW.USER32(?,00001308,?,00000000), ref: 0017C68B
            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0017C6C4
            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0017CAED
              • Part of subcall function 00141B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00142036,?,00000000,?,?,?,?,001416CB,00000000,?), ref: 00141B9A
            • SendMessageW.USER32(?,00001053), ref: 0017CB2A
            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0017CB41
            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0017CB57
            • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 0017CB62
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
            • String ID: 0
            • API String ID: 464785882-4108050209
            • Opcode ID: c857a426cb505343376ad499672ccdfaf9f2c9e7d4130458f3f3abb4d1e395b7
            • Instruction ID: f30fd356abc956342f188c9320e1b8dd1d229bb5f4027eb826fe9f64d6ef7a02
            • Opcode Fuzzy Hash: c857a426cb505343376ad499672ccdfaf9f2c9e7d4130458f3f3abb4d1e395b7
            • Instruction Fuzzy Hash: FE128B30604201EFDB24CF24C884BA9BBF5BF55315F54856DF999DB662CB31E882CB91
            Function 001B77BE Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON
            Download Yara Rule
            APIs
            • DestroyWindow.USER32(00000000), ref: 001B77F1
            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 001B78B0
            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 001B78EE
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 001B7900
            • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 001B7946
            • GetClientRect.USER32(00000000,?), ref: 001B7952
            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 001B7996
            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 001B79A5
            • GetStockObject.GDI32(00000011), ref: 001B79B5
            • SelectObject.GDI32(00000000,00000000), ref: 001B79B9
            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 001B79C9
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001B79D2
            • DeleteDC.GDI32(00000000), ref: 001B79DB
            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 001B7A07
            • SendMessageW.USER32(00000030,00000000,00000001), ref: 001B7A1E
            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 001B7A59
            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 001B7A6D
            • SendMessageW.USER32(00000404,00000001,00000000), ref: 001B7A7E
            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 001B7AAE
            • GetStockObject.GDI32(00000011), ref: 001B7AB9
            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 001B7AC4
            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 001B7ACE
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
            • API String ID: 2910397461-517079104
            • Opcode ID: a43bf15f2be3020ad228376f27798b9ff5ab82d3edcb2e1ad2824681d4aa786a
            • Instruction ID: 4d9cda156a80c230500fd31329b7cfe2c20b640a5f7f95600b7c12eb58193466
            • Opcode Fuzzy Hash: a43bf15f2be3020ad228376f27798b9ff5ab82d3edcb2e1ad2824681d4aa786a
            • Instruction Fuzzy Hash: 8CA160B1A40215BFEB14DBA4DC4AFAE7BBAEB44714F004118FA15A72E1C770AD51CB60
            Function 001AAF7B Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON
            Download Yara Rule
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 001AAF89
            • GetDriveTypeW.KERNEL32(?,001CFAC0,?,\\.\,001CF910), ref: 001AB066
            • SetErrorMode.KERNEL32(00000000,001CFAC0,?,\\.\,001CF910), ref: 001AB1C4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ErrorMode$DriveType
            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
            • API String ID: 2907320926-4222207086
            • Opcode ID: 6e9519acaebb1f6343ad6fcb8c8fd8a58522cbf12ba6124f91ff8d940416c5dd
            • Instruction ID: 38a82fea5dc59c8cb03cc6e35cae00804927bf55a69a68188dd30bc47b06bab5
            • Opcode Fuzzy Hash: 6e9519acaebb1f6343ad6fcb8c8fd8a58522cbf12ba6124f91ff8d940416c5dd
            • Instruction Fuzzy Hash: E9512878688389EBCB08EB10DAD2C7D77B1EF66341B604115F50EE7292C73AAD41DB42
            Function 00146A3C Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: __wcsnicmp
            • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
            • API String ID: 1038674560-86951937
            • Opcode ID: 29edc61d495f0b1ede9e98b3a510e884519af8d64b37f32fff378da37088d226
            • Instruction ID: 40213fed2b424219c1b75aad9b575b2be7b69f3aaa93fe273218c77a97a38919
            • Opcode Fuzzy Hash: 29edc61d495f0b1ede9e98b3a510e884519af8d64b37f32fff378da37088d226
            • Instruction Fuzzy Hash: A1811D70740215B7CB24AF60CC82FAE77A8EF36704F148025FD49AB1E2EB70DA55D292
            Function 001CAB60 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON
            Download Yara Rule
            APIs
            • GetSysColor.USER32(00000012), ref: 001CAB99
            • SetTextColor.GDI32(?,?), ref: 001CAB9D
            • GetSysColorBrush.USER32(0000000F), ref: 001CABB3
            • GetSysColor.USER32(0000000F), ref: 001CABBE
            • CreateSolidBrush.GDI32(?), ref: 001CABC3
            • GetSysColor.USER32(00000011), ref: 001CABDB
            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 001CABE9
            • SelectObject.GDI32(?,00000000), ref: 001CABFA
            • SetBkColor.GDI32(?,00000000), ref: 001CAC03
            • SelectObject.GDI32(?,?), ref: 001CAC10
            • InflateRect.USER32(?,000000FF,000000FF), ref: 001CAC2F
            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 001CAC46
            • GetWindowLongW.USER32(00000000,000000F0), ref: 001CAC5B
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 001CACA7
            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 001CACCE
            • InflateRect.USER32(?,000000FD,000000FD), ref: 001CACEC
            • DrawFocusRect.USER32(?,?), ref: 001CACF7
            • GetSysColor.USER32(00000011), ref: 001CAD05
            • SetTextColor.GDI32(?,00000000), ref: 001CAD0D
            • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 001CAD21
            • SelectObject.GDI32(?,001CA869), ref: 001CAD38
            • DeleteObject.GDI32(?), ref: 001CAD43
            • SelectObject.GDI32(?,?), ref: 001CAD49
            • DeleteObject.GDI32(?), ref: 001CAD4E
            • SetTextColor.GDI32(?,?), ref: 001CAD54
            • SetBkColor.GDI32(?,?), ref: 001CAD5E
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
            • String ID:
            • API String ID: 1996641542-0
            • Opcode ID: 6a2e094b48b8b82bacca996fc3be976e36ae00e85c6b5493ead5347dc4797b7a
            • Instruction ID: f94784bd49edbc69443fb5722737ccb1469f40b9a1a264e48d1de6fb97cb1931
            • Opcode Fuzzy Hash: 6a2e094b48b8b82bacca996fc3be976e36ae00e85c6b5493ead5347dc4797b7a
            • Instruction Fuzzy Hash: 73615C71900218AFDB119FA8DC48FAE7F7AEF08320F144129F915AB2A1D771DD81DB90
            Function 001C8C44 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 001C8D34
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001C8D45
            • CharNextW.USER32(0000014E), ref: 001C8D74
            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 001C8DB5
            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 001C8DCB
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001C8DDC
            • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 001C8DF9
            • SetWindowTextW.USER32(?,0000014E), ref: 001C8E45
            • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 001C8E5B
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 001C8E8C
            • _memset.LIBCMT ref: 001C8EB1
            • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 001C8EFA
            • _memset.LIBCMT ref: 001C8F59
            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 001C8F83
            • SendMessageW.USER32(?,00001074,?,00000001), ref: 001C8FDB
            • SendMessageW.USER32(?,0000133D,?,?), ref: 001C9088
            • InvalidateRect.USER32(?,00000000,00000001), ref: 001C90AA
            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001C90F4
            • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001C9121
            • DrawMenuBar.USER32(?), ref: 001C9130
            • SetWindowTextW.USER32(?,0000014E), ref: 001C9158
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
            • String ID: 0
            • API String ID: 1073566785-4108050209
            • Opcode ID: f3abaf4e961ee200a3e4d944daf6a858395742d2fb401df5129a2faa8ee8c6e1
            • Instruction ID: 64c2f67bed71050a892ef9973a221fd5b9730e1336aa3f7b62b82c103c68fc08
            • Opcode Fuzzy Hash: f3abaf4e961ee200a3e4d944daf6a858395742d2fb401df5129a2faa8ee8c6e1
            • Instruction Fuzzy Hash: CEE17070900219ABDF209F54CC89FEE7BB9EF25720F14815DF916AA291DB70CA85DF60
            Function 001C4B16 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON
            Download Yara Rule
            APIs
            • GetCursorPos.USER32(?), ref: 001C4C51
            • GetDesktopWindow.USER32 ref: 001C4C66
            • GetWindowRect.USER32(00000000), ref: 001C4C6D
            • GetWindowLongW.USER32(?,000000F0), ref: 001C4CCF
            • DestroyWindow.USER32(?), ref: 001C4CFB
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 001C4D24
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001C4D42
            • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 001C4D68
            • SendMessageW.USER32(?,00000421,?,?), ref: 001C4D7D
            • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 001C4D90
            • IsWindowVisible.USER32(?), ref: 001C4DB0
            • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 001C4DCB
            • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 001C4DDF
            • GetWindowRect.USER32(?,?), ref: 001C4DF7
            • MonitorFromPoint.USER32(?,?,00000002), ref: 001C4E1D
            • GetMonitorInfoW.USER32(00000000,?), ref: 001C4E37
            • CopyRect.USER32(?,?), ref: 001C4E4E
            • SendMessageW.USER32(?,00000412,00000000), ref: 001C4EB9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
            • String ID: ($0$tooltips_class32
            • API String ID: 698492251-4156429822
            • Opcode ID: 97f2b83223c84c681585a938af0a7ab78f4c902534265004bfdf8bc2cff6446d
            • Instruction ID: 4ea86932338967d9c5b17943b54726d9a6aaaa1d6ba7ac544bb276a346d177d0
            • Opcode Fuzzy Hash: 97f2b83223c84c681585a938af0a7ab78f4c902534265004bfdf8bc2cff6446d
            • Instruction Fuzzy Hash: 66B17871608340AFDB04DF64C899F6ABBE5BF98310F00891CF5999B2A1DB71EC45CB96
            Function 001427D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON
            Download Yara Rule
            APIs
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001428BC
            • GetSystemMetrics.USER32(00000007), ref: 001428C4
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 001428EF
            • GetSystemMetrics.USER32(00000008), ref: 001428F7
            • GetSystemMetrics.USER32(00000004), ref: 0014291C
            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00142939
            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00142949
            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0014297C
            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00142990
            • GetClientRect.USER32(00000000,000000FF), ref: 001429AE
            • GetStockObject.GDI32(00000011), ref: 001429CA
            • SendMessageW.USER32(00000000,00000030,00000000), ref: 001429D5
              • Part of subcall function 00142344: GetCursorPos.USER32(?), ref: 00142357
              • Part of subcall function 00142344: ScreenToClient.USER32(002067B0,?), ref: 00142374
              • Part of subcall function 00142344: GetAsyncKeyState.USER32(00000001), ref: 00142399
              • Part of subcall function 00142344: GetAsyncKeyState.USER32(00000002), ref: 001423A7
            • SetTimer.USER32(00000000,00000000,00000028,00141256), ref: 001429FC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
            • String ID: AutoIt v3 GUI
            • API String ID: 1458621304-248962490
            • Opcode ID: 86afbe2aae546b13b99cc539b9f7f6477f5541ed81f7634ae74a846180820160
            • Instruction ID: 336359fc973ae203ef527b8fae9732e53102d17bbff3afda257e8bbf17be7894
            • Opcode Fuzzy Hash: 86afbe2aae546b13b99cc539b9f7f6477f5541ed81f7634ae74a846180820160
            • Instruction Fuzzy Hash: 11B14E7160020AAFDB14DFA8DC49FAE7BB5FB08714F118229FA15E72A0DB74D991CB50
            Function 001C4069 Relevance: 28.3, APIs: 3, Strings: 13, Instructions: 283windowCOMMON
            Download Yara Rule
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 001C40F6
            • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001C41B6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: BuffCharMessageSendUpper
            • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
            • API String ID: 3974292440-719923060
            • Opcode ID: 30a2f7eb4198e7094661f234588bd852f5001c2fa8dc37b9c066d293cb011d93
            • Instruction ID: c34da63dbd7cf066456ca42b6ad72d07614710e8ae71a99a5f3feb8349fe0631
            • Opcode Fuzzy Hash: 30a2f7eb4198e7094661f234588bd852f5001c2fa8dc37b9c066d293cb011d93
            • Instruction Fuzzy Hash: 77A1A2702183159BCB14EF50C9A2F7AB3A5BFA4314F14896CB8969B7E2DB30EC05CB51
            Function 001B52F0 Relevance: 27.1, APIs: 18, Instructions: 124COMMON
            Download Yara Rule
            APIs
            • LoadCursorW.USER32(00000000,00007F89), ref: 001B5309
            • LoadCursorW.USER32(00000000,00007F8A), ref: 001B5314
            • LoadCursorW.USER32(00000000,00007F00), ref: 001B531F
            • LoadCursorW.USER32(00000000,00007F03), ref: 001B532A
            • LoadCursorW.USER32(00000000,00007F8B), ref: 001B5335
            • LoadCursorW.USER32(00000000,00007F01), ref: 001B5340
            • LoadCursorW.USER32(00000000,00007F81), ref: 001B534B
            • LoadCursorW.USER32(00000000,00007F88), ref: 001B5356
            • LoadCursorW.USER32(00000000,00007F80), ref: 001B5361
            • LoadCursorW.USER32(00000000,00007F86), ref: 001B536C
            • LoadCursorW.USER32(00000000,00007F83), ref: 001B5377
            • LoadCursorW.USER32(00000000,00007F85), ref: 001B5382
            • LoadCursorW.USER32(00000000,00007F82), ref: 001B538D
            • LoadCursorW.USER32(00000000,00007F84), ref: 001B5398
            • LoadCursorW.USER32(00000000,00007F04), ref: 001B53A3
            • LoadCursorW.USER32(00000000,00007F02), ref: 001B53AE
            • GetCursorInfo.USER32(?), ref: 001B53BE
            • GetLastError.KERNEL32(00000001,00000000), ref: 001B53E9
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Cursor$Load$ErrorInfoLast
            • String ID:
            • API String ID: 3215588206-0
            • Opcode ID: f7b54a7ba1f3a9af91c12278b6570cbba3273b64a4a7690ad1447f91d87cff6e
            • Instruction ID: 158f81aa06350addf2d7832bcf8deff994e5ee27bcf8d576ab5fad333ac67fc8
            • Opcode Fuzzy Hash: f7b54a7ba1f3a9af91c12278b6570cbba3273b64a4a7690ad1447f91d87cff6e
            • Instruction Fuzzy Hash: 4F415270E043196ADB109FBA8C49D6FFEB9EF51B50B10452FE509E7290DBB894018E61
            Function 0019AA64 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON
            Download Yara Rule
            APIs
            • GetClassNameW.USER32(?,?,00000100), ref: 0019AAA5
            • __swprintf.LIBCMT ref: 0019AB46
            • _wcscmp.LIBCMT ref: 0019AB59
            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0019ABAE
            • _wcscmp.LIBCMT ref: 0019ABEA
            • GetClassNameW.USER32(?,?,00000400), ref: 0019AC21
            • GetDlgCtrlID.USER32(?), ref: 0019AC73
            • GetWindowRect.USER32(?,?), ref: 0019ACA9
            • GetParent.USER32(?), ref: 0019ACC7
            • ScreenToClient.USER32(00000000), ref: 0019ACCE
            • GetClassNameW.USER32(?,?,00000100), ref: 0019AD48
            • _wcscmp.LIBCMT ref: 0019AD5C
            • GetWindowTextW.USER32(?,?,00000400), ref: 0019AD82
            • _wcscmp.LIBCMT ref: 0019AD96
              • Part of subcall function 0016386C: _iswctype.LIBCMT ref: 00163874
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
            • String ID: %s%u
            • API String ID: 3744389584-679674701
            • Opcode ID: c71c7bad8510ae06f35a1f5d5b9865d93632605ea977d5c7eb9034351ec3528b
            • Instruction ID: 554758baa7c1001b8d887f0fbdc0dfee6870655401aa6728e04b648b3779e5f4
            • Opcode Fuzzy Hash: c71c7bad8510ae06f35a1f5d5b9865d93632605ea977d5c7eb9034351ec3528b
            • Instruction Fuzzy Hash: DBA1CE71204306AFDB18DF60C884FAABBE8FF14315F504629F9A9C6590DB30E959CBD2
            Function 0019B397 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON
            Download Yara Rule
            APIs
            • GetClassNameW.USER32(00000008,?,00000400), ref: 0019B3DB
            • _wcscmp.LIBCMT ref: 0019B3EC
            • GetWindowTextW.USER32(00000001,?,00000400), ref: 0019B414
            • CharUpperBuffW.USER32(?,00000000), ref: 0019B431
            • _wcscmp.LIBCMT ref: 0019B44F
            • _wcsstr.LIBCMT ref: 0019B460
            • GetClassNameW.USER32(00000018,?,00000400), ref: 0019B498
            • _wcscmp.LIBCMT ref: 0019B4A8
            • GetWindowTextW.USER32(00000002,?,00000400), ref: 0019B4CF
            • GetClassNameW.USER32(00000018,?,00000400), ref: 0019B518
            • _wcscmp.LIBCMT ref: 0019B528
            • GetClassNameW.USER32(00000010,?,00000400), ref: 0019B550
            • GetWindowRect.USER32(00000004,?), ref: 0019B5B9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
            • String ID: @$ThumbnailClass
            • API String ID: 1788623398-1539354611
            • Opcode ID: cd624d1b68543a0c35c4b725ae7ac1ac7fa5fbc2bfb1c760184a0638722d7971
            • Instruction ID: 44c0329dc2059f4ee1f4f1299eb30b5e10ac8e50fe9948b09b4ff269216896a1
            • Opcode Fuzzy Hash: cd624d1b68543a0c35c4b725ae7ac1ac7fa5fbc2bfb1c760184a0638722d7971
            • Instruction Fuzzy Hash: 01817E710083099BEF04DF10EAC5FAA7BE8EF54314F048569FD859A0A2DB34EE46CB61
            Function 001CC8EE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00142612: GetWindowLongW.USER32(?,000000EB), ref: 00142623
            • DragQueryPoint.SHELL32(?,?), ref: 001CC917
              • Part of subcall function 001CADF1: ClientToScreen.USER32(?,?), ref: 001CAE1A
              • Part of subcall function 001CADF1: GetWindowRect.USER32(?,?), ref: 001CAE90
              • Part of subcall function 001CADF1: PtInRect.USER32(?,?,001CC304), ref: 001CAEA0
            • SendMessageW.USER32(?,000000B0,?,?), ref: 001CC980
            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 001CC98B
            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 001CC9AE
            • _wcscat.LIBCMT ref: 001CC9DE
            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 001CC9F5
            • SendMessageW.USER32(?,000000B0,?,?), ref: 001CCA0E
            • SendMessageW.USER32(?,000000B1,?,?), ref: 001CCA25
            • SendMessageW.USER32(?,000000B1,?,?), ref: 001CCA47
            • DragFinish.SHELL32(?), ref: 001CCA4E
            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 001CCB41
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pr
            • API String ID: 169749273-3901186176
            • Opcode ID: 241175d033268300ae394fbde1b75c87d7e4e9d92b48e397a44dac318bba8b87
            • Instruction ID: 2ad8ca316c8dc04ba0da0bf2e6932d28f3ef76ab6ff5a51aa5efb69c392a88a3
            • Opcode Fuzzy Hash: 241175d033268300ae394fbde1b75c87d7e4e9d92b48e397a44dac318bba8b87
            • Instruction Fuzzy Hash: 09612871108311AFC701DF64DC89E9BBBE9EFA8750F00092EF595961B1DB70DA49CB92
            Function 0019B1E0 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: __wcsnicmp
            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
            • API String ID: 1038674560-1810252412
            • Opcode ID: 8402dc6f57688b5f501eda2d98057cd621363b095fae0826e0a5df0a72efeac0
            • Instruction ID: 82423c1874bece654b43a33295c5cc63eddc20f17fbab1d5c7cc93c54c881497
            • Opcode Fuzzy Hash: 8402dc6f57688b5f501eda2d98057cd621363b095fae0826e0a5df0a72efeac0
            • Instruction Fuzzy Hash: 03315E35A48209A6DF14FBA0DE83FFEB7A4AF30760F600125B555B20E2EF617E04C951
            Function 0019C4C1 Relevance: 25.7, APIs: 17, Instructions: 169windowtimeCOMMON
            Download Yara Rule
            APIs
            • LoadIconW.USER32(00000063), ref: 0019C4D4
            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0019C4E6
            • SetWindowTextW.USER32(?,?), ref: 0019C4FD
            • GetDlgItem.USER32(?,000003EA), ref: 0019C512
            • SetWindowTextW.USER32(00000000,?), ref: 0019C518
            • GetDlgItem.USER32(?,000003E9), ref: 0019C528
            • SetWindowTextW.USER32(00000000,?), ref: 0019C52E
            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0019C54F
            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0019C569
            • GetWindowRect.USER32(?,?), ref: 0019C572
            • SetWindowTextW.USER32(?,?), ref: 0019C5DD
            • GetDesktopWindow.USER32 ref: 0019C5E3
            • GetWindowRect.USER32(00000000), ref: 0019C5EA
            • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0019C636
            • GetClientRect.USER32(?,?), ref: 0019C643
            • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0019C668
            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0019C693
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
            • String ID:
            • API String ID: 3869813825-0
            • Opcode ID: c62c027b47d72e67d87c71ddfe2c91e1f97acf3f786b9bd5d0564e6a83a51b54
            • Instruction ID: b7d037d2b99e9cf6e45dbd07c34a2911475bd338f43ad99ef2c28f08939ea589
            • Opcode Fuzzy Hash: c62c027b47d72e67d87c71ddfe2c91e1f97acf3f786b9bd5d0564e6a83a51b54
            • Instruction Fuzzy Hash: 8E513E71A00709AFEB20DFA8DD89F6EBBB5FF04705F00492CE686A25A0D774E945CB50
            Function 001CA428 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON
            Download Yara Rule
            APIs
            • _memset.LIBCMT ref: 001CA4C8
            • DestroyWindow.USER32(?,?), ref: 001CA542
              • Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 001CA5BC
            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 001CA5DE
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001CA5F1
            • DestroyWindow.USER32(00000000), ref: 001CA613
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00140000,00000000), ref: 001CA64A
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 001CA663
            • GetDesktopWindow.USER32 ref: 001CA67C
            • GetWindowRect.USER32(00000000), ref: 001CA683
            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 001CA69B
            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 001CA6B3
              • Part of subcall function 001425DB: GetWindowLongW.USER32(?,000000EB), ref: 001425EC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
            • String ID: 0$tooltips_class32
            • API String ID: 1297703922-3619404913
            • Opcode ID: 2cc87f2222b6c40af7120172f8cc6f36e0adb2a49d614bdb3695ac217e5e4f5c
            • Instruction ID: 5afb48d860b846b75d466f84a73bdf060b2d07ca6ab06fcc1252854e56f9deac
            • Opcode Fuzzy Hash: 2cc87f2222b6c40af7120172f8cc6f36e0adb2a49d614bdb3695ac217e5e4f5c
            • Instruction Fuzzy Hash: 13719970140309AFD721CF28DC49F6A7BE6EFA8308F48452DF985872A1C770E956DB12
            Function 001C4619 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON
            Download Yara Rule
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 001C46AB
            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 001C46F6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: BuffCharMessageSendUpper
            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
            • API String ID: 3974292440-4258414348
            • Opcode ID: 24d215658d9a63b2a4628543de1de1ec3bb2e076039b505b856dd4b8e60ce7ce
            • Instruction ID: 46228bca0a23f0a54e4aa6d743bca52ed000379d72148e6785726d4198757118
            • Opcode Fuzzy Hash: 24d215658d9a63b2a4628543de1de1ec3bb2e076039b505b856dd4b8e60ce7ce
            • Instruction Fuzzy Hash: D89171742083159FCB14EF50C861F6EB7A1AFA8314F14845CF9966B7A2CB30ED5ACB81
            Function 001CBAB8 Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON
            Download Yara Rule
            APIs
            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 001CBB6E
            • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,001C6D80,?), ref: 001CBBCA
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001CBC03
            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 001CBC46
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 001CBC7D
            • FreeLibrary.KERNEL32(?), ref: 001CBC89
            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 001CBC99
            • DestroyIcon.USER32(?), ref: 001CBCA8
            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 001CBCC5
            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 001CBCD1
              • Part of subcall function 0016313D: __wcsicmp_l.LIBCMT ref: 001631C6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
            • String ID: .dll$.exe$.icl
            • API String ID: 1212759294-1154884017
            • Opcode ID: 5b3fdf2cda888b95296801eb2b3cac0c4dc493e54d8f0473b099588c535d2e54
            • Instruction ID: 0d78c402cf5517b44b9ef8d25625fbcd39861217d8c06d69fc176b4c6395f2cb
            • Opcode Fuzzy Hash: 5b3fdf2cda888b95296801eb2b3cac0c4dc493e54d8f0473b099588c535d2e54
            • Instruction Fuzzy Hash: A461F071A04619BAEB14DF64CC82FBE7BA8EF28710F104219F915D61D0DB74EE90CBA0
            Function 001AA5BD Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00149997: __itow.LIBCMT ref: 001499C2
              • Part of subcall function 00149997: __swprintf.LIBCMT ref: 00149A0C
            • CharLowerBuffW.USER32(?,?), ref: 001AA636
            • GetDriveTypeW.KERNEL32 ref: 001AA683
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001AA6CB
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001AA702
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001AA730
              • Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
            • API String ID: 2698844021-4113822522
            • Opcode ID: 73e0613c65f1aedc386fbd9f37b8762a23376a77f6d6c4b3b70ca986d2be281e
            • Instruction ID: 2893a9719eb986f23f8b9732b755638a6c44e06edc431dd3e6ffe6cfdb6c4c0b
            • Opcode Fuzzy Hash: 73e0613c65f1aedc386fbd9f37b8762a23376a77f6d6c4b3b70ca986d2be281e
            • Instruction Fuzzy Hash: D5512AB51043059FC700EF20C98196AB7F5FFA8718F54496DF89A972A1DB31EE0ACB52
            Function 001AA45A Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON
            Download Yara Rule
            APIs
            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 001AA47A
            • __swprintf.LIBCMT ref: 001AA49C
            • CreateDirectoryW.KERNEL32(?,00000000), ref: 001AA4D9
            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 001AA4FE
            • _memset.LIBCMT ref: 001AA51D
            • _wcsncpy.LIBCMT ref: 001AA559
            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 001AA58E
            • CloseHandle.KERNEL32(00000000), ref: 001AA599
            • RemoveDirectoryW.KERNEL32(?), ref: 001AA5A2
            • CloseHandle.KERNEL32(00000000), ref: 001AA5AC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
            • String ID: :$\$\??\%s
            • API String ID: 2733774712-3457252023
            • Opcode ID: dbe7cf14f1a51150031ac3cddb0112b6028ccbec07e6a966748b2eb8bbfb517e
            • Instruction ID: f7898a8dc8fb6200f996781ebea5013876fa5cad62a5404806068a66f4d7fbee
