Edit tour

Windows Analysis Report
debit-note-19-08-dn-2024.exe

Overview

General Information

Sample name:	debit-note-19-08-dn-2024.exe
Analysis ID:	1499056
MD5:	5133f0baa9ab594674eae836fd1491c7
SHA1:	389ab5a5e7ed520406265e0a1adc14d5ff478c4a
SHA256:	e13fd3d42fb6c63fcf7780701282f760bd4aaa6ad1cdb55cc586e1aca8caaf2a
Tags:	exe
Infos:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Machine Learning detection for sample

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

debit-note-19-08-dn-2024.exe (PID: 6616 cmdline: "C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe" MD5: 5133F0BAA9AB594674EAE836FD1491C7)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: debit-note-19-08-dn-2024.exe PID: 6616	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: debit-note-19-08-dn-2024.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for sample

Source: debit-note-19-08-dn-2024.exe

Joe Sandbox ML: detected

Source: debit-note-19-08-dn-2024.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: debit-note-19-08-dn-2024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_004057D0 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004057D0
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_0040628B FindFirstFileW,FindClose,	0_2_0040628B
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_00402770 FindFirstFileW,	0_2_00402770

Source: debit-note-19-08-dn-2024.exe

String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

Code function: 0_2_00405331 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405331

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

Code function: 0_2_083B2260 NtAllocateVirtualMemory,

0_2_083B2260

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

Code function: 0_2_0040335A EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_0040335A

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_00404B6E	0_2_00404B6E
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_0040659D	0_2_0040659D
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_08373819	0_2_08373819
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_08391E02	0_2_08391E02
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_08382A72	0_2_08382A72
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_083735AA	0_2_083735AA
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_083AE29B	0_2_083AE29B
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_083B24C9	0_2_083B24C9
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_083AEB33	0_2_083AEB33
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_08381516	0_2_08381516
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_08382D17	0_2_08382D17
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_08373771	0_2_08373771
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_083AD351	0_2_083AD351
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_083735AA	0_2_083735AA
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_083ADF9A	0_2_083ADF9A
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_083AD9CB	0_2_083AD9CB

Source: debit-note-19-08-dn-2024.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.troj.evad.winEXE@1/10@0/0

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

Code function: 0_2_00404635 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404635

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

Code function: 0_2_0040206A CoCreateInstance,

0_2_0040206A

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

File created: C:\Users\user\brugerlicensaftalerne

Jump to behavior

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

File created: C:\Users\user\AppData\Local\Temp\nsq44F0.tmp

Jump to behavior

Source: debit-note-19-08-dn-2024.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: debit-note-19-08-dn-2024.exe

ReversingLabs: Detection: 50%

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

File read: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

Jump to behavior

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

File written: C:\Users\user\AppData\Local\Temp\tmc.ini

Jump to behavior

Source: debit-note-19-08-dn-2024.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: Process Memory Space: debit-note-19-08-dn-2024.exe PID: 6616, type: MEMORYSTR

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

Code function: 0_2_004062B2 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062B2

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_10002DE0 push eax; ret	0_2_10002E0E
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_07F1C7AF push 00000063h; ret	0_2_07F1C7B1
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_083735AA push edx; iretd	0_2_0838013A
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_07F2135A push eax; iretd	0_2_07F2135B
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_07F1D55C push cs; iretd	0_2_07F1D55D
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_07F1ED5C push cs; iretd	0_2_07F1ED5D
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_07F1FD5C push cs; iretd	0_2_07F1FD5D
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_07F2055C push cs; iretd	0_2_07F2055D
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_07F1FB47 push cs; iretd	0_2_07F1FB5D
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_07F1EB4A push cs; iretd	0_2_07F1EB5D
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_07F2034D push cs; iretd	0_2_07F2035D
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_07F1D11F pushfd ; ret	0_2_07F1D120
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_083AC91E push es; iretd	0_2_083AC9E7
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_0838A55C push es; iretd	0_2_0838A5A2
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_07F1F072 pushfd ; ret	0_2_07F1F07F
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_07F20878 pushfd ; retf	0_2_07F2087F
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_07F20466 pushfd ; iretd	0_2_07F2047F
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_083735AA push edx; iretd	0_2_0838013A
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_07F20647 push cs; iretd	0_2_07F2065D
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_07F2004A push cs; iretd	0_2_07F2005D
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_07F1E84A push cs; iretd	0_2_07F1E85D
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_07F1F84A push cs; iretd	0_2_07F1F85D
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_07F1FE4A push cs; iretd	0_2_07F1FE5D

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

File created: C:\Users\user\AppData\Local\Temp\nso4DFA.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

RDTSC instruction interceptor: First address: 837375C second address: 837375C instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F88E11DC97Fh 0x00000006 test dx, ax 0x00000009 inc ebp 0x0000000a cmp edi, 251CB53Ch 0x00000010 inc ebx 0x00000011 cmp ebx, ecx 0x00000013 rdtsc

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

Code function: 0_2_083735AA rdtsc

0_2_083735AA

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nso4DFA.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_004057D0 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_004057D0
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_0040628B FindFirstFileW,FindClose,	0_2_0040628B
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	Code function: 0_2_00402770 FindFirstFileW,	0_2_00402770

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	API call chain: ExitProcess graph end node			graph_0-6672
Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe	API call chain: ExitProcess graph end node			graph_0-6677

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

Code function: 0_2_083735AA rdtsc

0_2_083735AA

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

Code function: 0_2_08373819 LdrInitializeThunk,

0_2_08373819

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

Code function: 0_2_004062B2 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_004062B2

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

Code function: 0_2_0838A55C mov eax, dword ptr fs:[00000030h]

0_2_0838A55C

Source: C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe

Code function: 0_2_00405F6A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405F6A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
debit-note-19-08-dn-2024.exe	50%	ReversingLabs	Win32.Trojan.Guloader
debit-note-19-08-dn-2024.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nso4DFA.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	debit-note-19-08-dn-2024.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1499056
Start date and time:	2024-08-26 15:22:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	debit-note-19-08-dn-2024.exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@1/10@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 52 Number of non-executed functions: 46
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.190.159.71, 20.190.159.23, 40.126.31.73, 20.190.159.68, 20.190.159.64, 40.126.31.67, 40.126.31.71, 20.190.159.2
Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.trafficmanager.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
VT rate limit hit for: debit-note-19-08-dn-2024.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nso4DFA.tmp\System.dll	HE9306_AWBLaser_Single240812144358.exe	Get hash	malicious	GuLoader	Browse
	HE9306_AWBLaser_Single240812144358.exe	Get hash	malicious	GuLoader	Browse
	z41_EX24-772_24.exe	Get hash	malicious	GuLoader	Browse
	z41_EX24-772_24.exe	Get hash	malicious	GuLoader	Browse
	_EX24-772_24341300EX00314559_ARI TEKST#U0130L_KontrolCiktisiEkliListe.exe	Get hash	malicious	FormBook, GuLoader	Browse
	_EX24-772_24341300EX00314559_ARI TEKST#U0130L_KontrolCiktisiEkliListe.exe	Get hash	malicious	GuLoader	Browse
	PROJRCTS_INQUIRY_SPECIFICATIONS_DRAWING_SAMPLES.exe	Get hash	malicious	GuLoader	Browse
	PROJRCTS_INQUIRY_SPECIFICATIONS_DRAWING_SAMPLES.exe	Get hash	malicious	GuLoader	Browse
	2024090533201.exe	Get hash	malicious	Remcos, GuLoader	Browse
	2024090533201.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\App.ini