            • Opcode Fuzzy Hash: dbe7cf14f1a51150031ac3cddb0112b6028ccbec07e6a966748b2eb8bbfb517e
            • Instruction Fuzzy Hash: C131B2B5900209ABDB219FA0DC48FEB37BDEF89701F5041BAF908D2150E7709685CB25
            Function 0017AB1B Relevance: 22.7, APIs: 15, Instructions: 211COMMONLIBRARYCODE
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
            • String ID:
            • API String ID: 884005220-0
            • Opcode ID: 61d7f93b13d249f66d71a95b25f4ec72a013b1c999d275ea9f82d7c4d0953e5c
            • Instruction ID: 6627885ae24573b4538d08bfb19947aef912190316272edd37d6c1208abec87c
            • Opcode Fuzzy Hash: 61d7f93b13d249f66d71a95b25f4ec72a013b1c999d275ea9f82d7c4d0953e5c
            • Instruction Fuzzy Hash: 01613672900301EFDB216F64EC42B6D77B9EFA1322F50C255E8099B1D1DB35D980C792
            Function 001ADB04 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON
            Download Yara Rule
            APIs
            • __wsplitpath.LIBCMT ref: 001ADC7B
            • _wcscat.LIBCMT ref: 001ADC93
            • _wcscat.LIBCMT ref: 001ADCA5
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 001ADCBA
            • SetCurrentDirectoryW.KERNEL32(?), ref: 001ADCCE
            • GetFileAttributesW.KERNEL32(?), ref: 001ADCE6
            • SetFileAttributesW.KERNEL32(?,00000000), ref: 001ADD00
            • SetCurrentDirectoryW.KERNEL32(?), ref: 001ADD12
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
            • String ID: *.*
            • API String ID: 34673085-438819550
            • Opcode ID: 1374338a28dd8a49c060e1bad73a891ec81c4a3d1844b1a2b0575ca2dac236ef
            • Instruction ID: a2b1cc86360d2fcf997f8c5ba905ae1bd94bc734bafac3ea8df2176a27310423
            • Opcode Fuzzy Hash: 1374338a28dd8a49c060e1bad73a891ec81c4a3d1844b1a2b0575ca2dac236ef
            • Instruction Fuzzy Hash: EA81D5795047019FCB24DF64D8459ABB7E9BF9A310F15882EF88AC7650E730DD44CB62
            Function 001CC49C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00142612: GetWindowLongW.USER32(?,000000EB), ref: 00142623
            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 001CC4EC
            • GetFocus.USER32 ref: 001CC4FC
            • GetDlgCtrlID.USER32(00000000), ref: 001CC507
            • _memset.LIBCMT ref: 001CC632
            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 001CC65D
            • GetMenuItemCount.USER32(?), ref: 001CC67D
            • GetMenuItemID.USER32(?,00000000), ref: 001CC690
            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 001CC6C4
            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 001CC70C
            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001CC744
            • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 001CC779
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
            • String ID: 0
            • API String ID: 1296962147-4108050209
            • Opcode ID: d860f720a118a1772043a90c1efafe6f0d2d0cb14d3207a6867bbfbd91cf92d6
            • Instruction ID: 9ab8d92594d351c0694b6c57a17dd9d4ff2f6333e32b1ba1cac7308455fb9497
            • Opcode Fuzzy Hash: d860f720a118a1772043a90c1efafe6f0d2d0cb14d3207a6867bbfbd91cf92d6
            • Instruction Fuzzy Hash: 77814970208311AFDB10CF24D985F6BBBE9EBA8314F10492DF99997291D770DD45CBA2
            Function 001983F4 Relevance: 21.2, APIs: 14, Instructions: 179memoryCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 0019874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00198766
              • Part of subcall function 0019874A: GetLastError.KERNEL32(?,0019822A,?,?,?), ref: 00198770
              • Part of subcall function 0019874A: GetProcessHeap.KERNEL32(00000008,?,?,0019822A,?,?,?), ref: 0019877F
              • Part of subcall function 0019874A: HeapAlloc.KERNEL32(00000000,?,0019822A,?,?,?), ref: 00198786
              • Part of subcall function 0019874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0019879D
              • Part of subcall function 001987E7: GetProcessHeap.KERNEL32(00000008,00198240,00000000,00000000,?,00198240,?), ref: 001987F3
              • Part of subcall function 001987E7: HeapAlloc.KERNEL32(00000000,?,00198240,?), ref: 001987FA
              • Part of subcall function 001987E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00198240,?), ref: 0019880B
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00198458
            • _memset.LIBCMT ref: 0019846D
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0019848C
            • GetLengthSid.ADVAPI32(?), ref: 0019849D
            • GetAce.ADVAPI32(?,00000000,?), ref: 001984DA
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 001984F6
            • GetLengthSid.ADVAPI32(?), ref: 00198513
            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00198522
            • HeapAlloc.KERNEL32(00000000), ref: 00198529
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0019854A
            • CopySid.ADVAPI32(00000000), ref: 00198551
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00198582
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 001985A8
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 001985BC
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
            • String ID:
            • API String ID: 3996160137-0
            • Opcode ID: 8cd7dee553d95a299ea2bcb0ef19baeb6a5b11dfea3756262f134d227f6533e7
            • Instruction ID: 44abcecb1dcbabd668723edb10d6577e148d1a4c4f277ed65b39aed3ec76bff3
            • Opcode Fuzzy Hash: 8cd7dee553d95a299ea2bcb0ef19baeb6a5b11dfea3756262f134d227f6533e7
            • Instruction Fuzzy Hash: DA61367190020AABDF00DFA4DC45EAEBBBAFF05700F14826AF915A7291DB31DA55CF60
            Function 001B762D Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON
            Download Yara Rule
            APIs
            • GetDC.USER32(00000000), ref: 001B76A2
            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 001B76AE
            • CreateCompatibleDC.GDI32(?), ref: 001B76BA
            • SelectObject.GDI32(00000000,?), ref: 001B76C7
            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 001B771B
            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 001B7757
            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 001B777B
            • SelectObject.GDI32(00000006,?), ref: 001B7783
            • DeleteObject.GDI32(?), ref: 001B778C
            • DeleteDC.GDI32(00000006), ref: 001B7793
            • ReleaseDC.USER32(00000000,?), ref: 001B779E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
            • String ID: (
            • API String ID: 2598888154-3887548279
            • Opcode ID: 60e472246b53266248f01d440d29b7861db8a9c21bd9c32d8cdee2d6a070ae7d
            • Instruction ID: 386dc7b2c57ce1f58f455ed60da0e9fff215d4a183ae951256ffa8d40e994e6c
            • Opcode Fuzzy Hash: 60e472246b53266248f01d440d29b7861db8a9c21bd9c32d8cdee2d6a070ae7d
            • Instruction Fuzzy Hash: 69514975904209EFDB15CFA8CC88EAEBBBAEF48710F14852DF94A97250D731A941CB60
            Function 001AA0B5 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 156COMMON
            Download Yara Rule
            APIs
            • LoadStringW.USER32(00000066,?,00000FFF,001CFB78), ref: 001AA0FC
              • Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82
            • LoadStringW.USER32(?,?,00000FFF,?), ref: 001AA11E
            • __swprintf.LIBCMT ref: 001AA177
            • __swprintf.LIBCMT ref: 001AA190
            • _wprintf.LIBCMT ref: 001AA246
            • _wprintf.LIBCMT ref: 001AA264
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: LoadString__swprintf_wprintf$_memmove
            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
            • API String ID: 311963372-2391861430
            • Opcode ID: 7ab2ba3bfee6cc223ed2f915b826de39a029f58016b981fa59b0a0661c8179e7
            • Instruction ID: 296efdef385a1dec02511cf70270ca6854f0eb8f53327e63af50b3c1e413dc83
            • Opcode Fuzzy Hash: 7ab2ba3bfee6cc223ed2f915b826de39a029f58016b981fa59b0a0661c8179e7
            • Instruction Fuzzy Hash: 44518F72900219BBCF15EBE0CD86EEEB779AF25300F500165F515B21A2EB316F58DB61
            Function 00146BEC Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00160B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00146C6C,?,00008000), ref: 00160BB7
              • Part of subcall function 001448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001448A1,?,?,001437C0,?), ref: 001448CE
            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00146D0D
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00146E5A
              • Part of subcall function 001459CD: _wcscpy.LIBCMT ref: 00145A05
              • Part of subcall function 0016387D: _iswctype.LIBCMT ref: 00163885
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
            • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
            • API String ID: 537147316-1018226102
            • Opcode ID: 58f535170de168f64c8c0dc6a5385d50781a25a6dd048f29855344bc0c68ad91
            • Instruction ID: 7e070bd9edc20e41660e58c4375bd8740839601f35241bde30a6b11af60de1de
            • Opcode Fuzzy Hash: 58f535170de168f64c8c0dc6a5385d50781a25a6dd048f29855344bc0c68ad91
            • Instruction Fuzzy Hash: 1A027C715083419FCB24EF24C881AAFBBF5AFA9314F14491DF48A972A2DB30D949CB53
            Function 001445DF Relevance: 19.7, APIs: 13, Instructions: 215windowCOMMON
            Download Yara Rule
            APIs
            • _memset.LIBCMT ref: 001445F9
            • GetMenuItemCount.USER32(00206890), ref: 0017D7CD
            • GetMenuItemCount.USER32(00206890), ref: 0017D87D
            • GetCursorPos.USER32(?), ref: 0017D8C1
            • SetForegroundWindow.USER32(00000000), ref: 0017D8CA
            • TrackPopupMenuEx.USER32(00206890,00000000,?,00000000,00000000,00000000), ref: 0017D8DD
            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 0017D8E9
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
            • String ID:
            • API String ID: 2751501086-0
            • Opcode ID: 758b9ef55d9c6f33986e655cbdd8f3bf7e70bcfd199d12af6270a835521ed0f8
            • Instruction ID: bbaadac044344293e671b7dc9b83af216ad858f9d3d1dc7701b91aa2c4e389a5
            • Opcode Fuzzy Hash: 758b9ef55d9c6f33986e655cbdd8f3bf7e70bcfd199d12af6270a835521ed0f8
            • Instruction Fuzzy Hash: 61713870601209BFEB249F54EC49FAABF75FF05368F204216F519661E0C7B1AC60DB91
            Function 001C10A5 Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON
            Download Yara Rule
            APIs
            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,001C0038,?,?), ref: 001C10BC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: BuffCharUpper
            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
            • API String ID: 3964851224-909552448
            • Opcode ID: b08ecf475f43b1bb1c3e11f834fd772e1c50d476ed21a9fd453fbb78d929c93e
            • Instruction ID: 559880cf3da7adb54fb73e88137f7dbc41b0aa0b9eae8efc019eead8bf53ef11
            • Opcode Fuzzy Hash: b08ecf475f43b1bb1c3e11f834fd772e1c50d476ed21a9fd453fbb78d929c93e
            • Instruction Fuzzy Hash: E0414F3418424EABCF11EF90DD91AEB3725AF36350F644558FE915B292DB30ED2AC750
            Function 001A5569 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66
              • Part of subcall function 00147A84: _memmove.LIBCMT ref: 00147B0D
            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 001A55D2
            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 001A55E8
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 001A55F9
            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 001A560B
            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 001A561C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: SendString$_memmove
            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
            • API String ID: 2279737902-1007645807
            • Opcode ID: c0507f726f5ae6a376f9ffb821648837071242ac7c8246c85a5e170c357bc04e
            • Instruction ID: 9ac230b6a2c049ee0ad91f3d38423e628a6d522e51debdd3a6185ca1f6d0d379
            • Opcode Fuzzy Hash: c0507f726f5ae6a376f9ffb821648837071242ac7c8246c85a5e170c357bc04e
            • Instruction Fuzzy Hash: BE11B2A495426D79D720A761CC8ADFF7B7DFFA2B00F800429B509A30E1DF640D05C5A1
            Function 001A48F3 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
            • String ID: 0.0.0.0
            • API String ID: 208665112-3771769585
            • Opcode ID: 8df889a6672a22e4330c6c36110f0d176e43851019a965250f59dce8901cbf55
            • Instruction ID: 676f1f6b67b458973b8294fa1b6efa89ccc8898d4974e7c99d71b381359f111e
            • Opcode Fuzzy Hash: 8df889a6672a22e4330c6c36110f0d176e43851019a965250f59dce8901cbf55
            • Instruction Fuzzy Hash: 35110A35904114AFCB24EB74DC06EEB77BCDF56714F0441BAF40596091EFB1DAD28691
            Function 001A5217 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON
            Download Yara Rule
            APIs
            • timeGetTime.WINMM ref: 001A521C
              • Part of subcall function 00160719: timeGetTime.WINMM(?,75C0B400,00150FF9), ref: 0016071D
            • Sleep.KERNEL32(0000000A), ref: 001A5248
            • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 001A526C
            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 001A528E
            • SetActiveWindow.USER32 ref: 001A52AD
            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 001A52BB
            • SendMessageW.USER32(00000010,00000000,00000000), ref: 001A52DA
            • Sleep.KERNEL32(000000FA), ref: 001A52E5
            • IsWindow.USER32 ref: 001A52F1
            • EndDialog.USER32(00000000), ref: 001A5302
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
            • String ID: BUTTON
            • API String ID: 1194449130-3405671355
            • Opcode ID: cb64d3807eb7b70a75eef998fdd32d8c28baec5428bba1f81ec806ae189b45fe
            • Instruction ID: 38f2b7bfa70547d485fef84f621c51817d6008a65f9a057b74273f6fbe172ef0
            • Opcode Fuzzy Hash: cb64d3807eb7b70a75eef998fdd32d8c28baec5428bba1f81ec806ae189b45fe
            • Instruction Fuzzy Hash: 3321CF74208704AFE7015B30FC8DF763F6BEB96356F441028F901815B2CBA1AC918B21
            Function 001AD7F8 Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00149997: __itow.LIBCMT ref: 001499C2
              • Part of subcall function 00149997: __swprintf.LIBCMT ref: 00149A0C
            • CoInitialize.OLE32(00000000), ref: 001AD855
            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 001AD8E8
            • SHGetDesktopFolder.SHELL32(?), ref: 001AD8FC
            • CoCreateInstance.OLE32(001D2D7C,00000000,00000001,001FA89C,?), ref: 001AD948
            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 001AD9B7
            • CoTaskMemFree.OLE32(?,?), ref: 001ADA0F
            • _memset.LIBCMT ref: 001ADA4C
            • SHBrowseForFolderW.SHELL32(?), ref: 001ADA88
            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 001ADAAB
            • CoTaskMemFree.OLE32(00000000), ref: 001ADAB2
            • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 001ADAE9
            • CoUninitialize.OLE32(00000001,00000000), ref: 001ADAEB
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
            • String ID:
            • API String ID: 1246142700-0
            • Opcode ID: cbb0efea5a1deccfe62f6f0fd856fdeba2bf3245654d859546205f9b1179387b
            • Instruction ID: 0ba10d5a6bd7f678ac1e47e01cec4ac8d834e26e411549303142fc6aa404709b
            • Opcode Fuzzy Hash: cbb0efea5a1deccfe62f6f0fd856fdeba2bf3245654d859546205f9b1179387b
            • Instruction Fuzzy Hash: 3FB11E75A00119AFDB04DFA4D889DAEBBF9FF49304B148469F90AEB261DB30ED45CB50
            Function 001A052C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON
            Download Yara Rule
            APIs
            • GetKeyboardState.USER32(?), ref: 001A05A7
            • SetKeyboardState.USER32(?), ref: 001A0612
            • GetAsyncKeyState.USER32(000000A0), ref: 001A0632
            • GetKeyState.USER32(000000A0), ref: 001A0649
            • GetAsyncKeyState.USER32(000000A1), ref: 001A0678
            • GetKeyState.USER32(000000A1), ref: 001A0689
            • GetAsyncKeyState.USER32(00000011), ref: 001A06B5
            • GetKeyState.USER32(00000011), ref: 001A06C3
            • GetAsyncKeyState.USER32(00000012), ref: 001A06EC
            • GetKeyState.USER32(00000012), ref: 001A06FA
            • GetAsyncKeyState.USER32(0000005B), ref: 001A0723
            • GetKeyState.USER32(0000005B), ref: 001A0731
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: State$Async$Keyboard
            • String ID:
            • API String ID: 541375521-0
            • Opcode ID: aafa5ef34c90bbf4855ce8b6c214e84750e771cb27f875eb03b3768b0c415302
            • Instruction ID: 17ff052ca430500399391aa71df7f15fc701a4d4caa0760033b7e6c765e85c7c
            • Opcode Fuzzy Hash: aafa5ef34c90bbf4855ce8b6c214e84750e771cb27f875eb03b3768b0c415302
            • Instruction Fuzzy Hash: DD511B68E0478429FB36DBB088547EABFB59F17380F08459DC5C25B1C2DB64AB8CCB51
            Function 0019C72A Relevance: 18.2, APIs: 12, Instructions: 174COMMON
            Download Yara Rule
            APIs
            • GetDlgItem.USER32(?,00000001), ref: 0019C746
            • GetWindowRect.USER32(00000000,?), ref: 0019C758
            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0019C7B6
            • GetDlgItem.USER32(?,00000002), ref: 0019C7C1
            • GetWindowRect.USER32(00000000,?), ref: 0019C7D3
            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0019C827
            • GetDlgItem.USER32(?,000003E9), ref: 0019C835
            • GetWindowRect.USER32(00000000,?), ref: 0019C846
            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0019C889
            • GetDlgItem.USER32(?,000003EA), ref: 0019C897
            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0019C8B4
            • InvalidateRect.USER32(?,00000000,00000001), ref: 0019C8C1
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$ItemMoveRect$Invalidate
            • String ID:
            • API String ID: 3096461208-0
            • Opcode ID: c80477ae42bb7b9983f79bbdb30febac4ad64e755144fdf638eaa8baef28ce1a
            • Instruction ID: 5b9ed0fca750bca07e05e80c2a16b1cd1c6987f0534a3cfc4752abdfa9332679
            • Opcode Fuzzy Hash: c80477ae42bb7b9983f79bbdb30febac4ad64e755144fdf638eaa8baef28ce1a
            • Instruction Fuzzy Hash: BA513D71B00205ABDF18CFA9DD99EAEBBBAEB88310F14812DF516D7290D770DD418B50
            Function 0014201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00141B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00142036,?,00000000,?,?,?,?,001416CB,00000000,?), ref: 00141B9A
            • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 001420D3
            • KillTimer.USER32(-00000001,?,?,?,?,001416CB,00000000,?,?,00141AE2,?,?), ref: 0014216E
            • DestroyAcceleratorTable.USER32(00000000), ref: 0017BEF6
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001416CB,00000000,?,?,00141AE2,?,?), ref: 0017BF27
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001416CB,00000000,?,?,00141AE2,?,?), ref: 0017BF3E
            • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,001416CB,00000000,?,?,00141AE2,?,?), ref: 0017BF5A
            • DeleteObject.GDI32(00000000), ref: 0017BF6C
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
            • String ID:
            • API String ID: 641708696-0
            • Opcode ID: 2eca5fa056cf6f22483030f0e95f74d5ee2422b430bb6a617eaaab75b3dc519b
            • Instruction ID: bfe36ecdf123a7fdd76f5c31b865afd9db4527dcd3cd5c507d408473232fb4b5
            • Opcode Fuzzy Hash: 2eca5fa056cf6f22483030f0e95f74d5ee2422b430bb6a617eaaab75b3dc519b
            • Instruction Fuzzy Hash: 92615631104710DFCB299F14E988B2ABBF2FB50B16F508529F1468BAB1C775A8E5DF90
            Function 001421A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 001425DB: GetWindowLongW.USER32(?,000000EB), ref: 001425EC
            • GetSysColor.USER32(0000000F), ref: 001421D3
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ColorLongWindow
            • String ID:
            • API String ID: 259745315-0
            • Opcode ID: 7e2b7b7fa1aa8b2a4f4e640f63a728154c521119d56d8c39a279524ed8c72556
            • Instruction ID: f4260d642d2a8494ae1a63bb7033b3341330ea5405405b04c00a276c7d9daa66
            • Opcode Fuzzy Hash: 7e2b7b7fa1aa8b2a4f4e640f63a728154c521119d56d8c39a279524ed8c72556
            • Instruction Fuzzy Hash: 64416F35100550DEDB255F28EC88FB93B66EB06331FA88269FD658A1F6C7718CC2DB61
            Function 001AAB12 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON
            Download Yara Rule
            APIs
            • CharLowerBuffW.USER32(?,?,001CF910), ref: 001AAB76
            • GetDriveTypeW.KERNEL32(00000061,001FA620,00000061), ref: 001AAC40
            • _wcscpy.LIBCMT ref: 001AAC6A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: BuffCharDriveLowerType_wcscpy
            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
            • API String ID: 2820617543-1000479233
            • Opcode ID: eeadb55adc9723e2b66143df2429c03988f0826910c85c87cdbe0b3b3764e810
            • Instruction ID: d26abb26828bb895a6bf8ac1df77f2128324174e3b8bc06eda553953ddb0de95
            • Opcode Fuzzy Hash: eeadb55adc9723e2b66143df2429c03988f0826910c85c87cdbe0b3b3764e810
            • Instruction Fuzzy Hash: 2151C0341083059BC714EF54C891AAFB7A6EFA5310F94882DF596972A2DB31DD0ACB53
            Function 001CC27C Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 149windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00142612: GetWindowLongW.USER32(?,000000EB), ref: 00142623
              • Part of subcall function 00142344: GetCursorPos.USER32(?), ref: 00142357
              • Part of subcall function 00142344: ScreenToClient.USER32(002067B0,?), ref: 00142374
              • Part of subcall function 00142344: GetAsyncKeyState.USER32(00000001), ref: 00142399
              • Part of subcall function 00142344: GetAsyncKeyState.USER32(00000002), ref: 001423A7
            • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 001CC2E4
            • ImageList_EndDrag.COMCTL32 ref: 001CC2EA
            • ReleaseCapture.USER32 ref: 001CC2F0
            • SetWindowTextW.USER32(?,00000000), ref: 001CC39A
            • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 001CC3AD
            • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 001CC48F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
            • String ID: @GUI_DRAGFILE$@GUI_DROPID$pr $pr
            • API String ID: 1924731296-888126259
            • Opcode ID: acf8d68388e5efbe1fe88fb408d8cf840b29841e1bf40e71deee6c353888ca87
            • Instruction ID: 3a96953396d63e156c96e5092a1dbd2bb511df0c0f032f326099f16ff670fd1f
            • Opcode Fuzzy Hash: acf8d68388e5efbe1fe88fb408d8cf840b29841e1bf40e71deee6c353888ca87
            • Instruction Fuzzy Hash: BA519C70204304AFD704DF24D89AF6A7BE5EBA8314F10852DF5958B2F2CB30E959CB52
            Function 00149997 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: __i64tow__itow__swprintf
            • String ID: %.15g$0x%p$False$True
            • API String ID: 421087845-2263619337
            • Opcode ID: 646b4edad101b90375baf24ed47c94327dafc56f3e3956058f4c7d805ff57287
            • Instruction ID: 7c8e24fd8c4f312f1d648b05730529dabaa124a7729a6b7a0ec740e6712b9830
            • Opcode Fuzzy Hash: 646b4edad101b90375baf24ed47c94327dafc56f3e3956058f4c7d805ff57287
            • Instruction Fuzzy Hash: F0419071604205ABDB28DB38DC42E7B73F8EB58314F2484AEF64DD72A1EB719942CB51
            Function 001C73C1 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON
            Download Yara Rule
            APIs
            • _memset.LIBCMT ref: 001C73D9
            • CreateMenu.USER32 ref: 001C73F4
            • SetMenu.USER32(?,00000000), ref: 001C7403
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001C7490
            • IsMenu.USER32(?), ref: 001C74A6
            • CreatePopupMenu.USER32 ref: 001C74B0
            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001C74DD
            • DrawMenuBar.USER32 ref: 001C74E5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
            • String ID: 0$F
            • API String ID: 176399719-3044882817
            • Opcode ID: f27040cac3628e58aa036beadd89afecd7498a259405e5194376e50deb40400c
            • Instruction ID: a526cc217f768101a90b9c555dab51f8bdf553cfad628d52db5e8482fd6a7cac
            • Opcode Fuzzy Hash: f27040cac3628e58aa036beadd89afecd7498a259405e5194376e50deb40400c
            • Instruction Fuzzy Hash: 86411575A00209EFDB14DF64E888F9ABBB9FF59310F144029EA55973A0D771E924CF50
            Function 001C772A Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON
            Download Yara Rule
            APIs
            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 001C77CD
            • CreateCompatibleDC.GDI32(00000000), ref: 001C77D4
            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 001C77E7
            • SelectObject.GDI32(00000000,00000000), ref: 001C77EF
            • GetPixel.GDI32(00000000,00000000,00000000), ref: 001C77FA
            • DeleteDC.GDI32(00000000), ref: 001C7803
            • GetWindowLongW.USER32(?,000000EC), ref: 001C780D
            • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 001C7821
            • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 001C782D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
            • String ID: static
            • API String ID: 2559357485-2160076837
            • Opcode ID: 0c9b842fc76d278e45091f3d724006d1bbc0b4a10124faf4b3fcf722ec3c0dd1
            • Instruction ID: 7e4742d5578fa16671b18eda8826120cbd34472edd5e309ccd09494ac48e7b3e
            • Opcode Fuzzy Hash: 0c9b842fc76d278e45091f3d724006d1bbc0b4a10124faf4b3fcf722ec3c0dd1
            • Instruction Fuzzy Hash: 58316B32105219BBDF119FA4DC09FDA3F6AFF19724F110229FA15A61E0C771D862DBA4
            Function 00167040 Relevance: 16.8, APIs: 11, Instructions: 258COMMON
            Download Yara Rule
            APIs
            • _memset.LIBCMT ref: 0016707B
              • Part of subcall function 00168D68: __getptd_noexit.LIBCMT ref: 00168D68
            • __gmtime64_s.LIBCMT ref: 00167114
            • __gmtime64_s.LIBCMT ref: 0016714A
            • __gmtime64_s.LIBCMT ref: 00167167
            • __allrem.LIBCMT ref: 001671BD
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 001671D9
            • __allrem.LIBCMT ref: 001671F0
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0016720E
            • __allrem.LIBCMT ref: 00167225
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00167243
            • __invoke_watson.LIBCMT ref: 001672B4
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
            • String ID:
            • API String ID: 384356119-0
            • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
            • Instruction ID: 902e5011c8ca56bf1429e6211857f25baae1fd18bfb7d03b3863b0a2a1b26503
            • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
            • Instruction Fuzzy Hash: 8B71DA71A04716ABD714AE79CC51B6AB3B8AF15728F14822AF914D72C1E770DA6087E0
            Function 001A2A16 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON
            Download Yara Rule
            APIs
            • _memset.LIBCMT ref: 001A2A31
            • GetMenuItemInfoW.USER32(00206890,000000FF,00000000,00000030), ref: 001A2A92
            • SetMenuItemInfoW.USER32(00206890,00000004,00000000,00000030), ref: 001A2AC8
            • Sleep.KERNEL32(000001F4), ref: 001A2ADA
            • GetMenuItemCount.USER32(?), ref: 001A2B1E
            • GetMenuItemID.USER32(?,00000000), ref: 001A2B3A
            • GetMenuItemID.USER32(?,-00000001), ref: 001A2B64
            • GetMenuItemID.USER32(?,?), ref: 001A2BA9
            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 001A2BEF
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001A2C03
            • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001A2C24
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
            • String ID:
            • API String ID: 4176008265-0
            • Opcode ID: 09ee6cbbd33460955dd5d18352588db1557f384b2e3c90c6adcb08ff311b8443
            • Instruction ID: 28d4430dcdcbcd7bb8663ebdf742cb937b7245a84f77da6d511525cb0a3308f3
            • Opcode Fuzzy Hash: 09ee6cbbd33460955dd5d18352588db1557f384b2e3c90c6adcb08ff311b8443
            • Instruction Fuzzy Hash: E061B1B8900249AFDB21CF68DD88EBEBBB9EB06314F140559F84197251D731EE46DB21
            Function 001C7192 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 001C7214
            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 001C7217
            • GetWindowLongW.USER32(?,000000F0), ref: 001C723B
            • _memset.LIBCMT ref: 001C724C
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001C725E
            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 001C72D6
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$LongWindow_memset
            • String ID:
            • API String ID: 830647256-0
            • Opcode ID: 3dadbca817a6c6304d6a71313112575d6ad04aafba34c5eea9326a12c8cd226d
            • Instruction ID: a130bc9de4733b4d1a1ca8b8b04ffd6a6725d4c263844f3ac155a1e029d28a58
            • Opcode Fuzzy Hash: 3dadbca817a6c6304d6a71313112575d6ad04aafba34c5eea9326a12c8cd226d
            • Instruction Fuzzy Hash: 84615771A00248AFDB10DFA4CC85EEEB7F8AB19710F144159FA14A72E2C7B0AE55DF60
            Function 0019710E Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON
            Download Yara Rule
            APIs
            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00197135
            • SafeArrayAllocData.OLEAUT32(?), ref: 0019718E
            • VariantInit.OLEAUT32(?), ref: 001971A0
            • SafeArrayAccessData.OLEAUT32(?,?), ref: 001971C0
            • VariantCopy.OLEAUT32(?,?), ref: 00197213
            • SafeArrayUnaccessData.OLEAUT32(?), ref: 00197227
            • VariantClear.OLEAUT32(?), ref: 0019723C
            • SafeArrayDestroyData.OLEAUT32(?), ref: 00197249
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00197252
            • VariantClear.OLEAUT32(?), ref: 00197264
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0019726F
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
            • String ID:
            • API String ID: 2706829360-0
            • Opcode ID: db39df60887453cdc7c9626675d30a79744e6f326db68d7efe07d7e39277e5ea
            • Instruction ID: 017bdd5c3998f3fa6b6857aa3e5aa775ccde11b607ce6041f90cea48c2945ccd
            • Opcode Fuzzy Hash: db39df60887453cdc7c9626675d30a79744e6f326db68d7efe07d7e39277e5ea
            • Instruction Fuzzy Hash: DE415F35A10219AFCF04DFA4D848DAEBBB9FF58354F008069F915A7661CB30E946CB90
            Function 001B86D0 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00149997: __itow.LIBCMT ref: 001499C2
              • Part of subcall function 00149997: __swprintf.LIBCMT ref: 00149A0C
            • CoInitialize.OLE32 ref: 001B8718
            • CoUninitialize.OLE32 ref: 001B8723
            • CoCreateInstance.OLE32(?,00000000,00000017,001D2BEC,?), ref: 001B8783
            • IIDFromString.OLE32(?,?), ref: 001B87F6
            • VariantInit.OLEAUT32(?), ref: 001B8890
            • VariantClear.OLEAUT32(?), ref: 001B88F1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
            • API String ID: 834269672-1287834457
            • Opcode ID: de0925af2063a3d34cf1e4f37a68c2f676238d7b2493b06068a54e400693352a
            • Instruction ID: 83cd953f2881698144ef6f210ac1eb01560ffc4a72b0ef382beb09b19c7358fa
            • Opcode Fuzzy Hash: de0925af2063a3d34cf1e4f37a68c2f676238d7b2493b06068a54e400693352a
            • Instruction Fuzzy Hash: 2561AF70608301AFD714DF64C848FABBBE8AF59B14F54481DF9859B2A1CB70ED45CB92
            Function 001B5A45 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON
            Download Yara Rule
            APIs
            • WSAStartup.WSOCK32(00000101,?), ref: 001B5AA6
            • inet_addr.WSOCK32(?), ref: 001B5AEB
            • gethostbyname.WSOCK32(?), ref: 001B5AF7
            • IcmpCreateFile.IPHLPAPI ref: 001B5B05
            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 001B5B75
            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 001B5B8B
            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 001B5C00
            • WSACleanup.WSOCK32 ref: 001B5C06
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
            • String ID: Ping
            • API String ID: 1028309954-2246546115
            • Opcode ID: 62a74991aa08751285ac4bff108308819a3cd994784ab84acc151d80334f48b5
            • Instruction ID: 62388a4a4a2ac11d6df772eb9392e416fe894fcf1798b1fb337685f62babd8cd
            • Opcode Fuzzy Hash: 62a74991aa08751285ac4bff108308819a3cd994784ab84acc151d80334f48b5
            • Instruction Fuzzy Hash: 2B517F316047009FDB11AF24CD89B6ABBE6EF48710F14896AF556DB2A1DB70E840CB52
            Function 001AB72E Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON
            Download Yara Rule
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 001AB73B
            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 001AB7B1
            • GetLastError.KERNEL32 ref: 001AB7BB
            • SetErrorMode.KERNEL32(00000000,READY), ref: 001AB828
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Error$Mode$DiskFreeLastSpace
            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
            • API String ID: 4194297153-14809454
            • Opcode ID: 5a6134de519cef2fcef9eadad08fd65c584c439e08e386acbba82ff4faad8dac
            • Instruction ID: ccd9964d34606d2d5aae6e219d9416f6777ab6b03675e1de693088b1199949ed
            • Opcode Fuzzy Hash: 5a6134de519cef2fcef9eadad08fd65c584c439e08e386acbba82ff4faad8dac
            • Instruction Fuzzy Hash: E031C439A042499FDB00EFA8C8C5EBEBBB4FF96740F144029E505D72E2DBB59942C751
            Function 00199471 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82
              • Part of subcall function 0019B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0019B0E7
            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 001994F6
            • GetDlgCtrlID.USER32 ref: 00199501
            • GetParent.USER32 ref: 0019951D
            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00199520
            • GetDlgCtrlID.USER32(?), ref: 00199529
            • GetParent.USER32(?), ref: 00199545
            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00199548
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$CtrlParent$ClassName_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 1536045017-1403004172
            • Opcode ID: 5a11f4b81045dde84514a5c747cdc879cdada681bc80962210938408fd05fdc5
            • Instruction ID: 04fb3a03992a0ebcf7b55510390ff485bcbec60a192162c8ac5b009052637dc3
            • Opcode Fuzzy Hash: 5a11f4b81045dde84514a5c747cdc879cdada681bc80962210938408fd05fdc5
            • Instruction Fuzzy Hash: 0121C170900208BBDF05AB64CC85EFEBB75EF59300F10012AB961972E2DB759959DB20
            Function 0019955C Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82
              • Part of subcall function 0019B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0019B0E7
            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 001995DF
            • GetDlgCtrlID.USER32 ref: 001995EA
            • GetParent.USER32 ref: 00199606
            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00199609
            • GetDlgCtrlID.USER32(?), ref: 00199612
            • GetParent.USER32(?), ref: 0019962E
            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00199631
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$CtrlParent$ClassName_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 1536045017-1403004172
            • Opcode ID: a12a4c47c615b19648287c831d2d0e92da0999e7228b02ef28743466a8f2489f
            • Instruction ID: 825d3ea66e85926f69184bc0f399c88e6dacdd736eb6e740d0c0a97cb991a4d8
            • Opcode Fuzzy Hash: a12a4c47c615b19648287c831d2d0e92da0999e7228b02ef28743466a8f2489f
            • Instruction Fuzzy Hash: F921C5B4900208BBDF05AB64CCC5EFEBB79EF58300F14401AF961972A1DB759959DB20
            Function 00199645 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON
            Download Yara Rule
            APIs
            • GetParent.USER32 ref: 00199651
            • GetClassNameW.USER32(00000000,?,00000100), ref: 00199666
            • _wcscmp.LIBCMT ref: 00199678
            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 001996F3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ClassMessageNameParentSend_wcscmp
            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
            • API String ID: 1704125052-3381328864
            • Opcode ID: ba214fc26fbedd1b4039a36fab214521abe8d09be75acd1875aec81b54de4b0c
            • Instruction ID: ea8decaa9d2cc856f995b03e13c2cb4e3b2b5837f2fdd8fd86b8b51f43e37600
            • Opcode Fuzzy Hash: ba214fc26fbedd1b4039a36fab214521abe8d09be75acd1875aec81b54de4b0c
            • Instruction Fuzzy Hash: BB11E976248317BAFE053628DC07EB6779C9F15760F20012FFA10A54E1FFA1A9618A58
            Function 001B8BC0 Relevance: 15.3, APIs: 10, Instructions: 324fileCOMMON
            Download Yara Rule
            APIs
            • VariantInit.OLEAUT32(?), ref: 001B8BEC
            • CoInitialize.OLE32(00000000), ref: 001B8C19
            • CoUninitialize.OLE32 ref: 001B8C23
            • GetRunningObjectTable.OLE32(00000000,?), ref: 001B8D23
            • SetErrorMode.KERNEL32(00000001,00000029), ref: 001B8E50
            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,001D2C0C), ref: 001B8E84
            • CoGetObject.OLE32(?,00000000,001D2C0C,?), ref: 001B8EA7
            • SetErrorMode.KERNEL32(00000000), ref: 001B8EBA
            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 001B8F3A
            • VariantClear.OLEAUT32(?), ref: 001B8F4A
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
            • String ID:
            • API String ID: 2395222682-0
            • Opcode ID: ea2fa0424c54a3c954b34514f4dbafeab0453d7862658c8ee17aada89c38f4e5
            • Instruction ID: 40884a27f1f341f2765f7dab7167db6075527fbe9fcbff0756ec475c8622f996
            • Opcode Fuzzy Hash: ea2fa0424c54a3c954b34514f4dbafeab0453d7862658c8ee17aada89c38f4e5
            • Instruction Fuzzy Hash: BBC125B1608305AFC700EF64C8849ABBBE9FF89748F00495DF5899B261DB71ED46CB52
            Function 001A4189 Relevance: 15.1, APIs: 10, Instructions: 108windowCOMMON
            Download Yara Rule
            APIs
            • __swprintf.LIBCMT ref: 001A419D
            • __swprintf.LIBCMT ref: 001A41AA
              • Part of subcall function 001638D8: __woutput_l.LIBCMT ref: 00163931
            • FindResourceW.KERNEL32(?,?,0000000E), ref: 001A41D4
            • LoadResource.KERNEL32(?,00000000), ref: 001A41E0
            • LockResource.KERNEL32(00000000), ref: 001A41ED
            • FindResourceW.KERNEL32(?,?,00000003), ref: 001A420D
            • LoadResource.KERNEL32(?,00000000), ref: 001A421F
            • SizeofResource.KERNEL32(?,00000000), ref: 001A422E
            • LockResource.KERNEL32(?), ref: 001A423A
            • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 001A429B
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
            • String ID:
            • API String ID: 1433390588-0
            • Opcode ID: b6a4259fa26035d4ebff4d3582aaf702d3b2b48b49b0bde7c6e7251779096ed8
            • Instruction ID: 9b59a6d6fff04ce01f2d1ac46dda243baa3beff2e8129b6a9de57544bc6b7991
            • Opcode Fuzzy Hash: b6a4259fa26035d4ebff4d3582aaf702d3b2b48b49b0bde7c6e7251779096ed8
            • Instruction Fuzzy Hash: C931A175A0521AAFDB119F60EC48EBF7BADEF45301F00452AF915D2150D7B0DA62CBA0
            Function 001A16DE Relevance: 15.1, APIs: 10, Instructions: 89threadCOMMON
            Download Yara Rule
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 001A1700
            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,001A0778,?,00000001), ref: 001A1714
            • GetWindowThreadProcessId.USER32(00000000), ref: 001A171B
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001A0778,?,00000001), ref: 001A172A
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 001A173C
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001A0778,?,00000001), ref: 001A1755
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,001A0778,?,00000001), ref: 001A1767
            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,001A0778,?,00000001), ref: 001A17AC
            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,001A0778,?,00000001), ref: 001A17C1
            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,001A0778,?,00000001), ref: 001A17CC
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
            • String ID:
            • API String ID: 2156557900-0
            • Opcode ID: 09a4c462d964760e20d9a521a5b278249e7739b78f9ce109b7726c81257c9818
            • Instruction ID: 1b777f4757bba50530b51b3d76d29648d3c6f2468cda778c19b0923f47cbc447
            • Opcode Fuzzy Hash: 09a4c462d964760e20d9a521a5b278249e7739b78f9ce109b7726c81257c9818
            • Instruction Fuzzy Hash: 2931A279A04305BFEB119F94EC8CF797BEAEB66751F104029F904C66A0D774AD808BA0
            Function 0014FBBD Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON
            Download Yara Rule
            APIs
            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0014FC06
            • OleUninitialize.OLE32(?,00000000), ref: 0014FCA5
            • UnregisterHotKey.USER32(?), ref: 0014FDFC
            • DestroyWindow.USER32(?), ref: 00184A00
            • FreeLibrary.KERNEL32(?), ref: 00184A65
            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00184A92
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
            • String ID: close all
            • API String ID: 469580280-3243417748
            • Opcode ID: 746a7ffd9ae184e75b31cc90c4793ba4b850da534087272439f18ae8f40c48a0
            • Instruction ID: 1a0e6c2745f295cb411aa16bceec367672e8846e5f55b14ae3506a408f92a418
            • Opcode Fuzzy Hash: 746a7ffd9ae184e75b31cc90c4793ba4b850da534087272439f18ae8f40c48a0
            • Instruction Fuzzy Hash: F0A14835701212CFCB29EF54C895E69F7A5AF14700F1542ADE80AAB262DF30EE56CF94
            Function 0019A693 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON
            Download Yara Rule
            APIs
            • EnumChildWindows.USER32(?,0019AA64), ref: 0019A9A2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ChildEnumWindows
            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
            • API String ID: 3555792229-1603158881
            • Opcode ID: f023d9c1d6265b6663d014a6fccf30dbac7566f24533dfbef38f119d9d25d1f5
            • Instruction ID: c1a40dba53fe6e6403c38ca0441bc27c23e12ecc9b9d490ad71619cbde0b7aae
            • Opcode Fuzzy Hash: f023d9c1d6265b6663d014a6fccf30dbac7566f24533dfbef38f119d9d25d1f5
            • Instruction Fuzzy Hash: B8917270A0060AEBDF18EFA0C881BE9FB75BF14314F918119E99AA7151DF306A5DCBD1
            Function 00142E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON
            Download Yara Rule
            APIs
            • SetWindowLongW.USER32(?,000000EB), ref: 00142EAE
              • Part of subcall function 00141DB3: GetClientRect.USER32(?,?), ref: 00141DDC
              • Part of subcall function 00141DB3: GetWindowRect.USER32(?,?), ref: 00141E1D
              • Part of subcall function 00141DB3: ScreenToClient.USER32(?,?), ref: 00141E45
            • GetDC.USER32 ref: 0017CF82
            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0017CF95
            • SelectObject.GDI32(00000000,00000000), ref: 0017CFA3
            • SelectObject.GDI32(00000000,00000000), ref: 0017CFB8
            • ReleaseDC.USER32(?,00000000), ref: 0017CFC0
            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0017D04B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
            • String ID: U
            • API String ID: 4009187628-3372436214
            • Opcode ID: c3f809f92f4d6eb98950fb731ecdcced8c6823344baa64f3411c5e52a79ebbaf
            • Instruction ID: 66f4788ca97d41288f5b6aa94ce1d879c35cc061c4e823b390ae33654054b923
            • Opcode Fuzzy Hash: c3f809f92f4d6eb98950fb731ecdcced8c6823344baa64f3411c5e52a79ebbaf
            • Instruction Fuzzy Hash: 7F71A530500209DFCF25CF64DC84AAA7BB6FF49350F14826EFD596A166C7318C92DB60
            Function 001B8F5B Relevance: 13.9, APIs: 9, Instructions: 438COMMON
            Download Yara Rule
            APIs
            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,001CF910), ref: 001B903D
            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,001CF910), ref: 001B9071
            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 001B91EB
            • SysFreeString.OLEAUT32(?), ref: 001B9215
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Free$FileLibraryModuleNamePathQueryStringType
            • String ID:
            • API String ID: 560350794-0
            • Opcode ID: 064242b021a5f9868b4f20de43d8de83e341f6c38112ebc7a3df4e3564302d49
            • Instruction ID: 4eeb8e43b161cc1604fb0adc4347afafcd245afe53b634d2c7590b24a6ca7f1b
            • Opcode Fuzzy Hash: 064242b021a5f9868b4f20de43d8de83e341f6c38112ebc7a3df4e3564302d49
            • Instruction Fuzzy Hash: 23F1F971A00119EFDB04DFA4C888EEEB7B9FF49315F108459F515AB261DB31AE46CB60
            Function 001BF9A8 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON
            Download Yara Rule
            APIs
            • _memset.LIBCMT ref: 001BF9C9
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001BFB5C
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 001BFB80
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001BFBC0
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 001BFBE2
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 001BFD5E
            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 001BFD90
            • CloseHandle.KERNEL32(?), ref: 001BFDBF
            • CloseHandle.KERNEL32(?), ref: 001BFE36
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
            • String ID:
            • API String ID: 4090791747-0
            • Opcode ID: ab3738251a1589193a70152f84f86b7775971bb23ce96e36c64da5f82ec58504
            • Instruction ID: 404b9e775b2b9af2e0fc03af4ea8abbc8abb3df94c25114829707edb4acfcc11
            • Opcode Fuzzy Hash: ab3738251a1589193a70152f84f86b7775971bb23ce96e36c64da5f82ec58504
            • Instruction Fuzzy Hash: 12E19F31204341DFCB14EF24C891BAABBE1EF95354F14896DF8999B2A2DB31DC46CB52
            Function 001A4F63 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 001A48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001A38D3,?), ref: 001A48C7
              • Part of subcall function 001A48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001A38D3,?), ref: 001A48E0
              • Part of subcall function 001A4CD3: GetFileAttributesW.KERNEL32(?,001A3947), ref: 001A4CD4
            • lstrcmpiW.KERNEL32(?,?), ref: 001A4FE2
            • _wcscmp.LIBCMT ref: 001A4FFC
            • MoveFileW.KERNEL32(?,?), ref: 001A5017
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
            • String ID:
            • API String ID: 793581249-0
            • Opcode ID: 9aead4cd92f45c50362c180d97a863b396ad8d07916c9540af55b1c3f4994eec
            • Instruction ID: e4537f33c856b2e0020815cf761d0a901d5e0701f97c2c7ebbaff5be6f8fe663
            • Opcode Fuzzy Hash: 9aead4cd92f45c50362c180d97a863b396ad8d07916c9540af55b1c3f4994eec
            • Instruction Fuzzy Hash: EB5171B600C7849BC724DBA0CC819DFB3ECAF95340F00492EF189C3152EF74A2888766
            Function 001C88B4 Relevance: 13.7, APIs: 9, Instructions: 168COMMON
            Download Yara Rule
            APIs
            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 001C896E
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: InvalidateRect
            • String ID:
            • API String ID: 634782764-0
            • Opcode ID: 5f2399e2ab90cf14d8c9ba98a83a46f7d45beef8e0e63f843fc85b98cfd50dcc
            • Instruction ID: 6bd9ea7cf577b4f426ece688d4d665c46835a7fe908222bec58832a9f3807733
            • Opcode Fuzzy Hash: 5f2399e2ab90cf14d8c9ba98a83a46f7d45beef8e0e63f843fc85b98cfd50dcc
            • Instruction Fuzzy Hash: 4A51A130600219BEDF249F28CCC9FAA7B65BB25314F60411AF515E79A1DF71ED908B51
            Function 00142B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON
            Download Yara Rule
            APIs
            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0017C547
            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0017C569
            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0017C581
            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0017C59F
            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0017C5C0
            • DestroyIcon.USER32(00000000), ref: 0017C5CF
            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0017C5EC
            • DestroyIcon.USER32(?), ref: 0017C5FB
              • Part of subcall function 001CA71E: DeleteObject.GDI32(00000000), ref: 001CA757
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
            • String ID:
            • API String ID: 2819616528-0
            • Opcode ID: d461113cbf5a654ec9405f319dd10292b7094dc41c296e061a75a6e25eeaaf54
            • Instruction ID: a7a9dfe036645fadfb96672c544188d7138ad37250e53c53c8c8473eb7438351
            • Opcode Fuzzy Hash: d461113cbf5a654ec9405f319dd10292b7094dc41c296e061a75a6e25eeaaf54
            • Instruction Fuzzy Hash: FB515974A00309AFDB24DF24DC85FAA7BB5EB58310F50452CF906976A0DB71ED91DBA0
            Function 00199B50 Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 0019AE57: GetWindowThreadProcessId.USER32(?,00000000), ref: 0019AE77
              • Part of subcall function 0019AE57: GetCurrentThreadId.KERNEL32 ref: 0019AE7E
              • Part of subcall function 0019AE57: AttachThreadInput.USER32(00000000,?,00199B65,?,00000001), ref: 0019AE85
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00199B70
            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00199B8D
            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00199B90
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00199B99
            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00199BB7
            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00199BBA
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00199BC3
            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00199BDA
            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00199BDD
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
            • String ID:
            • API String ID: 2014098862-0
            • Opcode ID: 6dcc998dec756fa22432522638eb62557d1e173537640a90006f7b4c883a627e
            • Instruction ID: 542958ba49363ba91da59299e7695b19501c33c4d8b6657274a202272686bb1f
            • Opcode Fuzzy Hash: 6dcc998dec756fa22432522638eb62557d1e173537640a90006f7b4c883a627e
            • Instruction Fuzzy Hash: D8110871550218BEFA106F64DC49F6A3F1EDF4C755F510429F244AB4A0CAF39C51DAA4
            Function 00198E03 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON
            Download Yara Rule
            APIs
            • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00198A84,00000B00,?,?), ref: 00198E0C
            • HeapAlloc.KERNEL32(00000000,?,00198A84,00000B00,?,?), ref: 00198E13
            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00198A84,00000B00,?,?), ref: 00198E28
            • GetCurrentProcess.KERNEL32(?,00000000,?,00198A84,00000B00,?,?), ref: 00198E30
            • DuplicateHandle.KERNEL32(00000000,?,00198A84,00000B00,?,?), ref: 00198E33
            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00198A84,00000B00,?,?), ref: 00198E43
            • GetCurrentProcess.KERNEL32(00198A84,00000000,?,00198A84,00000B00,?,?), ref: 00198E4B
            • DuplicateHandle.KERNEL32(00000000,?,00198A84,00000B00,?,?), ref: 00198E4E
            • CreateThread.KERNEL32(00000000,00000000,00198E74,00000000,00000000,00000000), ref: 00198E68
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
            • String ID:
            • API String ID: 1957940570-0
            • Opcode ID: 67d3fbfea285093868ce34630445bb537842491cb17e48fcb17ebe5d83b61ed4
            • Instruction ID: 3d6e07d9afa8af9edfcc8a5000e8aea27922233834248496ee46cb2478f3ed55
            • Opcode Fuzzy Hash: 67d3fbfea285093868ce34630445bb537842491cb17e48fcb17ebe5d83b61ed4
            • Instruction Fuzzy Hash: A001A4B5240308FFEA10ABA5DC49F6B7BADEB89711F044425FA05DB6A1CA70D8418A20
            Function 001B9428 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 263COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Variant$ClearInit$_memset
            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
            • API String ID: 2862541840-625585964
            • Opcode ID: b9f896042b459c76c16a40b63ca76c17aa2e66794be4092b7bb062314634f246
            • Instruction ID: a1e506fa0baef402845f629fb0adac761ffff70f2fceb706ef7e79b7aca5f4a5
            • Opcode Fuzzy Hash: b9f896042b459c76c16a40b63ca76c17aa2e66794be4092b7bb062314634f246
            • Instruction Fuzzy Hash: 80919171A00219ABDF24DFA5CC44FEEBBB8EF45710F10815AF615AB290D7749946CFA0
            Function 001B9A72 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00197652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0019758C,80070057,?,?,?,0019799D), ref: 0019766F
              • Part of subcall function 00197652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0019758C,80070057,?,?), ref: 0019768A
              • Part of subcall function 00197652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0019758C,80070057,?,?), ref: 00197698
              • Part of subcall function 00197652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0019758C,80070057,?), ref: 001976A8
            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 001B9B1B
            • _memset.LIBCMT ref: 001B9B28
            • _memset.LIBCMT ref: 001B9C6B
            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 001B9C97
            • CoTaskMemFree.OLE32(?), ref: 001B9CA2
            Strings
            • NULL Pointer assignment, xrefs: 001B9CF0
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
            • String ID: NULL Pointer assignment
            • API String ID: 1300414916-2785691316
            • Opcode ID: 5ad7a988ef36ac9c90b61fcfd4a2590e54fa1662464d1f9f3a1b4a5868daef71
            • Instruction ID: f98f0a07ada8666001f7735a4c4616461ed8c60933e99a66c3a963e4afdea087
            • Opcode Fuzzy Hash: 5ad7a988ef36ac9c90b61fcfd4a2590e54fa1662464d1f9f3a1b4a5868daef71
            • Instruction Fuzzy Hash: 12914871D00229ABDF10DFA5DC84EDEBBB9EF18710F20415AF519A7291DB31AA45CFA0
            Function 001C6FEF Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 001C7093
            • SendMessageW.USER32(?,00001036,00000000,?), ref: 001C70A7
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 001C70C1
            • _wcscat.LIBCMT ref: 001C711C
            • SendMessageW.USER32(?,00001057,00000000,?), ref: 001C7133
            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 001C7161
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$Window_wcscat
            • String ID: SysListView32
            • API String ID: 307300125-78025650
            • Opcode ID: ab3bb28ff2806c350d0b484b94529e7919feec0211394660520b544a872e204c
            • Instruction ID: ff4534fd0fc1c4d67c3f2a24480b9b146e1ae2ff39b7d092422e3dbffe5be688
            • Opcode Fuzzy Hash: ab3bb28ff2806c350d0b484b94529e7919feec0211394660520b544a872e204c
            • Instruction Fuzzy Hash: CD418071A04308ABDB219FA4CC85FEE77A9EF18350F10452EF544A72D2D7B1DD958B50
            Function 001BEC47 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 001A3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 001A3EB6
              • Part of subcall function 001A3E91: Process32FirstW.KERNEL32(00000000,?), ref: 001A3EC4
              • Part of subcall function 001A3E91: CloseHandle.KERNEL32(00000000), ref: 001A3F8E
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 001BECB8
            • GetLastError.KERNEL32 ref: 001BECCB
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 001BECFA