Download File

Process:	C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	49
Entropy (8bit):	4.75216571132969
Encrypted:	false
SSDEEP:	3:a6QLQIfLBJXlFGfv:xQkIPeH
MD5:	797DA95245047A54F125FBF3B19FA295
SHA1:	9E46F51C033836343C4099609F35B9B62C290A00
SHA-256:	A047914D1DB23829E36D3A2A908D83F4B51F5A8194AE090BB9F9AB9F8DDA9128
SHA-512:	4755C72A469C7C816D7B4A08BFEABFC266AAD029156A301E2592E3AFD16C5DB5FCE44C4475CB83C43B859A06AD069370182FCA5CAFACF4A27D191F4C0AE34A03
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Loading]..Start=user32::EnumWindows(i r2 ,i 0)..

C:\Users\user\AppData\Local\Temp\nso4DFA.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.656006343879828
Encrypted:	false
SSDEEP:	192:eP24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35OlbSl:T8QIl975eXqlWBrz7YLOlb
MD5:	3E6BF00B3AC976122F982AE2AADB1C51
SHA1:	CAAB188F7FDC84D3FDCB2922EDEEB5ED576BD31D
SHA-256:	4FF9B2678D698677C5D9732678F9CF53F17290E09D053691AAC4CC6E6F595CBE
SHA-512:	1286F05E6A7E6B691F6E479638E7179897598E171B52EB3A3DC0E830415251069D29416B6D1FFC6D7DCE8DA5625E1479BE06DB9B7179E7776659C5C1AD6AA706
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: HE9306_AWBLaser_Single240812144358.exe, Detection: malicious, Browse Filename: HE9306_AWBLaser_Single240812144358.exe, Detection: malicious, Browse Filename: z41_EX24-772_24.exe, Detection: malicious, Browse Filename: z41_EX24-772_24.exe, Detection: malicious, Browse Filename: _EX24-772_24341300EX00314559_ARI TEKST#U0130L_KontrolCiktisiEkliListe.exe, Detection: malicious, Browse Filename: _EX24-772_24341300EX00314559_ARI TEKST#U0130L_KontrolCiktisiEkliListe.exe, Detection: malicious, Browse Filename: PROJRCTS_INQUIRY_SPECIFICATIONS_DRAWING_SAMPLES.exe, Detection: malicious, Browse Filename: PROJRCTS_INQUIRY_SPECIFICATIONS_DRAWING_SAMPLES.exe, Detection: malicious, Browse Filename: 2024090533201.exe, Detection: malicious, Browse Filename: 2024090533201.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L....n3T...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsq44F1.tmp

Download File

Process:	C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe
File Type:	data
Category:	dropped
Size (bytes):	425059
Entropy (8bit):	6.492264923451216
Encrypted:	false
SSDEEP:	6144:qRP7Sfw7mc55PPLrSwwPxUEf9BUWrTQAyCY4xZyL4i/yrlmh2suWOOufV5a:4P7IcLNwHUWnO4fyL4jrlmhbuXC
MD5:	56074DE62B2FE4CCC5906532BF729C62
SHA1:	352E7F71C32F6B974CEE9BE59DCBEA1257EB37BD
SHA-256:	A7022A661A55C0679DF510D460786911EF9DCF090AB0E2BFDF2AEB5776DF1623
SHA-512:	E84667D77854B3996F75FE36F5B49B2FE99AB487FC90F32D45C10A0CDBD432167858F954013EAD56ED23FA386B860E15DCBD205631B40E8872713356FC5B3F08
Malicious:	false
Reputation:	low
Preview:	f.......,...................[...................f...........................................................................................................................................................................................................................................G...J...........e...j.........................................................................................................................................../...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmc.ini

Download File

Process:	C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	27
Entropy (8bit):	4.134336113194451
Encrypted:	false
SSDEEP:	3:iGAeSMn:lAeZ
MD5:	7AB6006A78C23C5DEC74C202B85A51A4
SHA1:	C0FF9305378BE5EC16A18127C171BB9F04D5C640
SHA-256:	BDDCBC9F6E35E10FA203E176D28CDB86BA3ADD97F2CFFD2BDA7A335B1037B71D
SHA-512:	40464F667E1CDF9D627642BE51B762245FA62097F09D3739BF94728BC9337E8A296CE4AC18380B1AED405ADB72435A2CD915E3BC37F6840F34781028F3D8AED6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Access]..Setting=Enabled..

C:\Users\user\brugerlicensaftalerne\Anam.Tra

Download File

Process:	C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe
File Type:	data
Category:	dropped
Size (bytes):	13390
Entropy (8bit):	4.527773348664665
Encrypted:	false
SSDEEP:	192:ZIh2g9y8px5TSdP6V5kT+kU3Dr9W2jEk+SlVUDVN:ah2gwQ5TSF6PktgDrQaHDK
MD5:	2A2EBC2FA44FD1D75481C6CAAB1695E4
SHA1:	5A59085A600674418CCFD1B81F6CB58A062D94A7
SHA-256:	3A505BAA89729E166CF0173A702F15DC34592872BDF6A69105D4DC5677DE21CF
SHA-512:	200377184F413650F690D424565B7DEE8DEDBB9E58CC84666BA027C5ABF1EBBC6B75BA8BE697F07F1514C1FEDAAB044A532B5BC93D81A9EDBA466F0E1CBE58CD
Malicious:	false
Reputation:	low
Preview:	.....JJJ.........y.........WWW......................NN..>.??.@@........9.......22......Z...I...k...e...r..>n...e...l...3...2...:.*:...C...r...e...a...t.X.e..>F..Zi...l...e...A...(...m... ...r...4... ...,..$ ...i... ...0...x..F8...0...0...0...0...0..^0...0...,... ...i... ...0...,... ...p.OO ...0...,... ...i... ...4...,... ...i... ...0..9x.W.8..t0...,.GG ...i.s. ...0...)...i.......r...8...q...k.I.e...r...n...e.J.l...3...2...:.yy:..VS.3.e...t...F...i...l...e...P...o..[i...n...t...e...r...(...i... ...r...8...,... ..Vi... ...2...3...0...1...2... ...,... ...i... ...0..L,...i... ...0...)...i.......r...4...q...k...e..^r...n...e...l...3...2...:...:...V...i...r...t...u...a...l...A...l...l...o...c...(...i... ...0...,...i... ..{7...0...5...6...5..@8..8...8...,... ...i..< ...0...x...3...0...0...0..s,... ...i..* ...0..Ox...4...0..=)...p.......r...2...q...k..ye...r...n...e...l...3...2...:...:...R.>.e...a...d...F.\|\|i...l...e...(...i... .D.r...8.SS,... ...i... ...r...2...,... ...i... ...7...0...5...6