            • TerminateProcess.KERNEL32(00000000,00000000), ref: 001BED77
            • GetLastError.KERNEL32(00000000), ref: 001BED82
            • CloseHandle.KERNEL32(00000000), ref: 001BEDB7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
            • String ID: SeDebugPrivilege
            • API String ID: 2533919879-2896544425
            • Opcode ID: 7ef01f5ffc8ffac78673c6c0f5bdc2180b8980e4dc166ab2cc0790a1acaad3ca
            • Instruction ID: 81013515fc595777f33542f1960df8e4ac7f7bb0dff3b901a0421a4e81b8f069
            • Opcode Fuzzy Hash: 7ef01f5ffc8ffac78673c6c0f5bdc2180b8980e4dc166ab2cc0790a1acaad3ca
            • Instruction Fuzzy Hash: FB41AB71200201AFDB14EF64CC95FAEBBA1AF90714F18845DF8429B2D2DBB5A845CB96
            Function 001A3226 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON
            Download Yara Rule
            APIs
            • LoadIconW.USER32(00000000,00007F03), ref: 001A32C5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: IconLoad
            • String ID: blank$info$question$stop$warning
            • API String ID: 2457776203-404129466
            • Opcode ID: 749cfe8d7ba0161bdc109af480b6e358bec48a68c3076a271a6c66c14bb664d0
            • Instruction ID: be39be8e279e2b18f5c0d5d694ba3879659ce068016863cb81778ace99e1acca
            • Opcode Fuzzy Hash: 749cfe8d7ba0161bdc109af480b6e358bec48a68c3076a271a6c66c14bb664d0
            • Instruction Fuzzy Hash: 2611277920834ABAE7055B54DC43F7AB79CDF1B370F20002BF524A6181E7656B4145B5
            Function 001A4534 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON
            Download Yara Rule
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 001A454E
            • LoadStringW.USER32(00000000), ref: 001A4555
            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 001A456B
            • LoadStringW.USER32(00000000), ref: 001A4572
            • _wprintf.LIBCMT ref: 001A4598
            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 001A45B6
            Strings
            • %s (%d) : ==> %s: %s %s, xrefs: 001A4593
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: HandleLoadModuleString$Message_wprintf
            • String ID: %s (%d) : ==> %s: %s %s
            • API String ID: 3648134473-3128320259
            • Opcode ID: 70d8f13561b3c29453bc92afdb6e6a6486de3db215074d7b54748213329a2fe0
            • Instruction ID: 49a496cc3380110ff2edc57d4ee87b65bb7c09c416b3f9b4c6733ceae4674926
            • Opcode Fuzzy Hash: 70d8f13561b3c29453bc92afdb6e6a6486de3db215074d7b54748213329a2fe0
            • Instruction Fuzzy Hash: 6F014FF690021CBFE710A7A09D89EE6776DD708301F0005A9BB45E2451EA749E868B74
            Function 001CD74C Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00142612: GetWindowLongW.USER32(?,000000EB), ref: 00142623
            • GetSystemMetrics.USER32(0000000F), ref: 001CD78A
            • GetSystemMetrics.USER32(0000000F), ref: 001CD7AA
            • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 001CD9E5
            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 001CDA03
            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 001CDA24
            • ShowWindow.USER32(00000003,00000000), ref: 001CDA43
            • InvalidateRect.USER32(?,00000000,00000001), ref: 001CDA68
            • DefDlgProcW.USER32(?,00000005,?,?), ref: 001CDA8B
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
            • String ID:
            • API String ID: 1211466189-0
            • Opcode ID: 752fc78a4b4de97a8fd6ee67bf5c9e0ec2e99c2c9462cf46f39893b22c2a50a4
            • Instruction ID: 2b886e0230bd2abf5b5a5632caeb913c8935bc5f1307fd145fe0b61fe408bd33
            • Opcode Fuzzy Hash: 752fc78a4b4de97a8fd6ee67bf5c9e0ec2e99c2c9462cf46f39893b22c2a50a4
            • Instruction Fuzzy Hash: 19B18775600225ABDF18CF68D989BBD7BB2BF18700F09807DEC489B699D734E990CB50
            Function 00142A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON
            Download Yara Rule
            APIs
            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0017C417,00000004,00000000,00000000,00000000), ref: 00142ACF
            • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,0017C417,00000004,00000000,00000000,00000000,000000FF), ref: 00142B17
            • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,0017C417,00000004,00000000,00000000,00000000), ref: 0017C46A
            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,0017C417,00000004,00000000,00000000,00000000), ref: 0017C4D6
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ShowWindow
            • String ID:
            • API String ID: 1268545403-0
            • Opcode ID: 7ab2476a088f64db26a808aee3582a8ce2f3943d87dc5aebf14eb2bf0a78d61f
            • Instruction ID: 9497964391c994e9f34ec82656266683d27cdfed1b095fc74489cce33c6bca1c
            • Opcode Fuzzy Hash: 7ab2476a088f64db26a808aee3582a8ce2f3943d87dc5aebf14eb2bf0a78d61f
            • Instruction Fuzzy Hash: 3241E6312087809AC7398B289C9CB7A7BA2AB96310FB5C81DF84B87D71C77598C6D751
            Function 001A7368 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON
            Download Yara Rule
            APIs
            • InterlockedExchange.KERNEL32(?,000001F5), ref: 001A737F
              • Part of subcall function 00160FF6: std::exception::exception.LIBCMT ref: 0016102C
              • Part of subcall function 00160FF6: __CxxThrowException@8.LIBCMT ref: 00161041
            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 001A73B6
            • EnterCriticalSection.KERNEL32(?), ref: 001A73D2
            • _memmove.LIBCMT ref: 001A7420
            • _memmove.LIBCMT ref: 001A743D
            • LeaveCriticalSection.KERNEL32(?), ref: 001A744C
            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 001A7461
            • InterlockedExchange.KERNEL32(?,000001F6), ref: 001A7480
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
            • String ID:
            • API String ID: 256516436-0
            • Opcode ID: c11838e77266d1d1dc6d2c3a15b16574f86c59a8cae1176f7748a5a8103b1772
            • Instruction ID: bafdd844dc4af21b99d29d12f6243a6948fe603fe936f0c48bfeec9e6723dc74
            • Opcode Fuzzy Hash: c11838e77266d1d1dc6d2c3a15b16574f86c59a8cae1176f7748a5a8103b1772
            • Instruction Fuzzy Hash: 5A315C75904205EBCF10DF68DC85EAFBBB8EF49710B1541A9F904AB286DB30DA55CBA0
            Function 001C6442 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON
            Download Yara Rule
            APIs
            • DeleteObject.GDI32(00000000), ref: 001C645A
            • GetDC.USER32(00000000), ref: 001C6462
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001C646D
            • ReleaseDC.USER32(00000000,00000000), ref: 001C6479
            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 001C64B5
            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 001C64C6
            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,001C9299,?,?,000000FF,00000000,?,000000FF,?), ref: 001C6500
            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 001C6520
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
            • String ID:
            • API String ID: 3864802216-0
            • Opcode ID: f92ff5ea646486dfa75f10f39150496108ce1ae401c9c1adff927203f2866fa6
            • Instruction ID: f5c95a1258494e81f3e4c55ab23595ecb22f4bbf6e0f894916b74578a9cbf46e
            • Opcode Fuzzy Hash: f92ff5ea646486dfa75f10f39150496108ce1ae401c9c1adff927203f2866fa6
            • Instruction Fuzzy Hash: 3F317176101214BFEB118F50CC4AFEA3FAAEF19761F044069FE089A291D775DC42CB64
            Function 0019C072 Relevance: 12.1, APIs: 8, Instructions: 92COMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            • Opcode ID: dea7491aa36f6abc1bf2ca4a8b5162fcd136d01b0cfa38c3ceb4efc3574750bd
            • Instruction ID: 4c53b03b4627b7e222291f632e9c774c98a74a756a2fdf7fef1e44467d9b598a
            • Opcode Fuzzy Hash: dea7491aa36f6abc1bf2ca4a8b5162fcd136d01b0cfa38c3ceb4efc3574750bd
            • Instruction Fuzzy Hash: 9721A179A01205BBEA14A921CD46FBF339DAF303A4F0C4021FD8596382E7A1DE2186F5
            Function 001AED8E Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00149997: __itow.LIBCMT ref: 001499C2
              • Part of subcall function 00149997: __swprintf.LIBCMT ref: 00149A0C
              • Part of subcall function 0015FEC6: _wcscpy.LIBCMT ref: 0015FEE9
            • _wcstok.LIBCMT ref: 001AEEFF
            • _wcscpy.LIBCMT ref: 001AEF8E
            • _memset.LIBCMT ref: 001AEFC1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _wcscpy$__itow__swprintf_memset_wcstok
            • String ID: X
            • API String ID: 774024439-3081909835
            • Opcode ID: 7e9d4aa72bfafa371d722b781f618796b63b2fb4188ac8b2bd3e0b015a9424ab
            • Instruction ID: 420b1bd40d17b2b55b71aee4f75a30e03640a6a03fb3f83137467b445646749c
            • Opcode Fuzzy Hash: 7e9d4aa72bfafa371d722b781f618796b63b2fb4188ac8b2bd3e0b015a9424ab
            • Instruction Fuzzy Hash: 27C18C756083009FCB24EF64C981A6BB7E5FF95310F14492DF8999B2A2DB30ED45CB92
            Function 00141424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8fbf617021fe72651ba12290769e46cb5b7c737e3d3cff4906cafcb6d78895fa
            • Instruction ID: cf3dcda71c79a6a72abbf63ebb08fe40ce0d4bf88954d95bc4247207f35192b4
            • Opcode Fuzzy Hash: 8fbf617021fe72651ba12290769e46cb5b7c737e3d3cff4906cafcb6d78895fa
            • Instruction Fuzzy Hash: 7E715C71904109FFCB14DF98CC89EBEBB79FF85314F248159F915AA261C734AA91CBA0
            Function 001B6E8A Relevance: 10.7, APIs: 7, Instructions: 212COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 1d53c804a0971d24de0af43baf849ab4ea5267c4b1185c8caeeaee9845da2978
            • Instruction ID: 0c4a3a2b9f46a168c1c7c0697e6cff3c798eae8a28effdef46aa9dfacccc1086
            • Opcode Fuzzy Hash: 1d53c804a0971d24de0af43baf849ab4ea5267c4b1185c8caeeaee9845da2978
            • Instruction Fuzzy Hash: C3619A72508300ABC710EB24CC86EAFB7A9AFA5714F14491DF556972E2DB70ED05CBA2
            Function 001CB60B Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON
            Download Yara Rule
            APIs
            • IsWindow.USER32(00BC7200), ref: 001CB6A5
            • IsWindowEnabled.USER32(00BC7200), ref: 001CB6B1
            • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 001CB795
            • SendMessageW.USER32(00BC7200,000000B0,?,?), ref: 001CB7CC
            • IsDlgButtonChecked.USER32(?,?), ref: 001CB809
            • GetWindowLongW.USER32(00BC7200,000000EC), ref: 001CB82B
            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 001CB843
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
            • String ID:
            • API String ID: 4072528602-0
            • Opcode ID: c646258579b51bc2f4ecf7adf3994dcf0cfd8b2090227c4eeb8e8f8de344f7b3
            • Instruction ID: 7974a7ed93dcdcdd5a2b3c1afd844dd3e36b6d15dbaf43fd81aa236e6c8e5cc4
            • Opcode Fuzzy Hash: c646258579b51bc2f4ecf7adf3994dcf0cfd8b2090227c4eeb8e8f8de344f7b3
            • Instruction Fuzzy Hash: A9718A74608314AFDB259F64C8DAFAABBB9EB69300F14406DE945D72A1C731E891CB50
            Function 001BF732 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON
            Download Yara Rule
            APIs
            • _memset.LIBCMT ref: 001BF75C
            • _memset.LIBCMT ref: 001BF825
            • ShellExecuteExW.SHELL32(?), ref: 001BF86A
              • Part of subcall function 00149997: __itow.LIBCMT ref: 001499C2
              • Part of subcall function 00149997: __swprintf.LIBCMT ref: 00149A0C
              • Part of subcall function 0015FEC6: _wcscpy.LIBCMT ref: 0015FEE9
            • GetProcessId.KERNEL32(00000000), ref: 001BF8E1
            • CloseHandle.KERNEL32(00000000), ref: 001BF910
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
            • String ID: @
            • API String ID: 3522835683-2766056989
            • Opcode ID: 014415c63433914ca61ab59e4fa485b202923d25fe339007ca7a21cfe9979029
            • Instruction ID: eadcf1abe9aab273b8e790975d8471192eabcc223b4ed175d2052ae655e2fac3
            • Opcode Fuzzy Hash: 014415c63433914ca61ab59e4fa485b202923d25fe339007ca7a21cfe9979029
            • Instruction Fuzzy Hash: 93618F75A00619DFCF14DF64C885AAEBBF5FF58314B14846DE85AAB361CB30AE41CB90
            Function 001A145D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON
            Download Yara Rule
            APIs
            • GetParent.USER32(?), ref: 001A149C
            • GetKeyboardState.USER32(?), ref: 001A14B1
            • SetKeyboardState.USER32(?), ref: 001A1512
            • PostMessageW.USER32(?,00000101,00000010,?), ref: 001A1540
            • PostMessageW.USER32(?,00000101,00000011,?), ref: 001A155F
            • PostMessageW.USER32(?,00000101,00000012,?), ref: 001A15A5
            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 001A15C8
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            • Opcode ID: 5cd15a6587bb3ce065850eaa65c2e73e718d771df9ba48828a8ea13baa8392c6
            • Instruction ID: 50f8a8b7e246c1ca98216f4c02e734e74e115e2eaef659b1dd8068cef9470500
            • Opcode Fuzzy Hash: 5cd15a6587bb3ce065850eaa65c2e73e718d771df9ba48828a8ea13baa8392c6
            • Instruction Fuzzy Hash: DA51E3A4A047D53EFB3646788C45BBABEAA5B47304F0C8589E5D9868C3C3D4ECC8D750
            Function 001A1276 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON
            Download Yara Rule
            APIs
            • GetParent.USER32(00000000), ref: 001A12B5
            • GetKeyboardState.USER32(?), ref: 001A12CA
            • SetKeyboardState.USER32(?), ref: 001A132B
            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 001A1357
            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 001A1374
            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 001A13B8
            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 001A13D9
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            • Opcode ID: d4d204bdbbef7d4689919c40506a7970d72ac8ac80b2896d0a0730bd66c76069
            • Instruction ID: 03832917318b5b4f43bfd502b602cf50e047d6fb2f3d7990fd0950bb31fda67a
            • Opcode Fuzzy Hash: d4d204bdbbef7d4689919c40506a7970d72ac8ac80b2896d0a0730bd66c76069
            • Instruction Fuzzy Hash: 2551E4A59447D53DFB3287348C55BBABFA96F07310F088589E1D48ACC2D395EC98D760
            Function 001A589F Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _wcsncpy$LocalTime
            • String ID:
            • API String ID: 2945705084-0
            • Opcode ID: 94f57ff30672aaa011eb094912774006005465caee1762d1f0155fe7ed325dae
            • Instruction ID: ba8410a1850e669638a72828179d84e44b2095658ca270506a23665654c88483
            • Opcode Fuzzy Hash: 94f57ff30672aaa011eb094912774006005465caee1762d1f0155fe7ed325dae
            • Instruction Fuzzy Hash: AD41A4A9D2062876CB10EBB4CC869CFB3A9AF15310F508566F518E3161F734E725C7A9
            Function 001A38AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 001A48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,001A38D3,?), ref: 001A48C7
              • Part of subcall function 001A48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,001A38D3,?), ref: 001A48E0
            • lstrcmpiW.KERNEL32(?,?), ref: 001A38F3
            • _wcscmp.LIBCMT ref: 001A390F
            • MoveFileW.KERNEL32(?,?), ref: 001A3927
            • _wcscat.LIBCMT ref: 001A396F
            • SHFileOperationW.SHELL32(?), ref: 001A39DB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
            • String ID: \*.*
            • API String ID: 1377345388-1173974218
            • Opcode ID: a06d0fde65c8b6f08e9e3d3b65e5a89cb7eb097fb12f072d95b97dc459121a82
            • Instruction ID: ea354d375e121e4e7057ff276fe453b5009aae25b620588831bda4750a259bc7
            • Opcode Fuzzy Hash: a06d0fde65c8b6f08e9e3d3b65e5a89cb7eb097fb12f072d95b97dc459121a82
            • Instruction Fuzzy Hash: 894191B55083449EC751EF64C881AEFB7E8AF99344F10192EF499C3151EB74D688C752
            Function 001C7500 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON
            Download Yara Rule
            APIs
            • _memset.LIBCMT ref: 001C7519
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001C75C0
            • IsMenu.USER32(?), ref: 001C75D8
            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 001C7620
            • DrawMenuBar.USER32 ref: 001C7633
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Menu$Item$DrawInfoInsert_memset
            • String ID: 0
            • API String ID: 3866635326-4108050209
            • Opcode ID: 17dbb987c481e20d3cbdbb50f023ae0cc491816f2216dd45d0e28470df224844
            • Instruction ID: 901de41b8b27d37dcade3c6400efabd106b0645a07bda4e7c6cb7ef92f65589f
            • Opcode Fuzzy Hash: 17dbb987c481e20d3cbdbb50f023ae0cc491816f2216dd45d0e28470df224844
            • Instruction Fuzzy Hash: C04125B5A04609AFEB20DF54E884E9ABBF9FB18310F04812DE9159B290D770ED55CFA0
            Function 001C122D Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON
            Download Yara Rule
            APIs
            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 001C125C
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001C1286
            • FreeLibrary.KERNEL32(00000000), ref: 001C133D
              • Part of subcall function 001C122D: RegCloseKey.ADVAPI32(?), ref: 001C12A3
              • Part of subcall function 001C122D: FreeLibrary.KERNEL32(?), ref: 001C12F5
              • Part of subcall function 001C122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 001C1318
            • RegDeleteKeyW.ADVAPI32(?,?), ref: 001C12E0
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: EnumFreeLibrary$CloseDeleteOpen
            • String ID:
            • API String ID: 395352322-0
            • Opcode ID: f8674d62ffb15597433e91abce1ab4c0e5502c1b8615ea484a8b3786057e7010
            • Instruction ID: 67161c1c6e839a25499e8ea53b417f75b74d222d57dc9729775a22de81d86724
            • Opcode Fuzzy Hash: f8674d62ffb15597433e91abce1ab4c0e5502c1b8615ea484a8b3786057e7010
            • Instruction Fuzzy Hash: 713169B5940109BFDB14DB90DC89EFEBBBDEF19310F10416EF501E2542EB709E869AA0
            Function 001C653C Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 001C655B
            • GetWindowLongW.USER32(00BC7200,000000F0), ref: 001C658E
            • GetWindowLongW.USER32(00BC7200,000000F0), ref: 001C65C3
            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 001C65F5
            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 001C661F
            • GetWindowLongW.USER32(00000000,000000F0), ref: 001C6630
            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 001C664A
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: LongWindow$MessageSend
            • String ID:
            • API String ID: 2178440468-0
            • Opcode ID: 6e6888c9f6488cedd01c18c6ec9ec788f782351f8964e636f9e8b6f720f2738c
            • Instruction ID: 547afb2acf563d0102fb71153fba04ce296dc352b8e8df4dc6bee699b83ed28d
            • Opcode Fuzzy Hash: 6e6888c9f6488cedd01c18c6ec9ec788f782351f8964e636f9e8b6f720f2738c
            • Instruction Fuzzy Hash: 58312470604221AFDB20CF18EC89F653BE1FB6A354F2941A8F5018B2B6CB71EC95DB41
            Function 001B6486 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 001B80A0: inet_addr.WSOCK32(00000000), ref: 001B80CB
            • socket.WSOCK32(00000002,00000001,00000006), ref: 001B64D9
            • WSAGetLastError.WSOCK32(00000000), ref: 001B64E8
            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 001B6521
            • connect.WSOCK32(00000000,?,00000010), ref: 001B652A
            • WSAGetLastError.WSOCK32 ref: 001B6534
            • closesocket.WSOCK32(00000000), ref: 001B655D
            • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 001B6576
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
            • String ID:
            • API String ID: 910771015-0
            • Opcode ID: 23c4e00fc7b97b2c9a1dbe9f911a88ebc53280ec0f631a4dbe8e23426df42b84
            • Instruction ID: 670dfdf3dc3974abb6a5bb62a512df73e8a4be66f7832c52b4b08f23c28b50fa
            • Opcode Fuzzy Hash: 23c4e00fc7b97b2c9a1dbe9f911a88ebc53280ec0f631a4dbe8e23426df42b84
            • Instruction Fuzzy Hash: 9931BF31600218AFDB20AF24DC85FFE7BADEB54764F008069F909A7291CB74AD45CBA1
            Function 0019E0B5 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON
            Download Yara Rule
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0019E0FA
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0019E120
            • SysAllocString.OLEAUT32(00000000), ref: 0019E123
            • SysAllocString.OLEAUT32 ref: 0019E144
            • SysFreeString.OLEAUT32 ref: 0019E14D
            • StringFromGUID2.OLE32(?,?,00000028), ref: 0019E167
            • SysAllocString.OLEAUT32(?), ref: 0019E175
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
            • String ID:
            • API String ID: 3761583154-0
            • Opcode ID: 38bc43fadffeaf3d8f0379a5208b9866ba9d74317b2a9b8bec53f2ffcedda686
            • Instruction ID: 42e29a47cbe87bd437e4e8813d78f5ba7565126d89e0a7e017774a4e8a78fdf6
            • Opcode Fuzzy Hash: 38bc43fadffeaf3d8f0379a5208b9866ba9d74317b2a9b8bec53f2ffcedda686
            • Instruction Fuzzy Hash: FA213E35604208AFDF14DFA8DC88DAB77EDEB09760B148139F915CB260DB71DC818B64
            Function 0019FB6E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: __wcsnicmp
            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
            • API String ID: 1038674560-2734436370
            • Opcode ID: 1928739f5077dea98bc95c95f972e0129ad44e800578d5659a709b6e6db8f647
            • Instruction ID: 49f06c5519c9f43671652a3fcffdaa0782f00e8fe50f6ed05f5fd7632f4ee5f8
            • Opcode Fuzzy Hash: 1928739f5077dea98bc95c95f972e0129ad44e800578d5659a709b6e6db8f647
            • Instruction Fuzzy Hash: 0B214932204255B6DB34AA34DC12FA7B3D8EF61358F14843EFC86C7181EB61AD93D2A1
            Function 001C783C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00141D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00141D73
              • Part of subcall function 00141D35: GetStockObject.GDI32(00000011), ref: 00141D87
              • Part of subcall function 00141D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00141D91
            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 001C78A1
            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 001C78AE
            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001C78B9
            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 001C78C8
            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 001C78D4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$CreateObjectStockWindow
            • String ID: Msctls_Progress32
            • API String ID: 1025951953-3636473452
            • Opcode ID: 752e798af8808ccdb6104896fd1fd63cb3ff1d57f9b027201e6608faeea9e4a7
            • Instruction ID: d1c0ccb62cf0a34081cb207fd74ed016a4a2278ae9176dfe692ed32c202158ee
            • Opcode Fuzzy Hash: 752e798af8808ccdb6104896fd1fd63cb3ff1d57f9b027201e6608faeea9e4a7
            • Instruction Fuzzy Hash: 591190B2514219BFEF159F60CC86EE77F6DEF08758F014118BB04A20A0C7729C21DBA0
            Function 001641C9 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 24libraryloaderCOMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00164292,?), ref: 001641E3
            • GetProcAddress.KERNEL32(00000000), ref: 001641EA
            • EncodePointer.KERNEL32(00000000), ref: 001641F6
            • DecodePointer.KERNEL32(00000001,00164292,?), ref: 00164213
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
            • String ID: RoInitialize$combase.dll
            • API String ID: 3489934621-340411864
            • Opcode ID: ec2d71f035bf4b032226baf1778e03a28cce692f317f2c597ae44e6ebbd2a8a4
            • Instruction ID: d5dd9e4ddb8798dc9f542a4142aba8ea46edf7acb44f2f4061a812b589642362
            • Opcode Fuzzy Hash: ec2d71f035bf4b032226baf1778e03a28cce692f317f2c597ae44e6ebbd2a8a4
            • Instruction Fuzzy Hash: 5CE012F0690340AFEB207BB4FC0DF047AA6BB61B02F108428F625E55A1DBB580E6CF00
            Function 0016429E Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,001641B8), ref: 001642B8
            • GetProcAddress.KERNEL32(00000000), ref: 001642BF
            • EncodePointer.KERNEL32(00000000), ref: 001642CA
            • DecodePointer.KERNEL32(001641B8), ref: 001642E5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
            • String ID: RoUninitialize$combase.dll
            • API String ID: 3489934621-2819208100
            • Opcode ID: b11866203d438bc512fba751915cf39d85da3d4751abec8822e90b45c4f7ccf0
            • Instruction ID: d3c6b27e57ca2213340bf5b71825bdf5775eff803f5f582bd12414ceca02348f
            • Opcode Fuzzy Hash: b11866203d438bc512fba751915cf39d85da3d4751abec8822e90b45c4f7ccf0
            • Instruction Fuzzy Hash: 26E0B6B8581300AFEB10AB61FC0DF057EA6B724B42F20802DF215E15A1CBF48595CA14
            Function 001A675A Relevance: 9.2, APIs: 6, Instructions: 205COMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memmove$__itow__swprintf
            • String ID:
            • API String ID: 3253778849-0
            • Opcode ID: cb1dd912e883e8d9c29446e36cc817b48adc01cf96968c0a1b7864e8d4a650fe
            • Instruction ID: a56a1a1cb6afee92e91e58b6dfd924e4e1c0fdf1ec960c72c6ccb5ffd8ec93f2
            • Opcode Fuzzy Hash: cb1dd912e883e8d9c29446e36cc817b48adc01cf96968c0a1b7864e8d4a650fe
            • Instruction Fuzzy Hash: 0761F13450425AAFCF15EF60CC82EFF37A9AF65308F094519F85A5B2A2DB34AC11CB90
            Function 001C046F Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82
              • Part of subcall function 001C10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001C0038,?,?), ref: 001C10BC
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001C0548
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001C0588
            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 001C05AB
            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 001C05D4
            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 001C0617
            • RegCloseKey.ADVAPI32(00000000), ref: 001C0624
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
            • String ID:
            • API String ID: 4046560759-0
            • Opcode ID: 5bb498acfa9b8ce50b853f0e01ae3c16bad5a7affb624b2e65e2342c94726d22
            • Instruction ID: d66c4f0a323d867e4f3faa4408c2850287fb7eccd96e649d9d2744af713be4d1
            • Opcode Fuzzy Hash: 5bb498acfa9b8ce50b853f0e01ae3c16bad5a7affb624b2e65e2342c94726d22
            • Instruction Fuzzy Hash: 70515631208200EFCB15EF64C885E6BBBE9FFA9714F04492DF495872A2DB31E915CB52
            Function 001C5A20 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON
            Download Yara Rule
            APIs
            • GetMenu.USER32(?), ref: 001C5A82
            • GetMenuItemCount.USER32(00000000), ref: 001C5AB9
            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 001C5AE1
            • GetMenuItemID.USER32(?,?), ref: 001C5B50
            • GetSubMenu.USER32(?,?), ref: 001C5B5E
            • PostMessageW.USER32(?,00000111,?,00000000), ref: 001C5BAF
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Menu$Item$CountMessagePostString
            • String ID:
            • API String ID: 650687236-0
            • Opcode ID: 69d8ac814bcb0d2bf71e28d931caa38d9de933c5d04373b82445923767f56046
            • Instruction ID: ba1e431e8fa8dcbfe0f8fea1693d4dd2d09ed92fb7b4827aab7df46e20a6a882
            • Opcode Fuzzy Hash: 69d8ac814bcb0d2bf71e28d931caa38d9de933c5d04373b82445923767f56046
            • Instruction Fuzzy Hash: 02515C35A00625AFCF159F64C845FAEBBB6EF68310F144469E812A7351CB70FE818B90
            Function 0019F3DD Relevance: 9.2, APIs: 6, Instructions: 159COMMON
            Download Yara Rule
            APIs
            • VariantInit.OLEAUT32(?), ref: 0019F3F7
            • VariantClear.OLEAUT32(00000013), ref: 0019F469
            • VariantClear.OLEAUT32(00000000), ref: 0019F4C4
            • _memmove.LIBCMT ref: 0019F4EE
            • VariantClear.OLEAUT32(?), ref: 0019F53B
            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 0019F569
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Variant$Clear$ChangeInitType_memmove
            • String ID:
            • API String ID: 1101466143-0
            • Opcode ID: 79dfc8bd63bb02554e1689d166944cd0165fe51173db54ad666276c0ae7c85ea
            • Instruction ID: 714d25d5fd1512d8d46509a3d76f89f54f249525b24b64bb4fd7e5524eb52d33
            • Opcode Fuzzy Hash: 79dfc8bd63bb02554e1689d166944cd0165fe51173db54ad666276c0ae7c85ea
            • Instruction Fuzzy Hash: 03515BB5A00209EFDB14CF58D884EAAB7B9FF48314B15816DE959DB310D730E952CBA0
            Function 001A26F9 Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON
            Download Yara Rule
            APIs
            • _memset.LIBCMT ref: 001A2747
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 001A2792
            • IsMenu.USER32(00000000), ref: 001A27B2
            • CreatePopupMenu.USER32 ref: 001A27E6
            • GetMenuItemCount.USER32(000000FF), ref: 001A2844
            • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 001A2875
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
            • String ID:
            • API String ID: 3311875123-0
            • Opcode ID: 3c25cc3c5f67b49dd18e4387ec4ad40ad3a68d95e9dc843dcb7d2564768b4aba
            • Instruction ID: 81974f4a7c6740cbe54de8d0b9277e501f5e170351ebc4bf44aa524bb83c3e4e
            • Opcode Fuzzy Hash: 3c25cc3c5f67b49dd18e4387ec4ad40ad3a68d95e9dc843dcb7d2564768b4aba
            • Instruction Fuzzy Hash: E751C278A00309EFDF25CFACD988BAEBBF5AF56314F104169F8119B291D7788944CB51
            Function 00141765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00142612: GetWindowLongW.USER32(?,000000EB), ref: 00142623
            • BeginPaint.USER32(?,?,?,?,?,?), ref: 0014179A
            • GetWindowRect.USER32(?,?), ref: 001417FE
            • ScreenToClient.USER32(?,?), ref: 0014181B
            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0014182C
            • EndPaint.USER32(?,?), ref: 00141876
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: PaintWindow$BeginClientLongRectScreenViewport
            • String ID:
            • API String ID: 1827037458-0
            • Opcode ID: f59615542df2c877e3cf513396bbb219f89d23f9a154838b389aae6992874c9c
            • Instruction ID: c35abf366ecf398d7644b15f2daf6097f1ba0ad7bec55a480d0ac9d911e19f5c
            • Opcode Fuzzy Hash: f59615542df2c877e3cf513396bbb219f89d23f9a154838b389aae6992874c9c
            • Instruction Fuzzy Hash: 60418C71104301AFD711DF24D888FBA7BF9EB59724F144629F998872B2C7319889DB61
            Function 001CB958 Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON
            Download Yara Rule
            APIs
            • ShowWindow.USER32(002067B0,00000000,00BC7200,?,?,002067B0,?,001CB862,?,?), ref: 001CB9CC
            • EnableWindow.USER32(00000000,00000000), ref: 001CB9F0
            • ShowWindow.USER32(002067B0,00000000,00BC7200,?,?,002067B0,?,001CB862,?,?), ref: 001CBA50
            • ShowWindow.USER32(00000000,00000004,?,001CB862,?,?), ref: 001CBA62
            • EnableWindow.USER32(00000000,00000001), ref: 001CBA86
            • SendMessageW.USER32(?,0000130C,?,00000000), ref: 001CBAA9
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$Show$Enable$MessageSend
            • String ID:
            • API String ID: 642888154-0
            • Opcode ID: e4e8874fd62c5b8365ff602f08f0030f9bee885c7a677dd92da84edbed4eafbb
            • Instruction ID: 5245e6fb6ab3022e1950841801fd8ad1af9555299d370252e21f364766ed9e1c
            • Opcode Fuzzy Hash: e4e8874fd62c5b8365ff602f08f0030f9bee885c7a677dd92da84edbed4eafbb
            • Instruction Fuzzy Hash: 02415074604241AFDB25CF54C4CAF957BE1BB15314F1882BDEA48DF6A2C732E846CB51
            Function 001B73B1 Relevance: 9.1, APIs: 6, Instructions: 97COMMON
            Download Yara Rule
            APIs
            • GetForegroundWindow.USER32(?,?,?,?,?,?,001B5134,?,?,00000000,00000001), ref: 001B73BF
              • Part of subcall function 001B3C94: GetWindowRect.USER32(?,?), ref: 001B3CA7
            • GetDesktopWindow.USER32 ref: 001B73E9
            • GetWindowRect.USER32(00000000), ref: 001B73F0
            • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 001B7422
              • Part of subcall function 001A54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001A555E
            • GetCursorPos.USER32(?), ref: 001B744E
            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 001B74AC
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
            • String ID:
            • API String ID: 4137160315-0
            • Opcode ID: e9bbb2f6f544a1f3f94613d4baf2f86a39fd4ababdc72bd1e4ef556c740351db
            • Instruction ID: 14af65fe98f0861eadb2d293269a4e3abd72b210df60759ade6349837cc02722
            • Opcode Fuzzy Hash: e9bbb2f6f544a1f3f94613d4baf2f86a39fd4ababdc72bd1e4ef556c740351db
            • Instruction Fuzzy Hash: 3131D272508305ABD720DF54D849E9BBBAAFF89314F000929F58997191DB30EA49CB92
            Function 00198D5B Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 001985F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00198608
              • Part of subcall function 001985F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00198612
              • Part of subcall function 001985F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00198621
              • Part of subcall function 001985F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00198628
              • Part of subcall function 001985F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0019863E
            • GetLengthSid.ADVAPI32(?,00000000,00198977), ref: 00198DAC
            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00198DB8
            • HeapAlloc.KERNEL32(00000000), ref: 00198DBF
            • CopySid.ADVAPI32(00000000,00000000,?), ref: 00198DD8
            • GetProcessHeap.KERNEL32(00000000,00000000,00198977), ref: 00198DEC
            • HeapFree.KERNEL32(00000000), ref: 00198DF3
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
            • String ID:
            • API String ID: 3008561057-0
            • Opcode ID: 0954561b60f7be1985d06148751e7b455da49b787a27bee8720be5390a29d3c0
            • Instruction ID: 6c802b6fa555ce8711838fd19153a16af98fdcd3e20fafff4f82bac58ac3e52b
            • Opcode Fuzzy Hash: 0954561b60f7be1985d06148751e7b455da49b787a27bee8720be5390a29d3c0
            • Instruction Fuzzy Hash: 4911A932601605FFDF149FA4CC09FAE7BAAEF56315F14402EF84997291CB32A985CB60
            Function 00198AF9 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON
            Download Yara Rule
            APIs
            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00198B2A
            • OpenProcessToken.ADVAPI32(00000000), ref: 00198B31
            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00198B40
            • CloseHandle.KERNEL32(00000004), ref: 00198B4B
            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00198B7A
            • DestroyEnvironmentBlock.USERENV(00000000), ref: 00198B8E
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
            • String ID:
            • API String ID: 1413079979-0
            • Opcode ID: f6d2836199f9d39d3f76f212422cbba0d7d0416ba2d48b393dd77021b353d771
            • Instruction ID: 068b6a73229bba7871a03fd60ddb182f55c3b2050b94539e7a586cac49efe459
            • Opcode Fuzzy Hash: f6d2836199f9d39d3f76f212422cbba0d7d0416ba2d48b393dd77021b353d771
            • Instruction Fuzzy Hash: 79115CB2500249ABDF018FA4DD49FDA7BAAFF09704F084069FE05A2160C772CD61DB60
            Function 001CC19A Relevance: 9.0, APIs: 6, Instructions: 49COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 001412F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0014134D
              • Part of subcall function 001412F3: SelectObject.GDI32(?,00000000), ref: 0014135C
              • Part of subcall function 001412F3: BeginPath.GDI32(?), ref: 00141373
              • Part of subcall function 001412F3: SelectObject.GDI32(?,00000000), ref: 0014139C
            • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 001CC1C4
            • LineTo.GDI32(00000000,00000003,?), ref: 001CC1D8
            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 001CC1E6
            • LineTo.GDI32(00000000,00000000,?), ref: 001CC1F6
            • EndPath.GDI32(00000000), ref: 001CC206
            • StrokePath.GDI32(00000000), ref: 001CC216
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
            • String ID:
            • API String ID: 43455801-0
            • Opcode ID: 67747188dd18dc962b9a15b4ea8726fa446f563fe9a5c9d90eabc70a1c73db0d
            • Instruction ID: 8f4bb6e8d396c3f0d86f6cd0c74b62915451899bc50c1b7bcd7f93254a6f00bc
            • Opcode Fuzzy Hash: 67747188dd18dc962b9a15b4ea8726fa446f563fe9a5c9d90eabc70a1c73db0d
            • Instruction Fuzzy Hash: 1211DB7640014DBFDF119F94DC88FAA7FAEFB08354F048025FA189A1A1D7719DA5DBA0
            Function 001603A2 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON
            Download Yara Rule
            APIs
            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 001603D3
            • MapVirtualKeyW.USER32(00000010,00000000), ref: 001603DB
            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 001603E6
            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 001603F1
            • MapVirtualKeyW.USER32(00000011,00000000), ref: 001603F9
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00160401
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Virtual
            • String ID:
            • API String ID: 4278518827-0
            • Opcode ID: 08e059fff13d3f8eca6d0dc40b0c97844d505f67b8376da72f15b2fda6d04c01
            • Instruction ID: 0e9b6e567b3288db49fe8121ccfd6c834a8b7c6b18c2605b806fd664030a910a
            • Opcode Fuzzy Hash: 08e059fff13d3f8eca6d0dc40b0c97844d505f67b8376da72f15b2fda6d04c01
            • Instruction Fuzzy Hash: 17016CB09017597DE3008F5A8C85B52FFA8FF19354F00411FA15C47941C7F5A864CBE5
            Function 001A568B Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON
            Download Yara Rule
            APIs
            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 001A569B
            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 001A56B1
            • GetWindowThreadProcessId.USER32(?,?), ref: 001A56C0
            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001A56CF
            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001A56D9
            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 001A56E0
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
            • String ID:
            • API String ID: 839392675-0
            • Opcode ID: db7ba6f87729ebb666c5286d38df8158507239eec73d25523fe3faa432c6af5d
            • Instruction ID: d3f0b0cdf2c0b4c022609b1766f7beeca4420b6584d9a5d9bc280b99b2d8ffb7
            • Opcode Fuzzy Hash: db7ba6f87729ebb666c5286d38df8158507239eec73d25523fe3faa432c6af5d
            • Instruction Fuzzy Hash: BFF06D32241168BBE3205BA29C0DEEB7E7DEBC6B11F00016DFA04D105097A19A42C6B5
            Function 001A74D2 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • InterlockedExchange.KERNEL32(?,?), ref: 001A74E5
            • EnterCriticalSection.KERNEL32(?,?,00151044,?,?), ref: 001A74F6
            • TerminateThread.KERNEL32(00000000,000001F6,?,00151044,?,?), ref: 001A7503
            • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00151044,?,?), ref: 001A7510
              • Part of subcall function 001A6ED7: CloseHandle.KERNEL32(00000000,?,001A751D,?,00151044,?,?), ref: 001A6EE1
            • InterlockedExchange.KERNEL32(?,000001F6), ref: 001A7523
            • LeaveCriticalSection.KERNEL32(?,?,00151044,?,?), ref: 001A752A
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
            • String ID:
            • API String ID: 3495660284-0
            • Opcode ID: 6c2a41e9b5edd943fecb3f00e64f8e8178aa2556c1c872e1c51e249b8b8129bc
            • Instruction ID: d9306ad73b42a028f3fbc4aa25a1ad682747730407efa59b49ef5eaa47ac094e
            • Opcode Fuzzy Hash: 6c2a41e9b5edd943fecb3f00e64f8e8178aa2556c1c872e1c51e249b8b8129bc
            • Instruction Fuzzy Hash: 9FF03A3A540612EBDB121B64EC88DEA7B2AEF45302F04053AF202918A0CB75D982CA50
            Function 00198E74 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON
            Download Yara Rule
            APIs
            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00198E7F
            • UnloadUserProfile.USERENV(?,?), ref: 00198E8B
            • CloseHandle.KERNEL32(?), ref: 00198E94
            • CloseHandle.KERNEL32(?), ref: 00198E9C
            • GetProcessHeap.KERNEL32(00000000,?), ref: 00198EA5
            • HeapFree.KERNEL32(00000000), ref: 00198EAC
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
            • String ID:
            • API String ID: 146765662-0
            • Opcode ID: 2fcca122cbe746990e90c57e74b7c62ba2709a3a7b99a9113ab1866346ca214c
            • Instruction ID: b73eb9044e3a0ba93bf2749f0bd06a48f367ef733ecbeca382d5c82c4bcb2652
            • Opcode Fuzzy Hash: 2fcca122cbe746990e90c57e74b7c62ba2709a3a7b99a9113ab1866346ca214c
            • Instruction Fuzzy Hash: 0FE05276104545FBDA011FE6EC0CD5ABF6AFB89762B54863AF21981870CB3294A2DB50
            Function 001B8902 Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON
            Download Yara Rule
            APIs
            • VariantInit.OLEAUT32(?), ref: 001B8928
            • CharUpperBuffW.USER32(?,?), ref: 001B8A37
            • VariantClear.OLEAUT32(?), ref: 001B8BAF
              • Part of subcall function 001A7804: VariantInit.OLEAUT32(00000000), ref: 001A7844
              • Part of subcall function 001A7804: VariantCopy.OLEAUT32(00000000,?), ref: 001A784D
              • Part of subcall function 001A7804: VariantClear.OLEAUT32(00000000), ref: 001A7859
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Variant$ClearInit$BuffCharCopyUpper
            • String ID: AUTOIT.ERROR$Incorrect Parameter format
            • API String ID: 4237274167-1221869570
            • Opcode ID: 239c32b39813c850534b75ef24d0a1b67d70a726e9a2afaf2757addff9a96610
            • Instruction ID: 9392eeeac8477e00cbe845d98fd6013260145f3ad9f03ff37ec324b97a11e3d0
            • Opcode Fuzzy Hash: 239c32b39813c850534b75ef24d0a1b67d70a726e9a2afaf2757addff9a96610
            • Instruction Fuzzy Hash: BE919F716083019FCB04DF24C5809ABBBE8EFD9714F14496EF89A8B361DB30E946CB52
            Function 001A2F86 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 0015FEC6: _wcscpy.LIBCMT ref: 0015FEE9
            • _memset.LIBCMT ref: 001A3077
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001A30A6
            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 001A3159
            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 001A3187
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ItemMenu$Info$Default_memset_wcscpy
            • String ID: 0
            • API String ID: 4152858687-4108050209
            • Opcode ID: 6cd85fb58d47a397815f496f73dd1058edf1673d30b7a135dfe64d46e6a219c4
            • Instruction ID: 03a747018b17762bd390eee32dd5045af53c158713037ea44adf8e7cf9a8626d
            • Opcode Fuzzy Hash: 6cd85fb58d47a397815f496f73dd1058edf1673d30b7a135dfe64d46e6a219c4
            • Instruction Fuzzy Hash: 6451E3796083009FD7299F28D849B6BBBE4EF56320F044A2DF8A5D31E1DB70CE548792
            Function 0019DA5D Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 121comlibraryloaderCOMMON
            Download Yara Rule
            APIs
            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0019DAC5
            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0019DAFB
            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0019DB0C
            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 0019DB8E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ErrorMode$AddressCreateInstanceProc
            • String ID: DllGetClassObject
            • API String ID: 753597075-1075368562
            • Opcode ID: 35d228a4f639252d916916f578d629a0d9f95407ff57426d4307e9d37633c6cb
            • Instruction ID: 826a4551fd27f9cb643e905c12451f238a478ff6febbd7e9aaf2c30641f04117
            • Opcode Fuzzy Hash: 35d228a4f639252d916916f578d629a0d9f95407ff57426d4307e9d37633c6cb
            • Instruction Fuzzy Hash: B94160B1600208EFDF15CF65D885AAA7BB9EF45350F1680AEED069F205D7B1DD44CBA0
            Function 001A2C42 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON
            Download Yara Rule
            APIs
            • _memset.LIBCMT ref: 001A2CAF
            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 001A2CCB
            • DeleteMenu.USER32(?,00000007,00000000), ref: 001A2D11
            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00206890,00000000), ref: 001A2D5A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Menu$Delete$InfoItem_memset
            • String ID: 0
            • API String ID: 1173514356-4108050209
            • Opcode ID: 10a6819034aff0c912eeb910472bd07f0b1c3c9b3f761906fddcd0e1fbc8e105
            • Instruction ID: 41cfad4b102f803c5bf9548d3e6f27502eea9e0f1864fae4a7d7b93c5fc1c2f1
            • Opcode Fuzzy Hash: 10a6819034aff0c912eeb910472bd07f0b1c3c9b3f761906fddcd0e1fbc8e105
            • Instruction Fuzzy Hash: 61419F342043029FD724DF68C845F5ABBE8EF96320F14466DF966972E2D770E905CB92
            Function 001BDAB9 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON
            Download Yara Rule
            APIs
            • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 001BDAD9
              • Part of subcall function 001479AB: _memmove.LIBCMT ref: 001479F9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: BuffCharLower_memmove
            • String ID: cdecl$none$stdcall$winapi
            • API String ID: 3425801089-567219261
            • Opcode ID: 5d908c75e46b401119802c7c53a55a9cdddb61dabf73c84f31e3fffc980d5380
            • Instruction ID: f7f605fcef5f07fa5428a97b4f58de95c55f2556da4a4d922f6c1eca40af21a3
            • Opcode Fuzzy Hash: 5d908c75e46b401119802c7c53a55a9cdddb61dabf73c84f31e3fffc980d5380
            • Instruction Fuzzy Hash: AA31C371504619AFCF04EF94CD819FEB3B4FF55320B108A69E975A76E1DB31A906CB80
            Function 00199372 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82
              • Part of subcall function 0019B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0019B0E7
            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 001993F6
            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00199409
            • SendMessageW.USER32(?,00000189,?,00000000), ref: 00199439
              • Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$_memmove$ClassName
            • String ID: ComboBox$ListBox
            • API String ID: 365058703-1403004172
            • Opcode ID: ab354a78b2a20ea2e497e305d84fe146c9fe575e0272246b8a3c6146788272e7
            • Instruction ID: e771de9ffac10ab2bb3c5f10928ec9d198aec86a7c47126c9edb671f647b1d55
            • Opcode Fuzzy Hash: ab354a78b2a20ea2e497e305d84fe146c9fe575e0272246b8a3c6146788272e7
            • Instruction Fuzzy Hash: 832121B1900108BBDF18ABB8DC86CFFBB79DF55320B14412DF925972E1DB344A0A9660
            Function 001B1B21 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON
            Download Yara Rule
            APIs
            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001B1B40
            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 001B1B66
            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 001B1B96
            • InternetCloseHandle.WININET(00000000), ref: 001B1BDD
              • Part of subcall function 001B2777: GetLastError.KERNEL32(?,?,001B1B0B,00000000,00000000,00000001), ref: 001B278C
              • Part of subcall function 001B2777: SetEvent.KERNEL32(?,?,001B1B0B,00000000,00000000,00000001), ref: 001B27A1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
            • String ID:
            • API String ID: 3113390036-3916222277
            • Opcode ID: 2c538eff3e94f6b8c81e82952947f7a83518720c7efb373a7449ddb2246d17b0
            • Instruction ID: d75a4a0e7b7a2e3ab8f7eea473b6d28f7c72d6858177ef520119cbd70f395a48
            • Opcode Fuzzy Hash: 2c538eff3e94f6b8c81e82952947f7a83518720c7efb373a7449ddb2246d17b0
            • Instruction Fuzzy Hash: 9B21CDB2600208BFEB119F60CD95EFF7AFDEB59744F51412EF405A2240EB309E0997A1
            Function 001C6656 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00141D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00141D73
              • Part of subcall function 00141D35: GetStockObject.GDI32(00000011), ref: 00141D87
              • Part of subcall function 00141D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00141D91
            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 001C66D0
            • LoadLibraryW.KERNEL32(?), ref: 001C66D7
            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 001C66EC
            • DestroyWindow.USER32(?), ref: 001C66F4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
            • String ID: SysAnimate32
            • API String ID: 4146253029-1011021900
            • Opcode ID: 4ae0dffc38b04608d70dbb7a3bce775c6d7be598b9f40ad465c5def272a4ebf1
            • Instruction ID: 38c71c39b1eb4dc3aec386d8e538c05095c47a94fd44411490e3b2036b6fc9ac
            • Opcode Fuzzy Hash: 4ae0dffc38b04608d70dbb7a3bce775c6d7be598b9f40ad465c5def272a4ebf1
            • Instruction Fuzzy Hash: 2A219AB120021ABBEF104F64EC80FBB77ADEF69368F50462DFA10921A0D771CC919761
            Function 001A703E Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON
            Download Yara Rule
            APIs
            • GetStdHandle.KERNEL32(0000000C), ref: 001A705E
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001A7091
            • GetStdHandle.KERNEL32(0000000C), ref: 001A70A3
            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 001A70DD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CreateHandle$FilePipe
            • String ID: nul
            • API String ID: 4209266947-2873401336
            • Opcode ID: 0831fb12b5d15e06d1ac60186d1bf7c7ebbcf2666738f06f173360c8a5f63747
            • Instruction ID: cfc813ed5fae588afacc3de6b985db754bbe30d375df5c75a6b9025fa5ba3540
            • Opcode Fuzzy Hash: 0831fb12b5d15e06d1ac60186d1bf7c7ebbcf2666738f06f173360c8a5f63747
            • Instruction Fuzzy Hash: 94215178504309AFDB209F29DD05A9ABBA8AF57720F204A29FDA1D72D0E770DA518B50
            Function 001A710C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON
            Download Yara Rule
            APIs
            • GetStdHandle.KERNEL32(000000F6), ref: 001A712B
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 001A715D
            • GetStdHandle.KERNEL32(000000F6), ref: 001A716E
            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 001A71A8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CreateHandle$FilePipe
            • String ID: nul
            • API String ID: 4209266947-2873401336
            • Opcode ID: 58281964704e11c5b7be483886da6dcc10177dc1b84d8a9eea1abb976d1c2291
            • Instruction ID: fc6fa8a444fcbfebab367c44fca55300afc3b425be17f24d9f4b455de96dda99
            • Opcode Fuzzy Hash: 58281964704e11c5b7be483886da6dcc10177dc1b84d8a9eea1abb976d1c2291
            • Instruction Fuzzy Hash: EE2195796043059BDB209F68DC44EAAB7E8AF56730F200A19FDB1D72D0E770D941CB51
            Function 001AAEAB Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON
            Download Yara Rule
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 001AAEBF
            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 001AAF13
            • __swprintf.LIBCMT ref: 001AAF2C
            • SetErrorMode.KERNEL32(00000000,00000001,00000000,001CF910), ref: 001AAF6A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ErrorMode$InformationVolume__swprintf
            • String ID: %lu
            • API String ID: 3164766367-685833217
            • Opcode ID: c85a2488263330ec6dc236131488fc29e6dbc1b51265870457d5515e73db103b
            • Instruction ID: f9949471be1102439abede403bdad757c19f9349125707953afca8c5871ce8dd
            • Opcode Fuzzy Hash: c85a2488263330ec6dc236131488fc29e6dbc1b51265870457d5515e73db103b
            • Instruction Fuzzy Hash: 71218334A00109AFCB10DF65CC85EAE7BB9EF89704B104069F909EB261DB71EA45CB21
            Function 0019A52F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66
              • Part of subcall function 0019A37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0019A399
              • Part of subcall function 0019A37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 0019A3AC
              • Part of subcall function 0019A37C: GetCurrentThreadId.KERNEL32 ref: 0019A3B3
              • Part of subcall function 0019A37C: AttachThreadInput.USER32(00000000), ref: 0019A3BA
            • GetFocus.USER32 ref: 0019A554
              • Part of subcall function 0019A3C5: GetParent.USER32(?), ref: 0019A3D3
            • GetClassNameW.USER32(?,?,00000100), ref: 0019A59D
            • EnumChildWindows.USER32(?,0019A615), ref: 0019A5C5
            • __swprintf.LIBCMT ref: 0019A5DF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
            • String ID: %s%d
            • API String ID: 1941087503-1110647743
            • Opcode ID: 8bcc6ce52d9482d90a561c30ac69ba0d2a9cde43519ce2b133248c17a7cd73d0
            • Instruction ID: edc8e480222ba99303322a165c07e1b9a749800a08265ae2d5b53f03dbe934b2
            • Opcode Fuzzy Hash: 8bcc6ce52d9482d90a561c30ac69ba0d2a9cde43519ce2b133248c17a7cd73d0
            • Instruction Fuzzy Hash: A311B4716402087BDF10BFB0DC85FEA3B7DAF58710F044079BD08AA192CB709A4A8BB5
            Function 001A2017 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON
            Download Yara Rule
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 001A2048
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: BuffCharUpper
            • String ID: APPEND$EXISTS$KEYS$REMOVE
            • API String ID: 3964851224-769500911
            • Opcode ID: 18a6a7b7e9fcd8d81e45df79f3336cf5e9348c8fc3de8896d43d2a2198433772
            • Instruction ID: ab432734cf651a5f18960c78e7380519a8833e79bf1aa068cad01e504917db18
            • Opcode Fuzzy Hash: 18a6a7b7e9fcd8d81e45df79f3336cf5e9348c8fc3de8896d43d2a2198433772
            • Instruction Fuzzy Hash: 5E11617490010DDFCF00EFA4DA514FEB7B4FF26304B508569E965A7252EB325916CB50
            Function 001BEE69 Relevance: 7.7, APIs: 5, Instructions: 247COMMON
            Download Yara Rule
            APIs
            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 001BEF1B
            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 001BEF4B
            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 001BF07E
            • CloseHandle.KERNEL32(?), ref: 001BF0FF
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Process$CloseCountersHandleInfoMemoryOpen
            • String ID:
            • API String ID: 2364364464-0
            • Opcode ID: 86f1d1c85ecb5de9ac0869634f71291829a4ff5fdbb2536d1a107c9658b3c5df
            • Instruction ID: b75ec43d3069f0c5823f0d9e220c9a7c29f7ac585cfe3bf4e0e9c356c0073f4a
            • Opcode Fuzzy Hash: 86f1d1c85ecb5de9ac0869634f71291829a4ff5fdbb2536d1a107c9658b3c5df
            • Instruction Fuzzy Hash: D58160716043119FD720EF28CC86F6AB7E5AF98720F14885DF999DB3A2DB70AC418B51
            Function 0016564D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
            • String ID:
            • API String ID: 1559183368-0
            • Opcode ID: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
            • Instruction ID: 51dc233c78dec26c5ea85074625121491327d7a1bccfe9ac58f84c0ccbb812ed
            • Opcode Fuzzy Hash: fd1a262b7e6f1cb596d0076786feeeb097306c284ce0f321d4276a437e8c5e71
            • Instruction Fuzzy Hash: 54519171A00B05DBDB288FA9CC8466E77B7AF50324FA58729F835962D0D7709D70DB50
            Function 001C02C2 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82
              • Part of subcall function 001C10A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,001C0038,?,?), ref: 001C10BC
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 001C0388
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 001C03C7
            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 001C040E