C:\Users\user\brugerlicensaftalerne\Isidora\gaadefulde.txt

Download File

Process:	C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	485
Entropy (8bit):	4.232571417138926
Encrypted:	false
SSDEEP:	12:ZvQJDLIkJHTjbxleUuXCrM+loDMsjHoIIFVVUIgib:ZvQvzjlleUuXso9ZWVy6
MD5:	3AF0252A9A2814A66060B5602FEFB22A
SHA1:	C03E5A75AC4B95C5FC3631EA80E3182FBAD4F03B
SHA-256:	2467A15368DFEDFB6156E0C02D2A958DBB18456051665A317CB7628E32FB046F
SHA-512:	3E0CF8FB7D600FD0E228A24163A54F7820B8575AE2D49C048A0D16A923716AF7AD868C4951C09D2C941EABDF9E6EDA081C16A68338BCFDD46CC5A682EC82ED10
Malicious:	false
Reputation:	low
Preview:	tomandstelte haggling hunknsvsens faq indulgentness dermestid daabsfadene spillereglernes hngerv..aktieprotokols overenskomststridige moonwort exion dolkestdslegender.otomian steading thoracomelus spaltedefinitionernes paracelsist stikkel urkokkens disuses sunniest counterlighted spadeformede depreciative coset..snnekonens soundings karotiner dutte.scoparin unglittery bdestraffes land synkefrdig kadaya..tildragelsers fjerkrfarmenes trailerite differentialize plejeforldre concaves.

C:\Users\user\brugerlicensaftalerne\Isidora\mininetwork.bil

Download File

Process:	C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe
File Type:	data
Category:	dropped
Size (bytes):	34424
Entropy (8bit):	3.2127370751221456
Encrypted:	false
SSDEEP:	768:XeemGABJJ8rAL0xf2NDjhS8t5L/bKNEwLeRmQTid9:XeXfBJarAL0IlVSutjed9
MD5:	357C239C8A128101281301765FAE888E
SHA1:	C06BA64C77BA6E06E4AEF81076946E2E14475719
SHA-256:	BDFD76CAC29B8F8C3852AE9332E26BAD07838999BC81F50A05CC9513A5DF661F
SHA-512:	A2B185AF74AAAB903DC7B34FB7C9017D01FA44F0FDB903E3FB68EEE88F783AD5DC9D73731A37B181C911C036950BE193794105250BC277F9F7A38ED0DCDA81A5
Malicious:	false
Reputation:	low
Preview:	................z.-...............,..........s.....+.......@..,.......+n.$........f....H.........u..y..................t.......]...............$..........................\|..............<'........n.........RD.......vk...................b.....g........+..........&t...8....&......6.$'...,.............v.0........................e...]./.........,...............................@..G.............../................................-....8.........l.............&S..e...............%.........[\|.....A............j.....%............r..........l...........................:.....f7.................................[.......................M.............................g.....n...................h......................7...............1...D...............!....0....b.........!..}.......4......................H...........a......0......................rzG......$.....ty.[..8....t..........................ix[... ..#X~.....................Z_................ ............b.....W...Hq................9....2......

C:\Users\user\brugerlicensaftalerne\Photostatting.bak

Download File

Process:	C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe
File Type:	data
Category:	dropped
Size (bytes):	284395
Entropy (8bit):	7.494018575020684
Encrypted:	false
SSDEEP:	6144:nfw7mc55PPLrSwwPxUEf9BUWrTQAyCY4xZyL4i/yrlmh2sr:fcLNwHUWnO4fyL4jrlmhbr
MD5:	9CFDB6FACB7D10B9AA1C82CDBB445F33
SHA1:	391C6DBE051F1ABD8B77D8627C9883E9392485AC
SHA-256:	0171AB74E03848F6A071617FCC12849E3A61BD966A74A3C94796B7C8041BDA53
SHA-512:	6C4DAB89FDEDDFB1DA2976EE33B7FE315763CC117351CEC59F0B2E0804B06EA543E0552DF5C2BC987D277B938F9B1DA42A857E63E2FC162CE84B47918C496A46
Malicious:	false
Preview:	.....vv......P.X......)))........ii............a......................S..........%%..........;;;;.......................................mmm...^^......"".p........j.........!....HH........XX.........FF..........e........ccccc......v......................bb..{.....[..............h..........n.........HH...............$$$$...............4....X.aa..................Q.@......22.........)................V.................888888....................................###...[[...'........................\|\|.qq....ccc.................................555..........KKK.......=..<.^^..F............{{.^....U...................==.3........................666...".P..-.............%%%............{{{{{{{...11........T...............................................44444.....B...........ll.=.....................X.....................\.....0000..........f........K...hh...........SS.........;.E.N..........._.''..z....l.......T..!!.ww.......777.............A......................W.Q...../...........R.oo..K..NNN.0..

C:\Users\user\brugerlicensaftalerne\armless.ude

Download File

Process:	C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe
File Type:	DIY-Thermocam raw data (Lepton 3.x), scale 211-0, spot sensor temperature -2251799813685248.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 8589934592.000000
Category:	dropped
Size (bytes):	46432
Entropy (8bit):	3.2136461621363517
Encrypted:	false
SSDEEP:	768:ASGyNzhlBd5sdPN1A1Qh0prboupWEK6zFx+UHd:n7lBd5QNw9ok/Fx39
MD5:	AE7B67A58B022BEFCC6C3B1922A12AE3
SHA1:	ADBF63E7714B4968A236C3BFDC6EBB1ED24DD996
SHA-256:	6EE65A08717947BA0023F0ABC4E60A08E1A638C067D8DCC9CA7B0645859D916F
SHA-512:	712018BDF5981A0601728BF4FC2A27971F13E0DAC6AA4774957B91D9631DBCF81B66B85D4216ABA34B243DBD0402FB7BFB11A92B3566278CA7DAC057C1A455CC
Malicious:	false
Preview:	......._h1....................Q.................Z..........a.....!...........W8........%..w.................G........................7.......... .7......e..........................................s...'.....................................y............&i..................H........:...........`....d....%@S.\|~....T.........<....4...................j..................................................E...N...e.....x.k...5X........................7.........O-.................................Y."...!.......-................o......4........n..d.................f......./........................7......V...>.....y...C......<.......-.......................4........................)..............................&.w........./.3..........n..u...;......Ad......E...~.....o...~..................................w.................c........."..........\......B..x.........\|...>..B.............................0.....E......."...................rB.................................?....................4.xP....

C:\Users\user\brugerlicensaftalerne\buxus.bog

Download File

Process:	C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe
File Type:	data
Category:	dropped
Size (bytes):	26080
Entropy (8bit):	3.20612396093193
Encrypted:	false
SSDEEP:	384:p7ctcY4i68lGFjVq4cPpf3NNMG63AzpZWoI64ICEaHFf8CXvRU:pgtgrsGFY4Q3DL63AzpZc+s00pU
MD5:	6843BC02ED836FABDD0C402C93BD6070
SHA1:	8CA940C30AAFD3E2B41A54A98E3359A7E70F6F01
SHA-256:	E8500F97DC807D1A6FFA7D6EC3001C51281398B6BA21DFB66418D4D193E31FFB
SHA-512:	8995001C1662F7D4BD43EBF2DA40AC17513419FC150901E45E14A72EEF58A032D1F70CAFFED893BEF0AB360968BD132472D2171B3C3C790D8796DAA4A34E2E59
Malicious:	false
Preview:	.........`...................'...2........... .#.................8.................x........&....=.......F...."..........x.+....0e.T..........................)........K........z.R..Y....Qr.......................+..........>.$.%....,..5................S....zg.....'.....$......+..D..................M........s........3.....................X...........F.......................D..........................v....3....E.....A....._...................................`............ ....i.....................Q.........._........................C.E...T................................N.....I{.......F........4....k................................................x....[......L........................................#..xt.3......J..................................4....6................................^..R......_...........}..\|....._......................8......./..............................................U...............G................u.2..........o.......&........+.........M..............;........

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.93777579175851
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	debit-note-19-08-dn-2024.exe
File size:	330'962 bytes
MD5:	5133f0baa9ab594674eae836fd1491c7
SHA1:	389ab5a5e7ed520406265e0a1adc14d5ff478c4a
SHA256:	e13fd3d42fb6c63fcf7780701282f760bd4aaa6ad1cdb55cc586e1aca8caaf2a
SHA512:	0b1be90e58591907084f7262c60b0fb92de18bce2ad5e47aaa3592a9795a7c4d0fd4301c58427588361ac626cd19f59ba1c362b41765765e0b3d1e093fe427e3
SSDEEP:	6144:XW+7+eMMKlVXkYuF6ECJ4D3aJ6SXfBBJEh3LO3Arcp:XRLKlVXREC2qJLX/JU3yz
TLSH:	7B6412427ACBC13AFBC25A30DB66DE7AF2B6D604052603473F216FF52931286C569367
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.j........PE..L....n3T.................`.........Z3.......p....@

File Icon


Icon Hash:	3d2e0f95332b3399

Static PE Info

General

Entrypoint:	0x40335a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x54336EB4 [Tue Oct 7 04:40:20 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e221f4f7d36469d53810a4b5f9fc8966

Entrypoint Preview

Instruction
sub esp, 000002D8h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+18h], ebp
mov dword ptr [esp+10h], 00409230h
mov dword ptr [esp+14h], ebp
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070BCh]
push ebp
call dword ptr [004072ACh]
push 00000009h
mov dword ptr [004292B8h], eax
call 00007F88E0B836BAh
mov dword ptr [00429204h], eax
push ebp
lea eax, dword ptr [esp+38h]
push 000002B4h
push eax
push ebp
push 004206A8h
call dword ptr [0040717Ch]
push 0040937Ch
push 00428200h
call 00007F88E0B83325h
call dword ptr [00407134h]
mov ebx, 00434000h
push eax
push ebx
call 00007F88E0B83313h
push ebp
call dword ptr [0040710Ch]
push 00000022h
mov dword ptr [00429200h], eax
pop edi
mov eax, ebx
cmp word ptr [00434000h], di
jne 00007F88E0B807A9h
mov esi, edi
mov eax, 00434002h
push esi
push eax
call 00007F88E0B82D63h
push eax
call dword ptr [00407240h]
mov ecx, eax
mov dword ptr [esp+1Ch], ecx
jmp 00007F88E0B8089Bh
push 00000020h
pop edx
cmp ax, dx
jne 00007F88E0B807A9h
inc ecx
inc ecx
cmp word ptr [ecx], dx

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7494	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4d000	0xb10	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5ec6	0x6000	60ec0c4d80dd6821cdaced6135eddfd5	False	0.6593424479166666	data	6.438901783265187	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1354	0x1400	2222fe44ebbadbc32af32dfc9c88e48e	False	0.4306640625	data	5.037511188789184	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x202f8	0x600	99cdd6cde9adee6bf3b24ee817b4574b	False	0.4830729166666667	data	3.8340327961758165	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x23000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4d000	0xb10	0xc00	254b81c9e7cdc6038a0abfd972e7779c	False	0.4134114583333333	data	4.250827316191816	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4d1c0	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.42473118279569894
RT_DIALOG	0x4d4a8	0x100	data	English	United States	0.5234375
RT_DIALOG	0x4d5a8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x4d6c8	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x4d790	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x4d7f0	0x14	data	English	United States	1.2
RT_MANIFEST	0x4d808	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	09:23:04
Start date:	26/08/2024
Path:	C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe"
Imagebase:	0x400000
File size:	330'962 bytes
MD5 hash:	5133F0BAA9AB594674EAE836FD1491C7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	12.6%
Dynamic/Decrypted Code Coverage:	28.1%
Signature Coverage:	28.5%
Total number of Nodes:	1820
Total number of Limit Nodes:	46

Executed Functions

Function 0040335A Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 383
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403379
SetErrorMode.KERNELBASE(00008001), ref: 00403384
OleInitialize.OLE32(00000000), ref: 0040338B

Part of subcall function 004062B2: GetModuleHandleA.KERNEL32(?,?,00000020,0040339D,00000009), ref: 004062C4
Part of subcall function 004062B2: LoadLibraryA.KERNELBASE(?,?,00000020,0040339D,00000009), ref: 004062CF
Part of subcall function 004062B2: GetProcAddress.KERNEL32(00000000,?), ref: 004062E0

SHGetFileInfoW.SHELL32(004206A8,00000000,?,000002B4,00000000), ref: 004033B3

Part of subcall function 00405F48: lstrcpynW.KERNEL32(?,?,00000400,004033C8,00428200,NSIS Error), ref: 00405F55

GetCommandLineW.KERNEL32(00428200,NSIS Error), ref: 004033C8
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe",00000000), ref: 004033DB
CharNextW.USER32(00000000,"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe",00000020), ref: 00403403
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,?), ref: 0040353B
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040354C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403558
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040356C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403574
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403585
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040358D
DeleteFileW.KERNELBASE(1033), ref: 004035A1
OleUninitialize.OLE32(?), ref: 0040366C
ExitProcess.KERNEL32 ref: 0040368C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp), ref: 00403698
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe",00000000,?), ref: 004036A4
CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 004036B0
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 004036B7
DeleteFileW.KERNEL32(0041FEA8,0041FEA8,?,0042A000,?), ref: 00403711
CopyFileW.KERNEL32(C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe,0041FEA8,00000001), ref: 00403725
CloseHandle.KERNEL32(00000000,0041FEA8,0041FEA8,?,0041FEA8,00000000), ref: 00403752
GetCurrentProcess.KERNEL32(00000028,00000006,00000006,00000005,00000004), ref: 004037AC
ExitWindowsEx.USER32(00000002,80040002), ref: 00403804
ExitProcess.KERNEL32 ref: 00403827