            • RegCloseKey.ADVAPI32(?,?), ref: 001C043A
            • RegCloseKey.ADVAPI32(00000000), ref: 001C0447
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
            • String ID:
            • API String ID: 3440857362-0
            • Opcode ID: be73d0d64183febedc87ac178a302247c025412c690351f4b6aeb5d232810fcf
            • Instruction ID: 6b22222cab43488f24c8271b13ab089f0280319a483df4a5f528a58427be7bd8
            • Opcode Fuzzy Hash: be73d0d64183febedc87ac178a302247c025412c690351f4b6aeb5d232810fcf
            • Instruction Fuzzy Hash: 16514631208244EFDB05EB64C885F6FB7E9FFA8704F44892DB595872A2DB30E905CB52
            Function 001AE7DC Relevance: 7.6, APIs: 5, Instructions: 135COMMON
            Download Yara Rule
            APIs
            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 001AE88A
            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 001AE8B3
            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 001AE8F2
              • Part of subcall function 00149997: __itow.LIBCMT ref: 001499C2
              • Part of subcall function 00149997: __swprintf.LIBCMT ref: 00149A0C
            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 001AE917
            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 001AE91F
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
            • String ID:
            • API String ID: 1389676194-0
            • Opcode ID: cb3f6b38dd4530edf00051205ffb98f198e745a85bd5c88468b878045a6fa065
            • Instruction ID: 35261207880d131ae57d1dd5499dac9c4ea6115417a943c955a7e2bb279ab435
            • Opcode Fuzzy Hash: cb3f6b38dd4530edf00051205ffb98f198e745a85bd5c88468b878045a6fa065
            • Instruction Fuzzy Hash: D9511D39A00215EFCF01EF64C9819AEBBF5FF59314B148099E849AB362CB31ED51DB50
            Function 001CA2C5 Relevance: 7.6, APIs: 5, Instructions: 130COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 8c7f54a1541017faa479a8431079b7c333ac0e7a022db30f84148336ba4422c0
            • Instruction ID: fbe13a9f5b4139da4c863a8b459171f477ec858c362425827b479efa1cbca7d8
            • Opcode Fuzzy Hash: 8c7f54a1541017faa479a8431079b7c333ac0e7a022db30f84148336ba4422c0
            • Instruction Fuzzy Hash: CE41213590024CAFC725DB28CC58FA9BBA9FF29314F89422CF955A72E1C730ED81CA51
            Function 00142344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON
            Download Yara Rule
            APIs
            • GetCursorPos.USER32(?), ref: 00142357
            • ScreenToClient.USER32(002067B0,?), ref: 00142374
            • GetAsyncKeyState.USER32(00000001), ref: 00142399
            • GetAsyncKeyState.USER32(00000002), ref: 001423A7
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: AsyncState$ClientCursorScreen
            • String ID:
            • API String ID: 4210589936-0
            • Opcode ID: 0c70cfe55de769e85f02bd68370712d995ad79083a889d2bee3a1698f29a282d
            • Instruction ID: af0c4f84336ac4e058502a76fc92cd79ad4d308e0bad54d58d05ff3174b8c765
            • Opcode Fuzzy Hash: 0c70cfe55de769e85f02bd68370712d995ad79083a889d2bee3a1698f29a282d
            • Instruction Fuzzy Hash: 29418231504119FBDF199F68C844EEEBB75FB19320F60836AF829962A1C7349990DFD1
            Function 00196920 Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON
            Download Yara Rule
            APIs
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0019695D
            • TranslateAcceleratorW.USER32(?,?,?), ref: 001969A9
            • TranslateMessage.USER32(?), ref: 001969D2
            • DispatchMessageW.USER32(?), ref: 001969DC
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001969EB
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Message$PeekTranslate$AcceleratorDispatch
            • String ID:
            • API String ID: 2108273632-0
            • Opcode ID: 5d6ec915d4315dfb6323cb96b247d005cb7bc3d1d185099d52dd4c9d47a64908
            • Instruction ID: b053fb1603d0db8ff38970a128be5077bb90e8ab476eadbe5e9e114d26c343a8
            • Opcode Fuzzy Hash: 5d6ec915d4315dfb6323cb96b247d005cb7bc3d1d185099d52dd4c9d47a64908
            • Instruction Fuzzy Hash: F131D231900256AEDF24CF74DC4CFB6BBACAB11308F104169E421D75A2D734D89AD7B0
            Function 00198F01 Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON
            Download Yara Rule
            APIs
            • GetWindowRect.USER32(?,?), ref: 00198F12
            • PostMessageW.USER32(?,00000201,00000001), ref: 00198FBC
            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00198FC4
            • PostMessageW.USER32(?,00000202,00000000), ref: 00198FD2
            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00198FDA
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessagePostSleep$RectWindow
            • String ID:
            • API String ID: 3382505437-0
            • Opcode ID: 872871091f56d71b2f05359895a22a6e392d4f8f1f24e78a17d671b0df3fdae2
            • Instruction ID: 8b49332a594265de6486470288f0fa2b26b3c1870d92b11cbeabd1dac6815aed
            • Opcode Fuzzy Hash: 872871091f56d71b2f05359895a22a6e392d4f8f1f24e78a17d671b0df3fdae2
            • Instruction Fuzzy Hash: FC31CC71500219EFDF14CFA8D94CAAE7BB6EB06325F104229F925EA2D0C7B0DA54DB90
            Function 0019B6AF Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON
            Download Yara Rule
            APIs
            • IsWindowVisible.USER32(?), ref: 0019B6C7
            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0019B6E4
            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0019B71C
            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0019B742
            • _wcsstr.LIBCMT ref: 0019B74C
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
            • String ID:
            • API String ID: 3902887630-0
            • Opcode ID: 9698ac0255a2a11e08643c1bc75b091bdfcb30576304451a77f504fd0e61336d
            • Instruction ID: e9b12b86938dec01a493d43e9ebd4386d80c7bf51262211844c9d095628ced54
            • Opcode Fuzzy Hash: 9698ac0255a2a11e08643c1bc75b091bdfcb30576304451a77f504fd0e61336d
            • Instruction Fuzzy Hash: AA212931208214BBEF295B79AD89E7B7B99DF89710F10413DFC05CA1A1EF61DC4197A0
            Function 001CB405 Relevance: 7.6, APIs: 5, Instructions: 85COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00142612: GetWindowLongW.USER32(?,000000EB), ref: 00142623
            • GetWindowLongW.USER32(?,000000F0), ref: 001CB44C
            • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 001CB471
            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 001CB489
            • GetSystemMetrics.USER32(00000004), ref: 001CB4B2
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,001B1184,00000000), ref: 001CB4D0
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$Long$MetricsSystem
            • String ID:
            • API String ID: 2294984445-0
            • Opcode ID: ddf93503469cb175d4ee89474f38ecd2363c89fec2c1119cd1138a9ab969ffb1
            • Instruction ID: 2ef198ceeb40922a6c8ce6a20251f90255979ac07155865cde3081ed440bf17a
            • Opcode Fuzzy Hash: ddf93503469cb175d4ee89474f38ecd2363c89fec2c1119cd1138a9ab969ffb1
            • Instruction Fuzzy Hash: 81218031918255AFCB188F38DC89F6A3BA5EB15720F15872CF926D71E2E730D861DB80
            Function 001997E9 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00199802
              • Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66
            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00199834
            • __itow.LIBCMT ref: 0019984C
            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00199874
            • __itow.LIBCMT ref: 00199885
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$__itow$_memmove
            • String ID:
            • API String ID: 2983881199-0
            • Opcode ID: 0e3f361bf245ff2231fe705306485eaf09d4131243b4ea9537371d94c20dcc94
            • Instruction ID: f992fa1edb4723b3f70e07d1ff3f00d15d4f40b33d18e01af7803fd42f65e864
            • Opcode Fuzzy Hash: 0e3f361bf245ff2231fe705306485eaf09d4131243b4ea9537371d94c20dcc94
            • Instruction Fuzzy Hash: 2221C575B00218ABDF10ABA98C86EAE7BA9EF5A720F04402DF904EB291D770CD4597D1
            Function 001412F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON
            Download Yara Rule
            APIs
            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0014134D
            • SelectObject.GDI32(?,00000000), ref: 0014135C
            • BeginPath.GDI32(?), ref: 00141373
            • SelectObject.GDI32(?,00000000), ref: 0014139C
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ObjectSelect$BeginCreatePath
            • String ID:
            • API String ID: 3225163088-0
            • Opcode ID: db5a8d01d0ccd21350500850efa841a88b7c7ba3e1f03d300b13c650f5ebf6d6
            • Instruction ID: f24e524d9bbfca27071b138208b47b7302f41f8c0c5e14df0449b7f724a391d9
            • Opcode Fuzzy Hash: db5a8d01d0ccd21350500850efa841a88b7c7ba3e1f03d300b13c650f5ebf6d6
            • Instruction Fuzzy Hash: 1A213971800308EBDB119F25EC0CBA97BF9FB00761F14822AF814965B2D77199EADB91
            Function 0019C161 Relevance: 7.6, APIs: 5, Instructions: 61COMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            • Opcode ID: 798b65d34e1f7d838189b38301e0f2c12ff3c43d85574447bb937307530e237c
            • Instruction ID: 5d54b85ef0154dd9a5b757dc3ee6b141f36251a5118fa267776b579d0562ad3b
            • Opcode Fuzzy Hash: 798b65d34e1f7d838189b38301e0f2c12ff3c43d85574447bb937307530e237c
            • Instruction Fuzzy Hash: F201D8B1A04115BBEA04A6209D42FAB735C9F31394F484032FD5497383E7E0EE21C2F9
            Function 001A4D35 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON
            Download Yara Rule
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 001A4D5C
            • __beginthreadex.LIBCMT ref: 001A4D7A
            • MessageBoxW.USER32(?,?,?,?), ref: 001A4D8F
            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 001A4DA5
            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 001A4DAC
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
            • String ID:
            • API String ID: 3824534824-0
            • Opcode ID: 552d25e0023e00da6f301b6e9c6cf6bc27c56fd4a2c8849d63f6f729413fb588
            • Instruction ID: 8c267e9b77320d4680fa5887c9700cdc20d60b251d01093850d72a48c8fa51d4
            • Opcode Fuzzy Hash: 552d25e0023e00da6f301b6e9c6cf6bc27c56fd4a2c8849d63f6f729413fb588
            • Instruction Fuzzy Hash: CE11E576904359BFC7019BB8AC0CAAA7FADEB95320F144269FD14D3251D7B18D5087A0
            Function 0019874A Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON
            Download Yara Rule
            APIs
            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00198766
            • GetLastError.KERNEL32(?,0019822A,?,?,?), ref: 00198770
            • GetProcessHeap.KERNEL32(00000008,?,?,0019822A,?,?,?), ref: 0019877F
            • HeapAlloc.KERNEL32(00000000,?,0019822A,?,?,?), ref: 00198786
            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0019879D
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
            • String ID:
            • API String ID: 842720411-0
            • Opcode ID: 2dee558426c31483cbbf1e225415ebbfccf9aad5ae3d26b433967eb819483ad6
            • Instruction ID: 293572dad0d56531afdc7efe42e6d8942a62a95174051fd89124e372f02ddb38
            • Opcode Fuzzy Hash: 2dee558426c31483cbbf1e225415ebbfccf9aad5ae3d26b433967eb819483ad6
            • Instruction Fuzzy Hash: 02012471200208BF9B244FA6DC88D6BBFAEEF8A355B200429F849C2260DB31CC41DA60
            Function 001A54E6 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON
            Download Yara Rule
            APIs
            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001A5502
            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 001A5510
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 001A5518
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 001A5522
            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 001A555E
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: PerformanceQuery$CounterSleep$Frequency
            • String ID:
            • API String ID: 2833360925-0
            • Opcode ID: 61702258f0d4393c5a21eeaa27aa41fe38d47cca6aba26fa59c7780341860fde
            • Instruction ID: 5bfee760f6df4c860d50fab8edc352d5abc916a12b9e07ebb713ec260172cd13
            • Opcode Fuzzy Hash: 61702258f0d4393c5a21eeaa27aa41fe38d47cca6aba26fa59c7780341860fde
            • Instruction Fuzzy Hash: 7B012175D04A1DDBCF00DFE5E8889EDBB7AFB0A711F05005AE501F2540DB309594C7A1
            Function 00197652 Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON
            Download Yara Rule
            APIs
            • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0019758C,80070057,?,?,?,0019799D), ref: 0019766F
            • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0019758C,80070057,?,?), ref: 0019768A
            • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0019758C,80070057,?,?), ref: 00197698
            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0019758C,80070057,?), ref: 001976A8
            • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,0019758C,80070057,?,?), ref: 001976B4
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: From$Prog$FreeStringTasklstrcmpi
            • String ID:
            • API String ID: 3897988419-0
            • Opcode ID: 33e8005b6bba66f4bdb6fcdd6830e776f76c96802f909eb6c2cacf99b5e804e4
            • Instruction ID: a4c84d99007257d3b3addada136f6b2b84fa0a0ab5e485a282e7026b26ed8c04
            • Opcode Fuzzy Hash: 33e8005b6bba66f4bdb6fcdd6830e776f76c96802f909eb6c2cacf99b5e804e4
            • Instruction Fuzzy Hash: F6017176615604BBEB105F59DC44EAA7FBDEF44B51F140028FD04D2261E731DD4197A0
            Function 001985F1 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON
            Download Yara Rule
            APIs
            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00198608
            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00198612
            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00198621
            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00198628
            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0019863E
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: 66c8653702c666b4d9e89d7049d009dcef8e925dad753e8f776a22dfe8da05b0
            • Instruction ID: ac635b8a04bc5c628a726c6cf7213a1027674f5fb7f63a280feb748cf261ab22
            • Opcode Fuzzy Hash: 66c8653702c666b4d9e89d7049d009dcef8e925dad753e8f776a22dfe8da05b0
            • Instruction Fuzzy Hash: D0F04F35201204AFEB100FA9DC89E6B3FAEFF8AB54B140429F945C6150CB65DC82DA60
            Function 00198652 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON
            Download Yara Rule
            APIs
            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00198669
            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00198673
            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00198682
            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00198689
            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0019869F
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            • Opcode ID: 4917cec13d77f1dd5fd99e1498c11d9517e21899c9111deafed440c10ee3655a
            • Instruction ID: 5ff771937b5c4f4d1e098cd200728a0a23eb644b83d39d9ea228dd999b3958c3
            • Opcode Fuzzy Hash: 4917cec13d77f1dd5fd99e1498c11d9517e21899c9111deafed440c10ee3655a
            • Instruction Fuzzy Hash: 15F04F75200204AFEB111FA6EC88E677FBEFF8A754B14002AF945C6150CB61D982DA60
            Function 0019C6A6 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON
            Download Yara Rule
            APIs
            • GetDlgItem.USER32(?,000003E9), ref: 0019C6BA
            • GetWindowTextW.USER32(00000000,?,00000100), ref: 0019C6D1
            • MessageBeep.USER32(00000000), ref: 0019C6E9
            • KillTimer.USER32(?,0000040A), ref: 0019C705
            • EndDialog.USER32(?,00000001), ref: 0019C71F
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: BeepDialogItemKillMessageTextTimerWindow
            • String ID:
            • API String ID: 3741023627-0
            • Opcode ID: 206a5ee1aed59a9771f095a60d91267e391fc6880a15ac88f5ba5f48dbfb9616
            • Instruction ID: b9ea92b1e02fe2bc4819937c6020b9518e622dfafb4263ee3f882e2770163278
            • Opcode Fuzzy Hash: 206a5ee1aed59a9771f095a60d91267e391fc6880a15ac88f5ba5f48dbfb9616
            • Instruction Fuzzy Hash: 57018130500714ABEF259B60DD8EFA67BB9FF00705F00066DF582A19E1DBF0A9998F80
            Function 001413B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON
            Download Yara Rule
            APIs
            • EndPath.GDI32(?), ref: 001413BF
            • StrokeAndFillPath.GDI32(?,?,0017BAD8,00000000,?), ref: 001413DB
            • SelectObject.GDI32(?,00000000), ref: 001413EE
            • DeleteObject.GDI32 ref: 00141401
            • StrokePath.GDI32(?), ref: 0014141C
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Path$ObjectStroke$DeleteFillSelect
            • String ID:
            • API String ID: 2625713937-0
            • Opcode ID: 6bc3fca1478e02d313a9e75b7beed1afd0af5077085bdcadb664752701a5aaf0
            • Instruction ID: f8d42dde69bcb1146b9c5755a240c4affa9627b65323aff7853892fcf3f63281
            • Opcode Fuzzy Hash: 6bc3fca1478e02d313a9e75b7beed1afd0af5077085bdcadb664752701a5aaf0
            • Instruction Fuzzy Hash: 49F0B230004308ABDB155F66EC0CB583FA6AB01726F08C228F469854F2C73189EADF51
            Function 00152E5B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00160FF6: std::exception::exception.LIBCMT ref: 0016102C
              • Part of subcall function 00160FF6: __CxxThrowException@8.LIBCMT ref: 00161041
              • Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82
              • Part of subcall function 00147BB1: _memmove.LIBCMT ref: 00147C0B
            • __swprintf.LIBCMT ref: 0015302D
            Strings
            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00152EC6
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
            • API String ID: 1943609520-557222456
            • Opcode ID: ed675e142a2997b56a7ae6089d84a89bc357760ce5da76e1533ba79ad534550a
            • Instruction ID: a40b32157fe7674abbaee98bdd3849dfd6c555a5ae8a302ae24e2ffffffa8c0a
            • Opcode Fuzzy Hash: ed675e142a2997b56a7ae6089d84a89bc357760ce5da76e1533ba79ad534550a
            • Instruction Fuzzy Hash: 90916D71108701DFCB18EF24D895C6FB7A4EFA5750F04491DF9A69B2A1DB20EE48CB52
            Function 001ABBA6 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 001448AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,001448A1,?,?,001437C0,?), ref: 001448CE
            • CoInitialize.OLE32(00000000), ref: 001ABC26
            • CoCreateInstance.OLE32(001D2D6C,00000000,00000001,001D2BDC,?), ref: 001ABC3F
            • CoUninitialize.OLE32 ref: 001ABC5C
              • Part of subcall function 00149997: __itow.LIBCMT ref: 001499C2
              • Part of subcall function 00149997: __swprintf.LIBCMT ref: 00149A0C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
            • String ID: .lnk
            • API String ID: 2126378814-24824748
            • Opcode ID: 718eab217a74f4d0eeea5f73ecedbc587036078cfc1ff2caca950342f1a10aa6
            • Instruction ID: d633343f1c36fae35915cc1acac0786d50208da7d59a2e887223c413a023e787
            • Opcode Fuzzy Hash: 718eab217a74f4d0eeea5f73ecedbc587036078cfc1ff2caca950342f1a10aa6
            • Instruction Fuzzy Hash: 48A134756043419FCB10DF64C484D6ABBE5FF89318F148998F8999B3A2CB31ED45CB91
            Function 0016524D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON
            Download Yara Rule
            APIs
            • __startOneArgErrorHandling.LIBCMT ref: 001652DD
              • Part of subcall function 00170340: __87except.LIBCMT ref: 0017037B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ErrorHandling__87except__start
            • String ID: pow
            • API String ID: 2905807303-2276729525
            • Opcode ID: 9490806d913347f9af14baf678dd0cab665c7f29fd44292f130130b3c9ecfcb0
            • Instruction ID: b79ffd198838269c628a6d14da4c0d3987a54c30bf2405d47bedcf7f1b921501
            • Opcode Fuzzy Hash: 9490806d913347f9af14baf678dd0cab665c7f29fd44292f130130b3c9ecfcb0
            • Instruction Fuzzy Hash: 89517C21A1E702CBCB167724CD5137E6BA1AB04750F20CD5DF0DA862E5EF748CE4DA46
            Function 0016023B Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 163COMMON
            Download Yara Rule
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID: #$+
            • API String ID: 0-2552117581
            • Opcode ID: 0fc4d48bff2a1fc59ac25a7aaa49648ceae5ebd7e2d9fc5d42eebee32a3c1ff7
            • Instruction ID: dba8467019fd8bc8ac5d84ee57657cdffcc2de6079ca406655adc9a55f9110b1
            • Opcode Fuzzy Hash: 0fc4d48bff2a1fc59ac25a7aaa49648ceae5ebd7e2d9fc5d42eebee32a3c1ff7
            • Instruction Fuzzy Hash: 925133741046868FDF1ADFA8C888AFA7BE6FF29310F140055EC91AB2A0D7309C52C760
            Function 001562F2 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 143COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memset$_memmove
            • String ID: ERCP
            • API String ID: 2532777613-1384759551
            • Opcode ID: 809788a3b94f885137836830001ab2a99c7a36745f1e43a946f53ceb36e1f27c
            • Instruction ID: 447056f4b3b85eb929651b77c2b09185f92a817fccee01266465c25baf7b85c6
            • Opcode Fuzzy Hash: 809788a3b94f885137836830001ab2a99c7a36745f1e43a946f53ceb36e1f27c
            • Instruction Fuzzy Hash: 3151B171900309EFDB24CF65C8817AABBF4FF14315F60856EEA5ADB241E7719698CB80
            Function 001C7BB5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON
            Download Yara Rule
            APIs
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,001CF910,00000000,?,?,?,?), ref: 001C7C4E
            • GetWindowLongW.USER32 ref: 001C7C6B
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 001C7C7B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$Long
            • String ID: SysTreeView32
            • API String ID: 847901565-1698111956
            • Opcode ID: 941ed2103666da1163d1ef7d979f500cd5adf96cf825cc5f3df0a7d84b5d077f
            • Instruction ID: df87783b62f7a3d0fa082a8982fbdad91b1ef1b658cf33e84a2c0d129f0b2e9d
            • Opcode Fuzzy Hash: 941ed2103666da1163d1ef7d979f500cd5adf96cf825cc5f3df0a7d84b5d077f
            • Instruction Fuzzy Hash: 2031CF31204206ABDB118F38CC45FEA7BA9EF69324F244729F875932E0C771EC919B60
            Function 001C7648 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 001C76D0
            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 001C76E4
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 001C7708
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$Window
            • String ID: SysMonthCal32
            • API String ID: 2326795674-1439706946
            • Opcode ID: 190838ffdd1ee24d2e53106a8be0c29ccd66fa76234826cc602ee56ef0632790
            • Instruction ID: 138d4a7e348ef5f681f3f52fd080f6818a604b8e292e04293a1b36d7599d98f0
            • Opcode Fuzzy Hash: 190838ffdd1ee24d2e53106a8be0c29ccd66fa76234826cc602ee56ef0632790
            • Instruction Fuzzy Hash: 9F219F32504229BBDF15CEA4CC86FEA3B79EB58714F110218FE15AB1D0D7B1E8919BA0
            Function 001C6F1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 001C6FAA
            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 001C6FBA
            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 001C6FDF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend$MoveWindow
            • String ID: Listbox
            • API String ID: 3315199576-2633736733
            • Opcode ID: e4e7664ec628474e1fe5c38b0e14fd8acad4a7c5b8e6c31c635be2f52f6a2c82
            • Instruction ID: ba4325b964863b688dd3c5db052d544bc6971bb0e12e253cbb48f3acda934705
            • Opcode Fuzzy Hash: e4e7664ec628474e1fe5c38b0e14fd8acad4a7c5b8e6c31c635be2f52f6a2c82
            • Instruction Fuzzy Hash: 5C218032610118BFDF118F54DC85FAB3BAAEF99754F01812CFA549B1A0C771EC518BA0
            Function 001C797D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 001C79E1
            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 001C79F6
            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 001C7A03
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: msctls_trackbar32
            • API String ID: 3850602802-1010561917
            • Opcode ID: ab78be60280a733f85b41a3eed70cb8fc2448e696306055b83b17ecdd206fc05
            • Instruction ID: 7600be72c8d80f41fa8917d1255a5783d0a57c2dafac8974ec506834a5604f04
            • Opcode Fuzzy Hash: ab78be60280a733f85b41a3eed70cb8fc2448e696306055b83b17ecdd206fc05
            • Instruction Fuzzy Hash: 8411E372244208BBEF149F61CC46FEB7BA9EF99B64F02051DFA41A60E0D3B1D851CB60
            Function 00144C95 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
            Download Yara Rule
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00144C2E), ref: 00144CA3
            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00144CB5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetNativeSystemInfo$kernel32.dll
            • API String ID: 2574300362-192647395
            • Opcode ID: c07484f647048b024c6fbbee9bbebc4995250ae6003df765a3b54b0e48c3f377
            • Instruction ID: 15cff25ed95b82f3053dd42f165a976089e5a2526845c35c362ecbcd4cef9b82
            • Opcode Fuzzy Hash: c07484f647048b024c6fbbee9bbebc4995250ae6003df765a3b54b0e48c3f377
            • Instruction Fuzzy Hash: 48D05E70510723CFE7209F71EE59F06BAE6AF15791B19C83ED886DA560E770D8C1CA50
            Function 00144D61 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
            Download Yara Rule
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00144D2E,?,00144F4F,?,002062F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00144D6F
            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00144D81
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
            • API String ID: 2574300362-3689287502
            • Opcode ID: 17a9f35a3c7fbc9c7e7f9f39b870288e9f2b206c485975f0ffaa6d0a7925842e
            • Instruction ID: 41513591c25fb144460d46cdfa92a74b5fac1b1d265a55b88ff42475eabb8b25
            • Opcode Fuzzy Hash: 17a9f35a3c7fbc9c7e7f9f39b870288e9f2b206c485975f0ffaa6d0a7925842e
            • Instruction Fuzzy Hash: F9D01730910713CFE7209FB1D809B16BAE9AF25352B15C83EA49AD66A0EB70D8C0CA50
            Function 00144D94 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
            Download Yara Rule
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,00144CE1,?), ref: 00144DA2
            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00144DB4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
            • API String ID: 2574300362-1355242751
            • Opcode ID: 62a7d656e96c19872b820a4d6231fddb2e28182e372d12c5a1e6b8bda32d43e0
            • Instruction ID: e5fd9607956defecf2d16f00ded93e2350d375cd1e204b884bcb0ef142dadb13
            • Opcode Fuzzy Hash: 62a7d656e96c19872b820a4d6231fddb2e28182e372d12c5a1e6b8bda32d43e0
            • Instruction Fuzzy Hash: 28D01731950713CFD7209FB1D809B46BAE5AF15355B15C83EE8C6D65A0EB70D8C0CA50
            Function 001C1072 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
            Download Yara Rule
            APIs
            • LoadLibraryA.KERNEL32(advapi32.dll,?,001C12C1), ref: 001C1080
            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 001C1092
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: RegDeleteKeyExW$advapi32.dll
            • API String ID: 2574300362-4033151799
            • Opcode ID: a90eeba5362ecf97b2b5dc2bf6fe48c2e64edc38c39d8159b62f6a84f4cd0421
            • Instruction ID: 5e0fd9e3edf90f286c704ecbd9fa32457039376b3f80419bae4c7f7c0f2a2980
            • Opcode Fuzzy Hash: a90eeba5362ecf97b2b5dc2bf6fe48c2e64edc38c39d8159b62f6a84f4cd0421
            • Instruction Fuzzy Hash: AAD01730560752DFD7209F35D859E2A7AE6AF16361F198C3EA48ADA550E770D8C0CA50
            Function 001B93F5 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON
            Download Yara Rule