Strings

1033, xrefs: 0040359C
\Temp, xrefs: 00403552
C:\Users\user\brugerlicensaftalerne\Isidora, xrefs: 00403649
C:\Users\user\Desktop, xrefs: 0040369D, 004036A2, 004036C6
C:\Users\user\brugerlicensaftalerne, xrefs: 00403520, 0040363E, 004036BD, 004036C7
~nsu.tmp, xrefs: 00403692
NSIS Error, xrefs: 004033B9
C:\Users\user\AppData\Local\Temp\, xrefs: 00403530, 00403535, 0040354B, 00403557, 00403566, 00403573, 0040357F, 00403587, 00403697, 004036A3, 004036AF, 004036B6, 00403767
Error launching installer, xrefs: 00403623
TMP, xrefs: 00403588
C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe, xrefs: 00403720
"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe", xrefs: 004033CE, 004033D4, 004033EB, 004035C9
Low, xrefs: 0040356E
TEMP, xrefs: 00403580
SeShutdownPrivilege, xrefs: 004037BE
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040336D

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe$C:\Users\user\brugerlicensaftalerne$C:\Users\user\brugerlicensaftalerne\Isidora$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-2806124946
Opcode ID: 4d4429256b2e22e1563bae374a615e4d58d6fbe71fb0bbfbec444303671cea11
Instruction ID: 39938aed3c042d93969ea090ff24049052e59ae08dabad03a7e97e37c14ef613
Opcode Fuzzy Hash: 4d4429256b2e22e1563bae374a615e4d58d6fbe71fb0bbfbec444303671cea11
Instruction Fuzzy Hash: 8AC12670604311AAD720BF659C49A2B3EACEB8574AF10483FF480B62D2D77D9D41CB6E

Function 00405331 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405390
GetDlgItem.USER32(?,000003EE), ref: 0040539F
GetClientRect.USER32(?,?), ref: 004053DC
GetSystemMetrics.USER32(00000015), ref: 004053E4
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 00405405
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405416
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405429
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405437
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040544A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040546C
ShowWindow.USER32(?,00000008), ref: 00405480
GetDlgItem.USER32(?,000003EC), ref: 004054A1
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004054B1
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004054CA
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004054D6
GetDlgItem.USER32(?,000003F8), ref: 004053AE

Part of subcall function 004041CF: SendMessageW.USER32(00000028,?,00000001,00403FFB), ref: 004041DD

GetDlgItem.USER32(?,000003EC), ref: 004054F3
CreateThread.KERNELBASE(00000000,00000000,Function_000052C5,00000000), ref: 00405501
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405508
ShowWindow.USER32(00000000), ref: 0040552C
ShowWindow.USER32(?,00000008), ref: 00405531
ShowWindow.USER32(00000008), ref: 0040557B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004055AF
CreatePopupMenu.USER32 ref: 004055C0
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004055D4
GetWindowRect.USER32(?,?), ref: 004055F4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040560D
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405645
OpenClipboard.USER32(00000000), ref: 00405655
EmptyClipboard.USER32 ref: 0040565B
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405667
GlobalLock.KERNEL32(00000000), ref: 00405671
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405685
GlobalUnlock.KERNEL32(00000000), ref: 004056A5
SetClipboardData.USER32(0000000D,00000000), ref: 004056B0
CloseClipboard.USER32 ref: 004056B6

Strings

{, xrefs: 00405599
&B, xrefs: 00405621

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: {$&B
API String ID: 4154960007-2518801558
Opcode ID: 7775d457d8fde2865fa6d0874cf326612850ae095f4a8d1cd8ac1be61ac30762
Instruction ID: 6f8bb207ab4459f732b66fbe2fdab1c380fd8c459621fe3193bce92f33b6cf64
Opcode Fuzzy Hash: 7775d457d8fde2865fa6d0874cf326612850ae095f4a8d1cd8ac1be61ac30762
Instruction Fuzzy Hash: ECB14A70900208FFDB119F60DD89AAE7B79FB04354F40817AFA05BA1A0C7759E52DF69

Function 00405F6A Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,004216C8,?,00405229,004216C8,00000000,00000000,00000000), ref: 0040602D
GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004060AB
GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 004060BE
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 004060FA
SHGetPathFromIDListW.SHELL32(?,Call), ref: 00406108
CoTaskMemFree.OLE32(?), ref: 00406113
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406137
lstrlenW.KERNEL32(Call,00000000,004216C8,?,00405229,004216C8,00000000,00000000,00000000), ref: 00406191

Strings

Call, xrefs: 00405F94, 00406074, 00406095, 004060AA, 004060BD, 004060D9, 00406104, 00406136, 0040613C, 00406156, 0040616A, 0040618A, 00406190, 0040619C, 004061CF
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406131
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406079

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1230650788
Opcode ID: 1bceb9c34b05b27e3618ed90a195e6464c3aae8e072edacfa9e3722d3d9acc23
Instruction ID: 5a47950f0b5222037037379568de6f858daa6aaa62ae53bcd4b1bc7075dc7fd7
Opcode Fuzzy Hash: 1bceb9c34b05b27e3618ed90a195e6464c3aae8e072edacfa9e3722d3d9acc23
Instruction Fuzzy Hash: DE611571A00105ABDF209F24CC40AAF37A5EF55314F52C13BE956BA2E1D73D4AA2CB5E

Function 004057D0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe"), ref: 004057F9
lstrcatW.KERNEL32(Antegrade\Fravristelse213.Sto226,\*.*), ref: 00405841
lstrcatW.KERNEL32(?,00409014), ref: 00405864
lstrlenW.KERNEL32(?,?,00409014,?,Antegrade\Fravristelse213.Sto226,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe"), ref: 0040586A
FindFirstFileW.KERNELBASE(Antegrade\Fravristelse213.Sto226,?,?,?,00409014,?,Antegrade\Fravristelse213.Sto226,?,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe"), ref: 0040587A
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 0040591A
FindClose.KERNEL32(00000000), ref: 00405929

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004057DE
Antegrade\Fravristelse213.Sto226, xrefs: 00405829, 0040582F, 00405840, 00405879
"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe", xrefs: 004057D9
\*.*, xrefs: 0040583B

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe"$Antegrade\Fravristelse213.Sto226$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-2588867409
Opcode ID: 42d14f137d7c51639dd5450d77468bfd9c1695374b56492c5285f64ee032ed7a
Instruction ID: 2292a97837c012d07e09995a86319137dd3f2048718c0aa8a22e23afcdeedbd0
Opcode Fuzzy Hash: 42d14f137d7c51639dd5450d77468bfd9c1695374b56492c5285f64ee032ed7a
Instruction Fuzzy Hash: BF41C171800914EACF217B668C49BBF7678EB81328F24817BF811761D1D77C4E829E6E

Function 0040628B Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00425738,Antegrade\Fravristelse213.Sto226,00405AE4,Antegrade\Fravristelse213.Sto226,Antegrade\Fravristelse213.Sto226,00000000,Antegrade\Fravristelse213.Sto226,Antegrade\Fravristelse213.Sto226,?,?,75922EE0,004057F0,?,C:\Users\user\AppData\Local\Temp\,75922EE0), ref: 00406296
FindClose.KERNEL32(00000000), ref: 004062A2

Strings

Antegrade\Fravristelse213.Sto226, xrefs: 0040628B
8WB, xrefs: 0040628C

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: 8WB$Antegrade\Fravristelse213.Sto226
API String ID: 2295610775-220311181
Opcode ID: ea398e9f6ccb252cf4d9fa8037675df58843bd33ee06a9524947f1dc2dc69440
Instruction ID: bfad84801e56aa45620b307e7a8f789e26230cc956ed9d1a225fdef78671a1f1
Opcode Fuzzy Hash: ea398e9f6ccb252cf4d9fa8037675df58843bd33ee06a9524947f1dc2dc69440
Instruction Fuzzy Hash: A7D01231A59020ABC6003B38AD0C84B7A989B553317224AB6F426F63E0C37C8C66969D

Function 0040659D Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a31c6952aff2c2d9e3077db5cda77fcb20a4fa1314c68fe29834e6b9dbef6b62
Instruction ID: 2d3234ddcc30eb1b928d1b3f6e05ca322d860fc2e9c12c5c13e3e91ce8371178
Opcode Fuzzy Hash: a31c6952aff2c2d9e3077db5cda77fcb20a4fa1314c68fe29834e6b9dbef6b62
Instruction Fuzzy Hash: 74F17571D04229CBCF28CFA8C8946ADBBB1FF44305F25856ED456BB281D3785A96CF44

Function 004062B2 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,0040339D,00000009), ref: 004062C4
LoadLibraryA.KERNELBASE(?,?,00000020,0040339D,00000009), ref: 004062CF
GetProcAddress.KERNEL32(00000000,?), ref: 004062E0

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
Instruction ID: 6db28869a22d2b590e25977263656b8717a92efcd7e963286bbc5c179789795b
Opcode Fuzzy Hash: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
Instruction Fuzzy Hash: F2E0C236E0C120ABC7225B209E4896B73ACAFE9651305043EF506F6280C774EC229BE9

Function 083B2260 Relevance: 1.5, APIs: 1, Instructions: 32memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 083B2307

Memory Dump Source

Source File: 00000000.00000002.4581430279.0000000007F1C000.00000040.00001000.00020000.00000000.sdmp, Offset: 07F1C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f1c000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 6dc8fe5d2a5a0c5d78cf17b2b1f8c2fee78e4fd8163ea9a95b50814d9d869165
Instruction ID: a0d4a6602652b248dee18972d602444d7b6eff8ebea74b3bcad55c0bda05a8ed
Opcode Fuzzy Hash: 6dc8fe5d2a5a0c5d78cf17b2b1f8c2fee78e4fd8163ea9a95b50814d9d869165
Instruction Fuzzy Hash: EDF03AB160064ACFCF25DEB8C9943CE37A1AFC9356F10462ACA09DFF04DB3499458B00

Function 08373819 Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

\V], xrefs: 083B243A

Memory Dump Source

Source File: 00000000.00000002.4581430279.0000000007F1C000.00000040.00001000.00020000.00000000.sdmp, Offset: 07F1C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f1c000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID: \V]
API String ID: 0-3082944825
Opcode ID: bd68e6966e3a6c76fff631fa09c498e3ad04800ad2a4193d0c204218ea3ea39e
Instruction ID: a812d494fd32b079bb7b240b45a2e8bc79310fe2090acfc7e4ea9d6de6d4c7b2
Opcode Fuzzy Hash: bd68e6966e3a6c76fff631fa09c498e3ad04800ad2a4193d0c204218ea3ea39e
Instruction Fuzzy Hash: A751FE75608781CFD72A9E38C8543DA7BA2EFC1351F14816EDC549FAA2CB358946C781

Function 00403CC2 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403CFE
ShowWindow.USER32(?), ref: 00403D1B
DestroyWindow.USER32 ref: 00403D2F
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403D4B
GetDlgItem.USER32(?,?), ref: 00403D6C
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D80
IsWindowEnabled.USER32(00000000), ref: 00403D87
GetDlgItem.USER32(?,00000001), ref: 00403E35
GetDlgItem.USER32(?,00000002), ref: 00403E3F
SetClassLongW.USER32(?,000000F2,?), ref: 00403E59
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403EAA
GetDlgItem.USER32(?,00000003), ref: 00403F50
ShowWindow.USER32(00000000,?), ref: 00403F71
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F83
EnableWindow.USER32(?,?), ref: 00403F9E
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403FB4
EnableMenuItem.USER32(00000000), ref: 00403FBB
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403FD3
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403FE6
lstrlenW.KERNEL32(004226E8,?,004226E8,00428200), ref: 0040400F
SetWindowTextW.USER32(?,004226E8), ref: 00404023
ShowWindow.USER32(?,0000000A), ref: 00404157

Strings

&B, xrefs: 00403FFB

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: &B
API String ID: 3282139019-3208460036
Opcode ID: df49f6763b05bfa84c1d779e4394ea7a5d72abe941678efbb561a9aecc95dd19
Instruction ID: 615a13079a357bc63dc92eaebf5b97e46402dd0953b19927b77141fc7a078d9b
Opcode Fuzzy Hash: df49f6763b05bfa84c1d779e4394ea7a5d72abe941678efbb561a9aecc95dd19
Instruction Fuzzy Hash: B6C1A371A04201BBDB216F61ED49E2B3AA8FB95705F40093EF601B51F1C7799892DB2E

Function 0040391F Relevance: 52.7, APIs: 16, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004062B2: GetModuleHandleA.KERNEL32(?,?,00000020,0040339D,00000009), ref: 004062C4
Part of subcall function 004062B2: LoadLibraryA.KERNELBASE(?,?,00000020,0040339D,00000009), ref: 004062CF
Part of subcall function 004062B2: GetProcAddress.KERNEL32(00000000,?), ref: 004062E0

GetUserDefaultUILanguage.KERNELBASE(00000002,C:\Users\user\AppData\Local\Temp\,75923420,00000000,"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe"), ref: 00403939

Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C

lstrcatW.KERNEL32(1033,004226E8), ref: 004039A0
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\brugerlicensaftalerne,1033,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A20
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\brugerlicensaftalerne,1033,004226E8,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226E8,00000000), ref: 00403A33
GetFileAttributesW.KERNEL32(Call), ref: 00403A3E
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\brugerlicensaftalerne), ref: 00403A87
RegisterClassW.USER32(004281A0), ref: 00403AC4
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403ADC
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B11
ShowWindow.USER32(00000005,00000000), ref: 00403B47
LoadLibraryW.KERNELBASE(RichEd20), ref: 00403B58
LoadLibraryW.KERNEL32(RichEd32), ref: 00403B63
GetClassInfoW.USER32(00000000,RichEdit20W,004281A0), ref: 00403B73
GetClassInfoW.USER32(00000000,RichEdit,004281A0), ref: 00403B80
RegisterClassW.USER32(004281A0), ref: 00403B89
DialogBoxParamW.USER32(?,00000000,00403CC2,00000000), ref: 00403BA8