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,00000001,001B9009,?,001CF910), ref: 001B9403
            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 001B9415
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: AddressLibraryLoadProc
            • String ID: GetModuleHandleExW$kernel32.dll
            • API String ID: 2574300362-199464113
            • Opcode ID: 4f24b17da653fa2fa3efc51d072badbf67fc296b8d06488e9ecb3d3c84d547ae
            • Instruction ID: 20237ab2148b10d80e134754ed3804d00ef892f36e6b644b3775bc16b361490e
            • Opcode Fuzzy Hash: 4f24b17da653fa2fa3efc51d072badbf67fc296b8d06488e9ecb3d3c84d547ae
            • Instruction Fuzzy Hash: 01D0C7B0600323CFC7208F32CA08A42BEE6AF00341B04C83EE586C2950E770C8C2CA10
            Function 00181B3E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: LocalTime__swprintf
            • String ID: %.3d$WIN_XPe
            • API String ID: 2070861257-2409531811
            • Opcode ID: 64a0b1b24a974a11dffd19a7d86d4d3eb823f4545bc423a10632c58ed4a90407
            • Instruction ID: bebc7fc0ca7035577ce617f326c397258954801b45bb1bcacc2ce2169d1c4f95
            • Opcode Fuzzy Hash: 64a0b1b24a974a11dffd19a7d86d4d3eb823f4545bc423a10632c58ed4a90407
            • Instruction Fuzzy Hash: 9ED012B3804118FACB5CAA908C44CF9777DAB04301F510592B50692400F3349B969F21
            Function 001976C5 Relevance: 6.3, APIs: 4, Instructions: 333COMMON
            Download Yara Rule
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 3559f5fb658d4b4ffd13a0f1d3b0e050841b39148106057be9bb7a2a93e0e128
            • Instruction ID: 94ab53ae28171b4b27081cdb624a4cd8b8854e4310529366b6a3330b0d2616c9
            • Opcode Fuzzy Hash: 3559f5fb658d4b4ffd13a0f1d3b0e050841b39148106057be9bb7a2a93e0e128
            • Instruction Fuzzy Hash: 91C15E75A14216EFCF18CF94C888EAEBBB5FF48714B158599E805EB291D730ED81CB90
            Function 001BE33E Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON
            Download Yara Rule
            APIs
            • CharLowerBuffW.USER32(?,?), ref: 001BE3D2
            • CharLowerBuffW.USER32(?,?), ref: 001BE415
              • Part of subcall function 001BDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 001BDAD9
            • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 001BE615
            • _memmove.LIBCMT ref: 001BE628
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: BuffCharLower$AllocVirtual_memmove
            • String ID:
            • API String ID: 3659485706-0
            • Opcode ID: c93a890a447cc2b5baa2a5f7c59395c8718f06386140bf15a2a7a7083e399fe1
            • Instruction ID: 7b775a03552d72ccb03610553e699a32d68ee4033e2c7f2760eda9a3aff1226a
            • Opcode Fuzzy Hash: c93a890a447cc2b5baa2a5f7c59395c8718f06386140bf15a2a7a7083e399fe1
            • Instruction Fuzzy Hash: 68C148756083119FC714DF28C4809AABBE4FF98718F14896EF899DB361D731E946CB82
            Function 001B83A8 Relevance: 6.3, APIs: 4, Instructions: 267COMMON
            Download Yara Rule
            APIs
            • CoInitialize.OLE32(00000000), ref: 001B83D8
            • CoUninitialize.OLE32 ref: 001B83E3
              • Part of subcall function 0019DA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0019DAC5
            • VariantInit.OLEAUT32(?), ref: 001B83EE
            • VariantClear.OLEAUT32(?), ref: 001B86BF
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
            • String ID:
            • API String ID: 780911581-0
            • Opcode ID: e90f84286e418d1e869f912f0a8ee6ad8517223728a9bb0ccb425029565ef585
            • Instruction ID: 3bf31b6d21e6d9925c4479dffd99ba5632aa129415feeda63849bfe346081f94
            • Opcode Fuzzy Hash: e90f84286e418d1e869f912f0a8ee6ad8517223728a9bb0ccb425029565ef585
            • Instruction Fuzzy Hash: 88A159752047029FCB14DF24C885B6AB7E9BF98714F14844DF99A9B3A2CB30ED45CB82
            Function 00197A78 Relevance: 6.2, APIs: 4, Instructions: 231COMMON
            Download Yara Rule
            APIs
            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,001D2C7C,?), ref: 00197C32
            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,001D2C7C,?), ref: 00197C4A
            • CLSIDFromProgID.OLE32(?,?,00000000,001CFB80,000000FF,?,00000000,00000800,00000000,?,001D2C7C,?), ref: 00197C6F
            • _memcmp.LIBCMT ref: 00197C90
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: FromProg$FreeTask_memcmp
            • String ID:
            • API String ID: 314563124-0
            • Opcode ID: 45bda87a90fa1d0062f849389d9ae7f547186258257fb583b32803fabcd5e6fc
            • Instruction ID: b77316203da95158594537803668b934191d20f58b4727f8f867f0bca5521c57
            • Opcode Fuzzy Hash: 45bda87a90fa1d0062f849389d9ae7f547186258257fb583b32803fabcd5e6fc
            • Instruction Fuzzy Hash: EE811C71A10109EFCF04DF94C984EEEB7B9FF89315F244598E516AB290DB71AE06CB60
            Function 00196DF3 Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Variant$AllocClearCopyInitString
            • String ID:
            • API String ID: 2808897238-0
            • Opcode ID: 6d9a9251ba10b65d6bc0d8ff0b5af0e4df1fd7a1ff8575aa4ecd49fb7fc3477b
            • Instruction ID: 109d92919733df195757c59c1f53ac0c681beeda3e21f2198e514469a2607491
            • Opcode Fuzzy Hash: 6d9a9251ba10b65d6bc0d8ff0b5af0e4df1fd7a1ff8575aa4ecd49fb7fc3477b
            • Instruction Fuzzy Hash: 8751D6306183029BDF24AF69E895A3EB3E5BF59310F24881FF596CB6D1DB709880DB11
            Function 001C9A63 Relevance: 6.1, APIs: 4, Instructions: 140COMMON
            Download Yara Rule
            APIs
            • GetWindowRect.USER32(00BCF2F8,?), ref: 001C9AD2
            • ScreenToClient.USER32(00000002,00000002), ref: 001C9B05
            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 001C9B72
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$ClientMoveRectScreen
            • String ID:
            • API String ID: 3880355969-0
            • Opcode ID: 709c3fab47c8b5c226d9c1f8656afa798c1cbdcb1ef5930b4a9c8c02dc0afaa7
            • Instruction ID: 7049bd7358f3b82e12ea0816d6ac80978f1ba9cfecbfe6c50deb548e974300d1
            • Opcode Fuzzy Hash: 709c3fab47c8b5c226d9c1f8656afa798c1cbdcb1ef5930b4a9c8c02dc0afaa7
            • Instruction Fuzzy Hash: 23511B75A00209AFCF14DF58E889EAE7BB6FB64320F14815DF8159B2A1D730ED91CB90
            Function 001B6CBD Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON
            Download Yara Rule
            APIs
            • socket.WSOCK32(00000002,00000002,00000011), ref: 001B6CE4
            • WSAGetLastError.WSOCK32(00000000), ref: 001B6CF4
              • Part of subcall function 00149997: __itow.LIBCMT ref: 001499C2
              • Part of subcall function 00149997: __swprintf.LIBCMT ref: 00149A0C
            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 001B6D58
            • WSAGetLastError.WSOCK32(00000000), ref: 001B6D64
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ErrorLast$__itow__swprintfsocket
            • String ID:
            • API String ID: 2214342067-0
            • Opcode ID: 37b4db2e7ac931eca6a2a921070a14505a45e126aae88667ab44ee1cbd606f40
            • Instruction ID: 9967c12784024b9638342eb954709a909c7c4369f3b67b5c045e67dfad3a873d
            • Opcode Fuzzy Hash: 37b4db2e7ac931eca6a2a921070a14505a45e126aae88667ab44ee1cbd606f40
            • Instruction Fuzzy Hash: 2341B174740200AFEB20AF24DC86F7E77E5DB58B10F448058FA59AB3E2DB749D018B91
            Function 001B672D Relevance: 6.1, APIs: 4, Instructions: 116COMMON
            Download Yara Rule
            APIs
            • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,001CF910), ref: 001B67BA
            • _strlen.LIBCMT ref: 001B67EC
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _strlen
            • String ID:
            • API String ID: 4218353326-0
            • Opcode ID: 354a160190b50ee074838e2351a8f60feb1201f57ed7b24b07d66d5dfc8d73ad
            • Instruction ID: 21519e107d09cd31168ae08fa50688db11be3c84c49e49e0e6097282adbcbe5e
            • Opcode Fuzzy Hash: 354a160190b50ee074838e2351a8f60feb1201f57ed7b24b07d66d5dfc8d73ad
            • Instruction Fuzzy Hash: 7741A971A00204AFCB14EBA4DCD5FEEB7A9EF64314F148169F815972A2DF34AD45CB50
            Function 001ABA5F Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON
            Download Yara Rule
            APIs
            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 001ABB09
            • GetLastError.KERNEL32(?,00000000), ref: 001ABB2F
            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 001ABB54
            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 001ABB80
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CreateHardLink$DeleteErrorFileLast
            • String ID:
            • API String ID: 3321077145-0
            • Opcode ID: 2ed831a95db0cde07cd59878eedb14551cb2609cfa87048954384d5a5c9b0e8f
            • Instruction ID: 512f62a550bd400202c60f7a93857fdf768423480d29f97488c16d7b9ec8648e
            • Opcode Fuzzy Hash: 2ed831a95db0cde07cd59878eedb14551cb2609cfa87048954384d5a5c9b0e8f
            • Instruction Fuzzy Hash: 05412539200651DFCB11EF15C584A5EBBE1EF9A324B198498EC4A9B772CB34FD41CB91
            Function 001C8AC0 Relevance: 6.1, APIs: 4, Instructions: 109COMMON
            Download Yara Rule
            APIs
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 001C8B4D
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: InvalidateRect
            • String ID:
            • API String ID: 634782764-0
            • Opcode ID: 0eccd811d793a390d1fcf77e8e6ca02a6392a8677301991472d7655463c69d42
            • Instruction ID: 26d5d660dc1e0ce6da4fcca5a2c7e44df791e3ccfb4b1e03d8eb1c2adfbff7aa
            • Opcode Fuzzy Hash: 0eccd811d793a390d1fcf77e8e6ca02a6392a8677301991472d7655463c69d42
            • Instruction Fuzzy Hash: FC31A1B4600208BEEB249E18CCC9FA977A5EB25310F24451EFA51D72E1CF31ED90D651
            Function 001CADF1 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON
            Download Yara Rule
            APIs
            • ClientToScreen.USER32(?,?), ref: 001CAE1A
            • GetWindowRect.USER32(?,?), ref: 001CAE90
            • PtInRect.USER32(?,?,001CC304), ref: 001CAEA0
            • MessageBeep.USER32(00000000), ref: 001CAF11
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Rect$BeepClientMessageScreenWindow
            • String ID:
            • API String ID: 1352109105-0
            • Opcode ID: 231ad471173b970e85b085e91879a6bcf7f0eca8e8805680190d29e9631fec29
            • Instruction ID: 1491229ffd3dfde37930df2c91e154efbcc09e1748f18ae1f828ba3f5fc4cef0
            • Opcode Fuzzy Hash: 231ad471173b970e85b085e91879a6bcf7f0eca8e8805680190d29e9631fec29
            • Instruction Fuzzy Hash: 81416A70A002199FCB12CF58D888FA9BBF5FF69344F5881ADE5148B251D730E942CB92
            Function 001A0FE6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON
            Download Yara Rule
            APIs
            • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 001A1037
            • SetKeyboardState.USER32(00000080,?,00000001), ref: 001A1053
            • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 001A10B9
            • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 001A110B
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            • Opcode ID: b0c7ddb61a62d0c584f20f34879fb4a4b3eddd2f4f3fef75b80aed4b56f4526f
            • Instruction ID: 5fcf1c062b3b6205e68cf64c474bb64dc5485c517b1891aa3cbe9bd32e946bb2
            • Opcode Fuzzy Hash: b0c7ddb61a62d0c584f20f34879fb4a4b3eddd2f4f3fef75b80aed4b56f4526f
            • Instruction Fuzzy Hash: B9317838E40698BEFF358B658D05BFEBBAAAB5B310F08431AF580521D0C3748DC58751
            Function 001A1121 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON
            Download Yara Rule
            APIs
            • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 001A1176
            • SetKeyboardState.USER32(00000080,?,00008000), ref: 001A1192
            • PostMessageW.USER32(00000000,00000101,00000000), ref: 001A11F1
            • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 001A1243
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            • Opcode ID: 48d68b3f621a66e8cf56d4fb28c0dafd9c323fc22038fd4fb1ba1fb695ef11e9
            • Instruction ID: a6c0257576be123c9de2b1c04d9d4c8f6eaf111e3753034fcd4362c3a2a402f5
            • Opcode Fuzzy Hash: 48d68b3f621a66e8cf56d4fb28c0dafd9c323fc22038fd4fb1ba1fb695ef11e9
            • Instruction Fuzzy Hash: 3E312638A807187EEF258B758C04BFEBBBBAB5B310F14431FE681925D1C33489959751
            Function 00176415 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0017644B
            • __isleadbyte_l.LIBCMT ref: 00176479
            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 001764A7
            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 001764DD
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
            • String ID:
            • API String ID: 3058430110-0
            • Opcode ID: 86401525a25bb4f5cdef409fb2651255175af72c979b343a8ca36540fa5fd2af
            • Instruction ID: 9a956b4aa911ec8c79aa0872095c1820c21a2eabed49ff92ea83dcab03f0e3ce
            • Opcode Fuzzy Hash: 86401525a25bb4f5cdef409fb2651255175af72c979b343a8ca36540fa5fd2af
            • Instruction Fuzzy Hash: 8A31CF31600A46EFDB258F75CC45BBA7BB5FF41310F198029F86A971A1EB31D891DB90
            Function 001C5175 Relevance: 6.1, APIs: 4, Instructions: 95COMMON
            Download Yara Rule
            APIs
            • GetForegroundWindow.USER32 ref: 001C5189
              • Part of subcall function 001A387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 001A3897
              • Part of subcall function 001A387D: GetCurrentThreadId.KERNEL32 ref: 001A389E
              • Part of subcall function 001A387D: AttachThreadInput.USER32(00000000,?,001A52A7), ref: 001A38A5
            • GetCaretPos.USER32(?), ref: 001C519A
            • ClientToScreen.USER32(00000000,?), ref: 001C51D5
            • GetForegroundWindow.USER32 ref: 001C51DB
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
            • String ID:
            • API String ID: 2759813231-0
            • Opcode ID: 73a23d624888065dbc893d35d0823cbca7ba5bde9fd0604ecfa9e3ba6715a399
            • Instruction ID: 469d1a378065eb9df67f004e93f7235da6b33188d987d00f1693e21563db47f3
            • Opcode Fuzzy Hash: 73a23d624888065dbc893d35d0823cbca7ba5bde9fd0604ecfa9e3ba6715a399
            • Instruction Fuzzy Hash: 01310E71900118AFDB04EFA5C845EEFB7F9EF98300F10406AE415E7251DB759E45CBA0
            Function 001CC788 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00142612: GetWindowLongW.USER32(?,000000EB), ref: 00142623
            • GetCursorPos.USER32(?), ref: 001CC7C2
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0017BBFB,?,?,?,?,?), ref: 001CC7D7
            • GetCursorPos.USER32(?), ref: 001CC824
            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0017BBFB,?,?,?), ref: 001CC85E
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Cursor$LongMenuPopupProcTrackWindow
            • String ID:
            • API String ID: 2864067406-0
            • Opcode ID: d8b3fb83e50b0d16bbf6c0b91d2581c68f8435cfb757109d04872088981b9127
            • Instruction ID: 5315c9f2bdde3d7c7cac044c7bbe2d551859daa85cfa8a1e20a50e0549ad5604
            • Opcode Fuzzy Hash: d8b3fb83e50b0d16bbf6c0b91d2581c68f8435cfb757109d04872088981b9127
            • Instruction Fuzzy Hash: AB318D35600118AFCB15CF58C8A8EEBBBBAEB59310F04406DF9098B661C731DDA1DFA0
            Function 00198B9E Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00198652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00198669
              • Part of subcall function 00198652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00198673
              • Part of subcall function 00198652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00198682
              • Part of subcall function 00198652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00198689
              • Part of subcall function 00198652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0019869F
            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00198BEB
            • _memcmp.LIBCMT ref: 00198C0E
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00198C44
            • HeapFree.KERNEL32(00000000), ref: 00198C4B
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
            • String ID:
            • API String ID: 1592001646-0
            • Opcode ID: 1d0bf9b109bd7cb1abb8898b6d9674ce78b0f69b03dbe7639b6f142599e2b46c
            • Instruction ID: ab004a5a27dbf18f99427847e588dc07ad62102e62f992065b5f6d6a1a585c5e
            • Opcode Fuzzy Hash: 1d0bf9b109bd7cb1abb8898b6d9674ce78b0f69b03dbe7639b6f142599e2b46c
            • Instruction Fuzzy Hash: 75218C71E41208EFDF10DFA4C945BEEB7B8EF45355F19405AE454AB240DB31AE46CB60
            Function 00160BD0 Relevance: 6.1, APIs: 4, Instructions: 79COMMON
            Download Yara Rule
            APIs
            • __setmode.LIBCMT ref: 00160BF2
              • Part of subcall function 00145B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,001A7B20,?,?,00000000), ref: 00145B8C
              • Part of subcall function 00145B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,001A7B20,?,?,00000000,?,?), ref: 00145BB0
            • _fprintf.LIBCMT ref: 00160C29
            • OutputDebugStringW.KERNEL32(?), ref: 00196331
              • Part of subcall function 00164CDA: _flsall.LIBCMT ref: 00164CF3
            • __setmode.LIBCMT ref: 00160C5E
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
            • String ID:
            • API String ID: 521402451-0
            • Opcode ID: 45e48f154c4b5f5ab83e18155fb15acac3abdf01d71a8ec2504aa82e4b3a4137
            • Instruction ID: 2b24be12653871e6d5330e5ee0f3004ff11c999f9e190f5a82a77601c0bd2558
            • Opcode Fuzzy Hash: 45e48f154c4b5f5ab83e18155fb15acac3abdf01d71a8ec2504aa82e4b3a4137
            • Instruction Fuzzy Hash: 5E1129329042047FCB09B7B4AC879BF7B69DFA5320F14015AF104972D2EF215DA697A5
            Function 001B1A5B Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON
            Download Yara Rule
            APIs
            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 001B1A97
              • Part of subcall function 001B1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 001B1B40
              • Part of subcall function 001B1B21: InternetCloseHandle.WININET(00000000), ref: 001B1BDD
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Internet$CloseConnectHandleOpen
            • String ID:
            • API String ID: 1463438336-0
            • Opcode ID: ef53c24edc3167bbe4cbde2600fe3ff2201e7d6bf7df3d814264674d1c227d21
            • Instruction ID: 80b5ff785f8fb01ec204d9ddf503d93419bdfc04157d78e6829e8e4c84d2bb6f
            • Opcode Fuzzy Hash: ef53c24edc3167bbe4cbde2600fe3ff2201e7d6bf7df3d814264674d1c227d21
            • Instruction Fuzzy Hash: 6621CF31200604BFDB159F60CC15FFABBBAFF58700F52001AFA0196660EB31E8259BA4
            Function 0019E1AF Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 68stringCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 0019F5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,0019E1C4,?,?,?,0019EFB7,00000000,000000EF,00000119,?,?), ref: 0019F5BC
              • Part of subcall function 0019F5AD: lstrcpyW.KERNEL32(00000000,?,?,0019E1C4,?,?,?,0019EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0019F5E2
              • Part of subcall function 0019F5AD: lstrcmpiW.KERNEL32(00000000,?,0019E1C4,?,?,?,0019EFB7,00000000,000000EF,00000119,?,?), ref: 0019F613
            • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0019EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0019E1DD
            • lstrcpyW.KERNEL32(00000000,?,?,0019EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0019E203
            • lstrcmpiW.KERNEL32(00000002,cdecl,?,0019EFB7,00000000,000000EF,00000119,?,?,00000000), ref: 0019E237
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: lstrcmpilstrcpylstrlen
            • String ID: cdecl
            • API String ID: 4031866154-3896280584
            • Opcode ID: f51dbcaf76aeff7cbfe59e5425127b4deb5430b375bf6747e4cbc6c388e6efc9
            • Instruction ID: a8a16f29e84bcda59aa3eeab3fe030057c52e74c67e7697f62ce46523f723240
            • Opcode Fuzzy Hash: f51dbcaf76aeff7cbfe59e5425127b4deb5430b375bf6747e4cbc6c388e6efc9
            • Instruction Fuzzy Hash: 05118E3A200345EFDF25AF64DC45E7A77A9FF89750B44402AF806CB260EB71D851D7A0
            Function 00175332 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE
            Download Yara Rule
            APIs
            • _free.LIBCMT ref: 00175351
              • Part of subcall function 0016594C: __FF_MSGBANNER.LIBCMT ref: 00165963
              • Part of subcall function 0016594C: __NMSG_WRITE.LIBCMT ref: 0016596A
              • Part of subcall function 0016594C: RtlAllocateHeap.NTDLL(00BB0000,00000000,00000001,00000000,?,?,?,00161013,?), ref: 0016598F
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: AllocateHeap_free
            • String ID:
            • API String ID: 614378929-0
            • Opcode ID: 44b65616f0bd533597b9eb21f3e25b35017e2b65b387d3b1cdc01be501035fe4
            • Instruction ID: 876b657d53d0e352d209912a8285a25666727cdd009f34b3782986cb2afdbedc
            • Opcode Fuzzy Hash: 44b65616f0bd533597b9eb21f3e25b35017e2b65b387d3b1cdc01be501035fe4
            • Instruction Fuzzy Hash: 0C11E732904A15AFCB213F70AC0466D3BA6BF203A0F20852AF909961B1DFF589918760
            Function 00144531 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON
            Download Yara Rule
            APIs
            • _memset.LIBCMT ref: 00144560
              • Part of subcall function 0014410D: _memset.LIBCMT ref: 0014418D
              • Part of subcall function 0014410D: _wcscpy.LIBCMT ref: 001441E1
              • Part of subcall function 0014410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 001441F1
            • KillTimer.USER32(?,00000001,?,?), ref: 001445B5
            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 001445C4
            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 0017D6CE
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
            • String ID:
            • API String ID: 1378193009-0
            • Opcode ID: 118ce74942efcc3c2fb58c2d2201c92c640b1d0c0eea57572a6fb20eaeb48fa9
            • Instruction ID: e122f7f0563351709653b06ebc5b63003593c1fd658177e988c11c95b42c3c70
            • Opcode Fuzzy Hash: 118ce74942efcc3c2fb58c2d2201c92c640b1d0c0eea57572a6fb20eaeb48fa9
            • Instruction Fuzzy Hash: FC21C9B0904788AFEB328B24DC59BE7BFFD9F11304F04409DE69E5A251C7745A85CB51
            Function 001A40B1 Relevance: 6.1, APIs: 4, Instructions: 65fileCOMMON
            Download Yara Rule
            APIs
            • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 001A40D1
            • _memset.LIBCMT ref: 001A40F2
            • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 001A4144
            • CloseHandle.KERNEL32(00000000), ref: 001A414D
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CloseControlCreateDeviceFileHandle_memset
            • String ID:
            • API String ID: 1157408455-0
            • Opcode ID: f553f8c4f90f6e8c194d6a21cfbfb566e673516074ac6646d6754be0b228c9d9
            • Instruction ID: d498413c7a87d9d484c92e5c57a04ac80eca4cf56645a934b12b1ad55ac7bba5
            • Opcode Fuzzy Hash: f553f8c4f90f6e8c194d6a21cfbfb566e673516074ac6646d6754be0b228c9d9
            • Instruction Fuzzy Hash: 3611CA759012287AD7309BA5AC4DFEBBB7CEF85760F1041AAF908D7180D7748E84CBA4
            Function 001B667C Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00145B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,001A7B20,?,?,00000000), ref: 00145B8C
              • Part of subcall function 00145B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,001A7B20,?,?,00000000,?,?), ref: 00145BB0
            • gethostbyname.WSOCK32(?), ref: 001B66AC
            • WSAGetLastError.WSOCK32(00000000), ref: 001B66B7
            • _memmove.LIBCMT ref: 001B66E4
            • inet_ntoa.WSOCK32(?), ref: 001B66EF
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
            • String ID:
            • API String ID: 1504782959-0
            • Opcode ID: a0099e1f2ee96a201477ec49cf54af8a692106115620e87bf185481aa4a0ceb1
            • Instruction ID: e8e3e2a616ff5b550f4d79ab83479b54dda9d379b71711caac29297ee3a91a73
            • Opcode Fuzzy Hash: a0099e1f2ee96a201477ec49cf54af8a692106115620e87bf185481aa4a0ceb1
            • Instruction Fuzzy Hash: FB116D35500509AFCF04EBA4DD86DEEB7BAEF64310B148069F506A7272DF30AE44CB61
            Function 00199023 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00199043
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00199055
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0019906B
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00199086
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: fdbd39189732e23a92e414d75823ac5c2699404cd74196a450822df4c4c6c24c
            • Instruction ID: 3ae946f48e1026d518b307b02db3db6b28fb19e0a5733b574430c93fd708bd47
            • Opcode Fuzzy Hash: fdbd39189732e23a92e414d75823ac5c2699404cd74196a450822df4c4c6c24c
            • Instruction Fuzzy Hash: DA113A79901218BFDF10DFA9C984E9DBB78FB48310F204095E914B7250D7726E50DB90
            Function 00141290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00142612: GetWindowLongW.USER32(?,000000EB), ref: 00142623
            • DefDlgProcW.USER32(?,00000020,?), ref: 001412D8
            • GetClientRect.USER32(?,?), ref: 0017B84B
            • GetCursorPos.USER32(?), ref: 0017B855
            • ScreenToClient.USER32(?,?), ref: 0017B860
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Client$CursorLongProcRectScreenWindow
            • String ID:
            • API String ID: 4127811313-0
            • Opcode ID: 14c5201e00bce37e2c625b06108fe3fc885437c4c7198e1f8475ff835ef8688f
            • Instruction ID: 8ed43000cfe86410db504ea02f657edc72a8e958424c3e560da48956145a96da
            • Opcode Fuzzy Hash: 14c5201e00bce37e2c625b06108fe3fc885437c4c7198e1f8475ff835ef8688f
            • Instruction Fuzzy Hash: 0F114C35A00119BFCB00DF94D889DFE7BB9FB15300F60445AF901E7161D770BA928BA5
            Function 001A1652 Relevance: 6.1, APIs: 4, Instructions: 51sleepCOMMON
            Download Yara Rule
            APIs
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,001A01FD,?,001A1250,?,00008000), ref: 001A166F
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,001A01FD,?,001A1250,?,00008000), ref: 001A1694
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,001A01FD,?,001A1250,?,00008000), ref: 001A169E
            • Sleep.KERNEL32(?,?,?,?,?,?,?,001A01FD,?,001A1250,?,00008000), ref: 001A16D1
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CounterPerformanceQuerySleep
            • String ID:
            • API String ID: 2875609808-0
            • Opcode ID: 2594d7de0beaab996a3d976b08d82b5881464a37a3dcd347150d73334b71cbe0
            • Instruction ID: 1fbd9dab477ec4c474d9c985203b97aa5197fac55fd99cd6aac5e8f157669e40
            • Opcode Fuzzy Hash: 2594d7de0beaab996a3d976b08d82b5881464a37a3dcd347150d73334b71cbe0
            • Instruction Fuzzy Hash: A9117C35C0091CEBCF049FA5D848AEEBF78FF0A701F49405AE948F2240CB7095A08BD6
            Function 00177207 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE
            Download Yara Rule
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
            • String ID:
            • API String ID: 3016257755-0
            • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
            • Instruction ID: 84c287e5594554ca0b8a8a230526b557bca4cf4e6cf536ce48a212eb7d67202d
            • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
            • Instruction Fuzzy Hash: 76018C3204818ABBCF165E84CC018EE3F32BF29354F198625FA2C58072C737C9B1AB81
            Function 001CB57F Relevance: 6.0, APIs: 4, Instructions: 47COMMON
            Download Yara Rule
            APIs
            • GetWindowRect.USER32(?,?), ref: 001CB59E
            • ScreenToClient.USER32(?,?), ref: 001CB5B6
            • ScreenToClient.USER32(?,?), ref: 001CB5DA
            • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 001CB5F5