Strings

1033, xrefs: 0040393F, 0040399B
RichEd20, xrefs: 00403B53
Call, xrefs: 004039E7, 004039F0, 004039FE, 00403A4D, 00403A53
.exe, xrefs: 00403A2D
C:\Users\user\brugerlicensaftalerne, xrefs: 004039AF, 004039B7, 00403A5A, 00403A60, 00403A70
RichEd32, xrefs: 00403B5E
RichEdit20W, xrefs: 00403B6B, 00403B71
C:\Users\user\AppData\Local\Temp\, xrefs: 0040392B
&B, xrefs: 0040394B
_Nb, xrefs: 00403AA3, 00403B0B
Control Panel\Desktop\ResourceLocale, xrefs: 00403953
"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe", xrefs: 00403922
RichEdit, xrefs: 00403B7A
.DEFAULT\Control Panel\International, xrefs: 0040398B

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\brugerlicensaftalerne$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb$&B
API String ID: 2262724009-3522622930
Opcode ID: 9ff61719f6c30c529665ce4dbc08b581b5599c43b58c29c5b92350d035ae6190
Instruction ID: 309fb0296e4a6d1bba18aa3b2e86eaa258190dfd088e540a173f113b23667d40
Opcode Fuzzy Hash: 9ff61719f6c30c529665ce4dbc08b581b5599c43b58c29c5b92350d035ae6190
Instruction Fuzzy Hash: BE61B570644200BED720AF669C46F2B3A7CEB84749F40457FF945B62E2DB796902CA3D

Function 00402DBC Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DD0
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe,00000400), ref: 00402DEC

Part of subcall function 00405BB4: GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe,80000000,00000003), ref: 00405BB8
Part of subcall function 00405BB4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe,C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe,80000000,00000003), ref: 00402E35
GlobalAlloc.KERNELBASE(00000040,00409230), ref: 00402F7C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00402DC9, 00402F94
Error launching installer, xrefs: 00402E0C
Inst, xrefs: 00402EA3
C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe, xrefs: 00402DD6, 00402DE5, 00402DF9, 00402E16
"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe", xrefs: 00402DC5
C:\Users\user\Desktop, xrefs: 00402E17, 00402E1C, 00402E22
soft, xrefs: 00402EAC
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FC5
Null, xrefs: 00402EB5
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403013

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3322023375
Opcode ID: dbc4309bf9e12582ea8865ce62b28691ef8d5c521c6be9f7d6ce07414c4970ed
Instruction ID: b2cc58b1aa553f56ba66d3b0850f03698e33e3340d89f7fe3e9d1fe3a0eb5287
Opcode Fuzzy Hash: dbc4309bf9e12582ea8865ce62b28691ef8d5c521c6be9f7d6ce07414c4970ed
Instruction Fuzzy Hash: 43610371941205ABDB209FA4DD85B9E3BB8EB04354F20447BF605B72D2C7BC9E418BAD

Function 00401752 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000), ref: 00401793
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\brugerlicensaftalerne\Isidora,?,?,00000031), ref: 004017B8

Part of subcall function 00405F48: lstrcpynW.KERNEL32(?,?,00000400,004033C8,00428200,NSIS Error), ref: 00405F55

Part of subcall function 004051F2: lstrlenW.KERNEL32(004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
Part of subcall function 004051F2: lstrcatW.KERNEL32(004216C8,00402D94), ref: 0040524D
Part of subcall function 004051F2: SetWindowTextW.USER32(004216C8,004216C8), ref: 0040525F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD

Strings

Call, xrefs: 00401770, 00401779, 00401786, 004017A4, 004017DA, 004017F0, 0040180E, 0040184A, 004018CB, 004018D4, 004018DE, 004018E9
C:\Users\user\AppData\Local\Temp\nso4DFA.tmp\System.dll, xrefs: 00401818, 00401834
C:\Users\user\brugerlicensaftalerne\Isidora, xrefs: 00401781
C:\Users\user\AppData\Local\Temp\nso4DFA.tmp, xrefs: 00401804, 00401822

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nso4DFA.tmp$C:\Users\user\AppData\Local\Temp\nso4DFA.tmp\System.dll$C:\Users\user\brugerlicensaftalerne\Isidora$Call
API String ID: 1941528284-3601920934
Opcode ID: 8fd7ff773941625183321c21c1d438156bd1c93f7609a995d7972b8441070f6c
Instruction ID: 22a22a0f5d261001ccd7191b61e6a6ae22ba545f5f0eb33ed6189b5534195358
Opcode Fuzzy Hash: 8fd7ff773941625183321c21c1d438156bd1c93f7609a995d7972b8441070f6c
Instruction Fuzzy Hash: 3341C071900515BACF11BBB5CC86EAF3679EF06369F20423BF422B10E1C73C8A419A6D

Function 00402573 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 004025DB
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402616
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402639
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040264F

Part of subcall function 00405C37: ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00413E90,0040BE90,0040330C,00409230,00409230,004031FE,00413E90,00004000,?,00000000,?), ref: 00405C4B

Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C

Strings

9, xrefs: 004025BE

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: File$ByteCharMultiReadWide$Pointerwsprintf
String ID: 9
API String ID: 1149667376-2366072709
Opcode ID: 14d7a1a443259207830479a75009ee39c6dacd7ae2e8022bb32dc9fb2f0741b6
Instruction ID: 34008a6f5bb5370994306dbe4266d00811a1d2e87b5126a94146f67fdcf6739f
Opcode Fuzzy Hash: 14d7a1a443259207830479a75009ee39c6dacd7ae2e8022bb32dc9fb2f0741b6
Instruction Fuzzy Hash: 0E51E771E04209ABDF24DF94DE88AAEB779FF04304F50443BE511B62D0D7B99A42CB69

Function 004051F2 Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
lstrlenW.KERNEL32(00402D94,004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
lstrcatW.KERNEL32(004216C8,00402D94), ref: 0040524D
SetWindowTextW.USER32(004216C8,004216C8), ref: 0040525F
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 241caa620ce1fcc58b3a3595d79cd8debb0f013b3e7c164dabd01d0a25878295
Instruction ID: 09d17c59ce7287a2cbf3dc662f19c44123261f726eb293d34c68041fb2ac0666
Opcode Fuzzy Hash: 241caa620ce1fcc58b3a3595d79cd8debb0f013b3e7c164dabd01d0a25878295
Instruction Fuzzy Hash: CA21A131900558BBCB219FA5DD849DFBFB8EF54310F14807AF904B62A0C3798A81CFA8

Function 00402331 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236F
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nso4DFA.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238F
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nso4DFA.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023CB
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nso4DFA.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC

Strings

C:\Users\user\AppData\Local\Temp\nso4DFA.tmp, xrefs: 00402380, 0040238E, 004023A5, 004023B5, 004023C0