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ClientRectScreen$InvalidateWindow
            • String ID:
            • API String ID: 357397906-0
            • Opcode ID: e5e7e6cd4444e758eecf4c6f760de259094d45304226eeb9e56689fd71f1fd5e
            • Instruction ID: c0976b8246f4cedd9883c6136b0540c96ea3c69aac1d1e4c2270e0748ebb71a7
            • Opcode Fuzzy Hash: e5e7e6cd4444e758eecf4c6f760de259094d45304226eeb9e56689fd71f1fd5e
            • Instruction Fuzzy Hash: 011146B5D04209EFDB41CF99C484AEEFBB5FB18310F104166E954E3620D735AA558F50
            Function 001CB8EF Relevance: 6.0, APIs: 4, Instructions: 40processCOMMON
            Download Yara Rule
            APIs
            • _memset.LIBCMT ref: 001CB8FE
            • _memset.LIBCMT ref: 001CB90D
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00207F20,00207F64), ref: 001CB93C
            • CloseHandle.KERNEL32 ref: 001CB94E
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _memset$CloseCreateHandleProcess
            • String ID:
            • API String ID: 3277943733-0
            • Opcode ID: 3dfc975c4255651c551eb9350a5804b62380960a4d58490e43d6cee75c777694
            • Instruction ID: bd53a7814f637d28bfaaa5cdda05a2d468bd6b76f8c23eff4856dfdca75c8e73
            • Opcode Fuzzy Hash: 3dfc975c4255651c551eb9350a5804b62380960a4d58490e43d6cee75c777694
            • Instruction Fuzzy Hash: 24F05EB29483417BE3102761AC0EFBB3A5CEB18354F004025BB08D6593DB71A91187A8
            Function 001A6E7C Relevance: 6.0, APIs: 4, Instructions: 33COMMON
            Download Yara Rule
            APIs
            • EnterCriticalSection.KERNEL32(?), ref: 001A6E88
              • Part of subcall function 001A794E: _memset.LIBCMT ref: 001A7983
            • _memmove.LIBCMT ref: 001A6EAB
            • _memset.LIBCMT ref: 001A6EB8
            • LeaveCriticalSection.KERNEL32(?), ref: 001A6EC8
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CriticalSection_memset$EnterLeave_memmove
            • String ID:
            • API String ID: 48991266-0
            • Opcode ID: 2678749aca50569f81a7a490db0c14c0577502e39856c16dcb5edcaa21f1ba5b
            • Instruction ID: d81665356cbae84dc4da4f60b8af3d995e7a2c87885eaff1271ba58f3b479f2e
            • Opcode Fuzzy Hash: 2678749aca50569f81a7a490db0c14c0577502e39856c16dcb5edcaa21f1ba5b
            • Instruction Fuzzy Hash: FEF0543A104200BBCF016F55DC85E4ABB2AEF55320B04C065FE089E227C731E951CBB4
            Function 001CC00C Relevance: 6.0, APIs: 4, Instructions: 31COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 001412F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0014134D
              • Part of subcall function 001412F3: SelectObject.GDI32(?,00000000), ref: 0014135C
              • Part of subcall function 001412F3: BeginPath.GDI32(?), ref: 00141373
              • Part of subcall function 001412F3: SelectObject.GDI32(?,00000000), ref: 0014139C
            • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 001CC030
            • LineTo.GDI32(00000000,?,?), ref: 001CC03D
            • EndPath.GDI32(00000000), ref: 001CC04D
            • StrokePath.GDI32(00000000), ref: 001CC05B
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
            • String ID:
            • API String ID: 1539411459-0
            • Opcode ID: cf11bd033101db6673ed61e53c4fe89e19854c2f1426b4d243540fe9ebbc191e
            • Instruction ID: 225b9e8169c6bc161e26d2bfc7e725b007ba7e8ce16bf41bdd395d89769c2a7d
            • Opcode Fuzzy Hash: cf11bd033101db6673ed61e53c4fe89e19854c2f1426b4d243540fe9ebbc191e
            • Instruction Fuzzy Hash: 38F0BE31000219BBDB122F50AC0EFCE3F5AAF15710F148008FA11610E287B589B6CBD5
            Function 0019A37C Relevance: 6.0, APIs: 4, Instructions: 30threadwindowtimeCOMMON
            Download Yara Rule
            APIs
            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0019A399
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 0019A3AC
            • GetCurrentThreadId.KERNEL32 ref: 0019A3B3
            • AttachThreadInput.USER32(00000000), ref: 0019A3BA
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
            • String ID:
            • API String ID: 2710830443-0
            • Opcode ID: 3b2d1775168876822f0271e0c278cc99d4d83f7200b439a53986e167ac191a48
            • Instruction ID: d2c9a2391ddb3fc4e17445e1e1db8664236bd637bda6e879eee4a4189d7a1ffe
            • Opcode Fuzzy Hash: 3b2d1775168876822f0271e0c278cc99d4d83f7200b439a53986e167ac191a48
            • Instruction Fuzzy Hash: 44E03931541238BADB201BA2DC0CED73F1DFF167A1F408029F90884460C771C685CBE0
            Function 00142218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON
            Download Yara Rule
            APIs
            • GetSysColor.USER32(00000008), ref: 00142231
            • SetTextColor.GDI32(?,000000FF), ref: 0014223B
            • SetBkMode.GDI32(?,00000001), ref: 00142250
            • GetStockObject.GDI32(00000005), ref: 00142258
            • GetWindowDC.USER32(?,00000000), ref: 0017C0D3
            • GetPixel.GDI32(00000000,00000000,00000000), ref: 0017C0E0
            • GetPixel.GDI32(00000000,?,00000000), ref: 0017C0F9
            • GetPixel.GDI32(00000000,00000000,?), ref: 0017C112
            • GetPixel.GDI32(00000000,?,?), ref: 0017C132
            • ReleaseDC.USER32(?,00000000), ref: 0017C13D
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
            • String ID:
            • API String ID: 1946975507-0
            • Opcode ID: 3628e08e7bcc58756348909637fce5c31e05af69b193982a8827e86b0ad9c269
            • Instruction ID: 3e62412fe26c889f46ed8e4870d15fc4073efe8675b634575e5279fd521da695
            • Opcode Fuzzy Hash: 3628e08e7bcc58756348909637fce5c31e05af69b193982a8827e86b0ad9c269
            • Instruction Fuzzy Hash: 5AE03932100244EEDB215FA4FC09BD83F21EB15332F18836AFA69480E187B189C1DB51
            Function 00198C5A Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON
            Download Yara Rule
            APIs
            • GetCurrentThread.KERNEL32 ref: 00198C63
            • OpenThreadToken.ADVAPI32(00000000,?,?,?,0019882E), ref: 00198C6A
            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0019882E), ref: 00198C77
            • OpenProcessToken.ADVAPI32(00000000,?,?,?,0019882E), ref: 00198C7E
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CurrentOpenProcessThreadToken
            • String ID:
            • API String ID: 3974789173-0
            • Opcode ID: dee49ed94c64ba7198067797cfbae437e7322e1b37984858ee170e4a76a57e1b
            • Instruction ID: bea9b3a36853aeb0d516b89c6534347fe2e1806940c97c74af90c18d1b0a0209
            • Opcode Fuzzy Hash: dee49ed94c64ba7198067797cfbae437e7322e1b37984858ee170e4a76a57e1b
            • Instruction Fuzzy Hash: 9BE04F76642211ABDB205FB06D0CF973FAAEF51BA2F04482CB645C9040DA34C486CB61
            Function 00182187 Relevance: 6.0, APIs: 4, Instructions: 20COMMON
            Download Yara Rule
            APIs
            • GetDesktopWindow.USER32 ref: 00182187
            • GetDC.USER32(00000000), ref: 00182191
            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 001821B1
            • ReleaseDC.USER32(?), ref: 001821D2
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: 53d9959eb7cd7fbfd9c4ade649ababea40dc85831473063c85b868430209aa5a
            • Instruction ID: 268ef2e5ca5472994a51a16e0cdf5a441ec31039e628173bc38ab20075dd90c5
            • Opcode Fuzzy Hash: 53d9959eb7cd7fbfd9c4ade649ababea40dc85831473063c85b868430209aa5a
            • Instruction Fuzzy Hash: 95E01AB5800224EFDB019F60C808A9D7FF2EB5C351F218429F95A97760CB3891829F40
            Function 0018219B Relevance: 6.0, APIs: 4, Instructions: 19COMMON
            Download Yara Rule
            APIs
            • GetDesktopWindow.USER32 ref: 0018219B
            • GetDC.USER32(00000000), ref: 001821A5
            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 001821B1
            • ReleaseDC.USER32(?), ref: 001821D2
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: 57fe650e4d749d1dad94463344d1606b9408ac31ec26c571171e8f60d5dd2d17
            • Instruction ID: 1f5648408e185b2f1c2a57105c0c2ad98bcef88fdd22bdf42502f0aab912d619
            • Opcode Fuzzy Hash: 57fe650e4d749d1dad94463344d1606b9408ac31ec26c571171e8f60d5dd2d17
            • Instruction Fuzzy Hash: 03E09AB5800214AFCB519F70D808A9D7FF6EB5C351F118429F95A97760DB7895829F40
            Function 001BB1B7 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: __itow_s
            • String ID: xr $xr
            • API String ID: 3653519197-2518022337
            • Opcode ID: 1d093b1d1dc29bc770bc5064bc66cdbcb373fb7f685bcf811f3dcd0d2b88e8eb
            • Instruction ID: defb884bec3e95cb33581d19a4308c41b000c5daa2d7f39b282be295a827d959
            • Opcode Fuzzy Hash: 1d093b1d1dc29bc770bc5064bc66cdbcb373fb7f685bcf811f3dcd0d2b88e8eb
            • Instruction Fuzzy Hash: E4B17170A04209AFDB24DF54C8D1EEEB7B9FF58300F148499F9459B692DBB0E941CB60
            Function 0019B7B6 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 241comCOMMON
            Download Yara Rule
            APIs
            • OleSetContainedObject.OLE32(?,00000001), ref: 0019B981
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ContainedObject
            • String ID: AutoIt3GUI$Container
            • API String ID: 3565006973-3941886329
            • Opcode ID: 65b6bcd3647eba9f4579b3e6faeb15e87d4dd84799199e852293c390e1bab1ab
            • Instruction ID: fb38382667cbadba678c02aa3b1e2825b70fa5ebcd20a290312780af08ddccb3
            • Opcode Fuzzy Hash: 65b6bcd3647eba9f4579b3e6faeb15e87d4dd84799199e852293c390e1bab1ab
            • Instruction Fuzzy Hash: 51915B70604601AFDB24DF68D984B6ABBF9FF48710F14856EF94ACB691DB70E841CB50
            Function 001AB217 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 0015FEC6: _wcscpy.LIBCMT ref: 0015FEE9
              • Part of subcall function 00149997: __itow.LIBCMT ref: 001499C2
              • Part of subcall function 00149997: __swprintf.LIBCMT ref: 00149A0C
            • __wcsnicmp.LIBCMT ref: 001AB298
            • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 001AB361
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
            • String ID: LPT
            • API String ID: 3222508074-1350329615
            • Opcode ID: 37e300768aca545b3a4f5c5c035d218e4ca62589acfaab8668d35e82f23860a5
            • Instruction ID: 39dcdfa2622a8e1c0c61edd516ee80567021f9185fb32616f6309e97fddac242
            • Opcode Fuzzy Hash: 37e300768aca545b3a4f5c5c035d218e4ca62589acfaab8668d35e82f23860a5
            • Instruction Fuzzy Hash: FD617F79A04255AFCF18DF94C881EAEB7B4FF19310F11446AF946AB292DB70AE44CB50
            Function 00152AB7 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON
            Download Yara Rule
            APIs
            • Sleep.KERNEL32(00000000), ref: 00152AC8
            • GlobalMemoryStatusEx.KERNEL32(?), ref: 00152AE1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: GlobalMemorySleepStatus
            • String ID: @
            • API String ID: 2783356886-2766056989
            • Opcode ID: 86a1ac08a3c180834c1db7d6832e25448cfe274e137bf685dc1e354fef0e281d
            • Instruction ID: 0b847720c5366cc3827d08e20bbb5e724aae11fd5538ed7a09fc701ab5912222
            • Opcode Fuzzy Hash: 86a1ac08a3c180834c1db7d6832e25448cfe274e137bf685dc1e354fef0e281d
            • Instruction Fuzzy Hash: F55144724187449BD320AF50DC86BAFBBE8FF94310F92885DF1D9421A2DB318569CB26
            Function 001A99BE Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 0014506B: __fread_nolock.LIBCMT ref: 00145089
            • _wcscmp.LIBCMT ref: 001A9AAE
            • _wcscmp.LIBCMT ref: 001A9AC1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: _wcscmp$__fread_nolock
            • String ID: FILE
            • API String ID: 4029003684-3121273764
            • Opcode ID: ab70ed736cf65c4af2f9e68080368a02c384b8b977b6d9002869cbb9981dff16
            • Instruction ID: db23bfcc38319e9fab1aec47cd7e76a2c3dedd7facca0219957aba69563fe0a6
            • Opcode Fuzzy Hash: ab70ed736cf65c4af2f9e68080368a02c384b8b977b6d9002869cbb9981dff16
            • Instruction Fuzzy Hash: 2C41F4B5A00619BBDF209AA0CC45FEFBBBEEF46710F100079B904A7191DB75AA4487B1
            Function 0018099E Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ClearVariant
            • String ID: Dt $Dt
            • API String ID: 1473721057-1420062600
            • Opcode ID: 5f6f0c021bc79a97cb2e385b511ef4cacb30cfe974dae92b38dacf0ecc0ec727
            • Instruction ID: 40226c619cc5fb4027ba8c94854bd9b0ced3672f88ef7c680ede60edeb1cd318
            • Opcode Fuzzy Hash: 5f6f0c021bc79a97cb2e385b511ef4cacb30cfe974dae92b38dacf0ecc0ec727
            • Instruction Fuzzy Hash: 5B51D3B8A483428FD754CF18C484A2ABBF1BF99354F95485DF9858B361E331E885CF82
            Function 001B2882 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON
            Download Yara Rule
            APIs
            • _memset.LIBCMT ref: 001B2892
            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 001B28C8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CrackInternet_memset
            • String ID: |
            • API String ID: 1413715105-2343686810
            • Opcode ID: f9506da4ef2a092126e5958a953d9475a45c403e0130c6238535d12ac1a997f8
            • Instruction ID: 5d9db2f7b6b09ba33e6004d08b29674ae5fbc4a0fb1453ed4814bfb0e0d04dd7
            • Opcode Fuzzy Hash: f9506da4ef2a092126e5958a953d9475a45c403e0130c6238535d12ac1a997f8
            • Instruction Fuzzy Hash: 12312D71800119AFCF01EFA1CC85EEEBFB9FF18350F104069F815A6166EB715A56DBA0
            Function 001C6CD2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON
            Download Yara Rule
            APIs
            • DestroyWindow.USER32(?,?,?,?), ref: 001C6D86
            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 001C6DC2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$DestroyMove
            • String ID: static
            • API String ID: 2139405536-2160076837
            • Opcode ID: eb3ef5bd600a2ef0fe147faf60ca1e04f98cca09eef8f803b5ba9b14c807f5c4
            • Instruction ID: d8ce6b64b0c28a120ba3c927b672dab73b26662f6bb28b3df0f25bfce1bd3e62
            • Opcode Fuzzy Hash: eb3ef5bd600a2ef0fe147faf60ca1e04f98cca09eef8f803b5ba9b14c807f5c4
            • Instruction Fuzzy Hash: 3A316B71200604AADB109F68CC85FFB77A9FF58724F10861DF9AA97190DB31EC92CB60
            Function 001A2D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON
            Download Yara Rule
            APIs
            • _memset.LIBCMT ref: 001A2E00
            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 001A2E3B
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: InfoItemMenu_memset
            • String ID: 0
            • API String ID: 2223754486-4108050209
            • Opcode ID: 9a5a9eb1509ae425eabc4885f244f67d79856ad73f073a880d00f2b21c5ce21c
            • Instruction ID: 493367786d535b52f30db0e474f999d77809a50166800f8c9e8ae957b64f16e4
            • Opcode Fuzzy Hash: 9a5a9eb1509ae425eabc4885f244f67d79856ad73f073a880d00f2b21c5ce21c
            • Instruction Fuzzy Hash: BA310435A00309ABEB258F5CC885BAEBBB9FF06300F14402EE985D62A1E7709984CB50
            Function 001C6943 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON
            Download Yara Rule
            APIs
            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 001C69D0
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001C69DB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: Combobox
            • API String ID: 3850602802-2096851135
            • Opcode ID: c5c8df49f86241b662120648be9c0b296f3612909322680a692355ef94f317c1
            • Instruction ID: f55a936873d329ad52ddbdc00ced597153d51bc42fcf95ac1ff16643cdb9702c
            • Opcode Fuzzy Hash: c5c8df49f86241b662120648be9c0b296f3612909322680a692355ef94f317c1
            • Instruction Fuzzy Hash: 7211B2716002096FEF119E14CC81FBB376AEBA93A8F110228F958972A0D775DC9187A0
            Function 001C6E76 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00141D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00141D73
              • Part of subcall function 00141D35: GetStockObject.GDI32(00000011), ref: 00141D87
              • Part of subcall function 00141D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00141D91
            • GetWindowRect.USER32(00000000,?), ref: 001C6EE0
            • GetSysColor.USER32(00000012), ref: 001C6EFA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Window$ColorCreateMessageObjectRectSendStock
            • String ID: static
            • API String ID: 1983116058-2160076837
            • Opcode ID: 11e80aa8015b5f2cd5e654d4c68441fd4e24447244980a83b7b1e165112a8315
            • Instruction ID: 7c226efef5f43456573955c508d003b40ab0c9f2bea942543d55cb62fa5bd07c
            • Opcode Fuzzy Hash: 11e80aa8015b5f2cd5e654d4c68441fd4e24447244980a83b7b1e165112a8315
            • Instruction Fuzzy Hash: 93212672A1020AAFDB04DFA8DD46EEA7BB9FB18314F00462DF955D3250E734E8619B60
            Function 001C6B8F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON
            Download Yara Rule
            APIs
            • GetWindowTextLengthW.USER32(00000000), ref: 001C6C11
            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 001C6C20
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: LengthMessageSendTextWindow
            • String ID: edit
            • API String ID: 2978978980-2167791130
            • Opcode ID: 341f2b741c0f1c4734b65a5f65ac72b6957c1d9e9322d03c645fa60b3ef3e71f
            • Instruction ID: 89fd38be972bc83dfd83535c729a9a7b693864667ba566c2f48ee8c887a61f31
            • Opcode Fuzzy Hash: 341f2b741c0f1c4734b65a5f65ac72b6957c1d9e9322d03c645fa60b3ef3e71f
            • Instruction Fuzzy Hash: E4118C71600208ABEB108E64DC85FEB3B6AEB24378F204728F965D71E0C775DC919B60
            Function 001A2E9E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON
            Download Yara Rule
            APIs
            • _memset.LIBCMT ref: 001A2F11
            • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 001A2F30
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: InfoItemMenu_memset
            • String ID: 0
            • API String ID: 2223754486-4108050209
            • Opcode ID: 8906e64f4224b7780b947da04755a3bae99461504569ca5bd98b5fa80124b365
            • Instruction ID: 7ae2209e372fed39e215792a6cdeae8baa941339960bae38e68e7864c9f4579b
            • Opcode Fuzzy Hash: 8906e64f4224b7780b947da04755a3bae99461504569ca5bd98b5fa80124b365
            • Instruction Fuzzy Hash: CB11BF79A01214AFDB24EB5CDC48BA977B9EB16310F1940A5EC54A72A2D7B0EE04C791
            Function 001B24CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON
            Download Yara Rule
            APIs
            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 001B2520
            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 001B2549
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Internet$OpenOption
            • String ID: <local>
            • API String ID: 942729171-4266983199
            • Opcode ID: 59b085a48a7aafe52afd549be37adf06234dc59e869176e5a00fcba57ebaa280
            • Instruction ID: 073dceb468c900302f1eb0219eccdcf1c74639d4e8b3c6ab9b174c2f7880f710
            • Opcode Fuzzy Hash: 59b085a48a7aafe52afd549be37adf06234dc59e869176e5a00fcba57ebaa280
            • Instruction Fuzzy Hash: A511C2B0501225BADB389F528C99EFBFF68FF06751F10822AF90556440D3706999DAF0
            Function 001B80A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 55networkCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 001B830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,001B80C8,?,00000000,?,?), ref: 001B8322
            • inet_addr.WSOCK32(00000000), ref: 001B80CB
            • htons.WSOCK32(00000000), ref: 001B8108
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ByteCharMultiWidehtonsinet_addr
            • String ID: 255.255.255.255
            • API String ID: 2496851823-2422070025
            • Opcode ID: 00720e59b78c41fa6432263beda9f597333f30879a3cd254e94bfb877a8b61a4
            • Instruction ID: d3223baadd69b503e9ad00e15620cdf8ea5475bbc02c61790349a84a24e8b7e9
            • Opcode Fuzzy Hash: 00720e59b78c41fa6432263beda9f597333f30879a3cd254e94bfb877a8b61a4
            • Instruction Fuzzy Hash: 1611E174200309ABCB20AF68CC86FFDB769FF14720F10852AF91197292DB72A815C691
            Function 00150A8D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON
            Download Yara Rule
            APIs
            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00143C26,002062F8,?,?,?), ref: 00150ACE
              • Part of subcall function 00147D2C: _memmove.LIBCMT ref: 00147D66
            • _wcscat.LIBCMT ref: 001850E1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: FullNamePath_memmove_wcscat
            • String ID: c
            • API String ID: 257928180-2442103856
            • Opcode ID: c8101f01c01eadc7480c770f67606d4eacc2b59725d2acabdf538b4749faf53a
            • Instruction ID: 27498a1b2ccebbd0dc21f350961bdee366e1794d83b1071b5a5584099a8906ed
            • Opcode Fuzzy Hash: c8101f01c01eadc7480c770f67606d4eacc2b59725d2acabdf538b4749faf53a
            • Instruction Fuzzy Hash: 4B118E38A14208EACB01EBA4DC46ED977B9EF18355B0000A5B998DB291EB70DA988B51
            Function 001992E7 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82
              • Part of subcall function 0019B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0019B0E7
            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00199355
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ClassMessageNameSend_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 372448540-1403004172
            • Opcode ID: 0341a32a80ed182b87e40930cfabaab6f6edf22219884842eb31e9bb37f7ae6d
            • Instruction ID: 133d7f7800f89f7f2bc4954c29b1a814b0c06b989ef7155262c1fc49909a5016
            • Opcode Fuzzy Hash: 0341a32a80ed182b87e40930cfabaab6f6edf22219884842eb31e9bb37f7ae6d
            • Instruction Fuzzy Hash: CD015E71A45228ABCF08EFA4CC929FE7769BF66320B14061DB972572E2DB31590C8660
            Function 001A901B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: __fread_nolock_memmove
            • String ID: EA06
            • API String ID: 1988441806-3962188686
            • Opcode ID: 56345ae35e9d3ed0a0dc10a5b3d926e4feb42072b31b1d6c005f1c9c1c56a610
            • Instruction ID: b525c0371253864393821e748ff21c2e130bb027f93241c6cc3330d3570833bc
            • Opcode Fuzzy Hash: 56345ae35e9d3ed0a0dc10a5b3d926e4feb42072b31b1d6c005f1c9c1c56a610
            • Instruction Fuzzy Hash: A201F9718042187EDB28C7A8CC56EFE7BFC9B11301F00419AF552D2181E679A6148760
            Function 001991DF Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82
              • Part of subcall function 0019B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0019B0E7
            • SendMessageW.USER32(?,00000180,00000000,?), ref: 0019924D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ClassMessageNameSend_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 372448540-1403004172
            • Opcode ID: cb347efa76f6b99f042af37560462322ed2996e8f98b235784dd922c6aa5be70
            • Instruction ID: 454f04ea56de6dd6f3d72436a925ebb5a3681e8aad652790caba2adc3b14f9b9
            • Opcode Fuzzy Hash: cb347efa76f6b99f042af37560462322ed2996e8f98b235784dd922c6aa5be70
            • Instruction Fuzzy Hash: 23018871A4520877CF18E7A4C992EFF77AD9F55300F24001D7516672D1DB115E0C9671
            Function 00199264 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON
            Download Yara Rule
            APIs
              • Part of subcall function 00147F41: _memmove.LIBCMT ref: 00147F82
              • Part of subcall function 0019B0C4: GetClassNameW.USER32(?,?,000000FF), ref: 0019B0E7
            • SendMessageW.USER32(?,00000182,?,00000000), ref: 001992D0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ClassMessageNameSend_memmove
            • String ID: ComboBox$ListBox
            • API String ID: 372448540-1403004172
            • Opcode ID: 92ae5e05c582dfefa56bcd3067caaff211c07b9be60996d14a758b96704edc5b
            • Instruction ID: 15a0908629281e4595d45d46631b5750ca99af2b8e804f9e378bbe48f1fe17a1
            • Opcode Fuzzy Hash: 92ae5e05c582dfefa56bcd3067caaff211c07b9be60996d14a758b96704edc5b
            • Instruction Fuzzy Hash: 8601A2B1E4521877CF04EBA4C982EFF77AC9F21300F240129B912632D2DB215E0C9271
            Function 00166DAE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: __calloc_crt
            • String ID: @R
            • API String ID: 3494438863-1010322380
            • Opcode ID: cd35e809988c7a532fd02f73e30b0e0fc5ebd60711d2d0c0f528e6654b08dc4d
            • Instruction ID: 69ac7e2a816a02ed955da6b176d6226e63ec8684372a0630356312309c5fad1f
            • Opcode Fuzzy Hash: cd35e809988c7a532fd02f73e30b0e0fc5ebd60711d2d0c0f528e6654b08dc4d
            • Instruction Fuzzy Hash: 2EF096713087169FF728DF98FD097A127D9EB10720F10052BFA40DB695EB7088B18684
            Function 001A51CA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON
            Download Yara Rule
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: ClassName_wcscmp
            • String ID: #32770
            • API String ID: 2292705959-463685578
            • Opcode ID: 126f6cdb85f33fd95b7b7f79141cab1cb9ebdb4fbc8257f18eacd6cffb8d2b5a
            • Instruction ID: 2ba175ddce03a649be188519163a0e788147b305a84ecc80bb37fc247b5107fc
            • Opcode Fuzzy Hash: 126f6cdb85f33fd95b7b7f79141cab1cb9ebdb4fbc8257f18eacd6cffb8d2b5a
            • Instruction Fuzzy Hash: 6EE06872A0432C2BE3209B99AC09FA7FBACEF41731F00016BFD14D3040E670AA458BE0
            Function 001981BC Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON
            Download Yara Rule
            APIs
            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 001981CA
              • Part of subcall function 00163598: _doexit.LIBCMT ref: 001635A2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: Message_doexit
            • String ID: AutoIt$Error allocating memory.
            • API String ID: 1993061046-4017498283
            • Opcode ID: 43200bb7bfff0f06005cacc4f5a94c3982ff0f6ae189f08f1f1598f7543f535f
            • Instruction ID: 56363e36136e1600ecafda71b025ef37e5b63258d0d42c27d337ce37faa2c5fb
            • Opcode Fuzzy Hash: 43200bb7bfff0f06005cacc4f5a94c3982ff0f6ae189f08f1f1598f7543f535f
            • Instruction Fuzzy Hash: 6AD05B323C536C36D61433A86D07FC579484B25B51F144426BB08965D38FD199D252D9
            Function 0017B511 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON
            Download Yara Rule
            APIs
              • Part of subcall function 0017B564: _memset.LIBCMT ref: 0017B571
              • Part of subcall function 00160B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,0017B540,?,?,?,0014100A), ref: 00160B89
            • IsDebuggerPresent.KERNEL32(?,?,?,0014100A), ref: 0017B544
            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0014100A), ref: 0017B553
            Strings
            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0017B54E
            Memory Dump Source
            • Source File: 00000000.00000002.1729099565.0000000000141000.00000020.00000001.01000000.00000003.sdmp, Offset: 00140000, based on PE: true
            • Associated: 00000000.00000002.1729045524.0000000000140000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001CF000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729182440.00000000001F5000.00000002.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729227700.00000000001FF000.00000004.00000001.01000000.00000003.sdmpDownload File
            • Associated: 00000000.00000002.1729245253.0000000000208000.00000002.00000001.01000000.00000003.sdmpDownload File
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_140000_Salary_Receipt.jbxd
            Similarity
            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
            • API String ID: 3158253471-631824599
            • Opcode ID: bc849cafa47d8bd248952b4b5ddb223421e9f43979ec6ff0813bdccac6aa54f4
            • Instruction ID: a43be29f1917e8b2c4f8916f89c1edc310f307e4e390a8954f710793db636306
            • Opcode Fuzzy Hash: bc849cafa47d8bd248952b4b5ddb223421e9f43979ec6ff0813bdccac6aa54f4
            • Instruction Fuzzy Hash: DAE06DB02047508FD321DF29E9487467BF4AF04B48F00C92CE44AC3661DBB4D445CBA1