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nso4DFA.tmp
API String ID: 1356686001-2211028983
Opcode ID: 8805ef30542b3f47b4a39dd0cadf8e155504b39143e93a45ad012f161cb1779c
Instruction ID: 1c964708cf89b7fac74d07524040b6b2ab84de1cfba919da144199f52892a02b
Opcode Fuzzy Hash: 8805ef30542b3f47b4a39dd0cadf8e155504b39143e93a45ad012f161cb1779c
Instruction Fuzzy Hash: A51190B1A00108BEEB11EFA4CD89EAFBB7CEB50358F10443AF505B61D1D7B85E409B29

Function 004015B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405A3E: CharNextW.USER32(?,?,Antegrade\Fravristelse213.Sto226,?,00405AB2,Antegrade\Fravristelse213.Sto226,Antegrade\Fravristelse213.Sto226,?,?,75922EE0,004057F0,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe"), ref: 00405A4C
Part of subcall function 00405A3E: CharNextW.USER32(00000000), ref: 00405A51
Part of subcall function 00405A3E: CharNextW.USER32(00000000), ref: 00405A69

CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\brugerlicensaftalerne\Isidora,?,00000000,000000F0), ref: 00401630

Strings

C:\Users\user\brugerlicensaftalerne\Isidora, xrefs: 00401623

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\brugerlicensaftalerne\Isidora
API String ID: 3751793516-2633333261
Opcode ID: 563658752a320469cbbf05847d38c43e8d4ffc81c57abf02e21dc30b2d994902
Instruction ID: 602e027c19ef8137931421d3e2870900c2c1aa36f58208ee64056e3add0ea48c
Opcode Fuzzy Hash: 563658752a320469cbbf05847d38c43e8d4ffc81c57abf02e21dc30b2d994902
Instruction Fuzzy Hash: 4F11C271904200EBCF206FA0CD449AE7AB4FF14369B34463BF881B62E1D23D49419A6E

Function 00402B7A Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402B9B
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD7
RegCloseKey.ADVAPI32(?), ref: 00402BE0
RegCloseKey.ADVAPI32(?), ref: 00402C05
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C23

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: b547f4a97addcc1e8c82d95905b84b8973278d2723117ef79469a300e8f1f4e9
Instruction ID: 39c85bfe7ca74ada2351cc0a51ccebcd1f3e21716521df4e7e96f28c7df0de5f
Opcode Fuzzy Hash: b547f4a97addcc1e8c82d95905b84b8973278d2723117ef79469a300e8f1f4e9
Instruction Fuzzy Hash: 5B116A31904008FEEF229F90DE89EAE3B7DFB14348F100476FA01B00A0D3B59E51EA69

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D

GlobalFree.KERNEL32(00000000), ref: 10001804
FreeLibrary.KERNEL32(?), ref: 1000187B
GlobalFree.KERNEL32(00000000), ref: 100018A0

Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,00001020), ref: 100022B8

Part of subcall function 10002645: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7

Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020), ref: 100015CD

Strings

, xrefs: 10001881

Memory Dump Source

Source File: 00000000.00000002.4584996770.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4584981457.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4585012105.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4585025776.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: d19b98991503ed1f4222ee02892706a0c20354a75bd4722b3fc13797bb1a772f
Instruction ID: d353a68b508970880cf9150dbe01e0f77130c4103e9cfdf2e47557ee24e57a3c
Opcode Fuzzy Hash: d19b98991503ed1f4222ee02892706a0c20354a75bd4722b3fc13797bb1a772f
Instruction Fuzzy Hash: 5E31BF75804241AAFB14DF749CC9BDA37E8FF053D0F158065FA0A9A08FDF74A9848761

Function 00405E15 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Call,?,00406088,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E3F
RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00406088,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E60
RegCloseKey.KERNELBASE(?,?,00406088,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E83

Strings

Call, xrefs: 00405E18

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Call
API String ID: 3677997916-1824292864
Opcode ID: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
Instruction ID: 600534e839ec184522a2ed62e812a695e1e378dc1a2fe7ff70d8343822b3fb0e
Opcode Fuzzy Hash: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
Instruction Fuzzy Hash: A7015A3114020EEACB218F56EC08EEB3BA8EF54390F00413AF944D2220D334DA64CBE5

Function 00405BE3 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405C01
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403358,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405C1C

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405BE8, 00405BEC
nsa, xrefs: 00405BF0

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-44229769
Opcode ID: c429582aea5e4f3fae6c397ed87dacf02ee6c580567254a7da4e12ab8597e880
Instruction ID: 094b443934c56d738417ad06ce23117a41e39d67b54f0ae1535361756efc6c0b
Opcode Fuzzy Hash: c429582aea5e4f3fae6c397ed87dacf02ee6c580567254a7da4e12ab8597e880
Instruction Fuzzy Hash: 45F09676A04208BBDB009F59DC05E9BB7B8EB91710F10803AEA01E7151E2B0AD448B54

Function 0040317D Relevance: 6.1, APIs: 4, Instructions: 108fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403192

Part of subcall function 0040330F: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE7,?), ref: 0040331D

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00403095,00000004,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000), ref: 004031C5
WriteFile.KERNELBASE(0040BE90,0040C02F,00000000,00000000,00413E90,00004000,?,00000000,?,00403095,00000004,00000000,00000000,?,?), ref: 0040327F
SetFilePointer.KERNELBASE(00004D6E,00000000,00000000,00413E90,00004000,?,00000000,?,00403095,00000004,00000000,00000000,?,?,?,0040300E), ref: 004032D1

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID:
API String ID: 2146148272-0
Opcode ID: 38246e7ae17352d7cedfc7595443620c434811b06811d2a86a618e437c7072d2
Instruction ID: 34320a24581f7621071559271f75aff2a33e70c32c739a51ea230fcf3b1a2f41
Opcode Fuzzy Hash: 38246e7ae17352d7cedfc7595443620c434811b06811d2a86a618e437c7072d2
Instruction Fuzzy Hash: CB418B72504205DFDB109F29EE84AA63BADF74431671441BFE604B22E1C7B96D418BEC

Function 00403326 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 004061DC: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,75923420,00403542), ref: 0040623F
Part of subcall function 004061DC: CharNextW.USER32(?,?,?,00000000), ref: 0040624E
Part of subcall function 004061DC: CharNextW.USER32(?,"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,75923420,00403542), ref: 00406253
Part of subcall function 004061DC: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,75923420,00403542), ref: 00406266

CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403542), ref: 00403347

Strings

1033, xrefs: 0040334E
C:\Users\user\AppData\Local\Temp\, xrefs: 00403327, 0040332C, 00403332, 0040333E, 00403346, 0040334D

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-2030658151
Opcode ID: bbd1dcb3637595afbe6b96ae3bcfafd58112e7b3325432cb54e87bfcccc6df60
Instruction ID: 64a45b222adfb8bd76fd8b495f2d7cf88aee328212c381153bc1e0c9699f7593
Opcode Fuzzy Hash: bbd1dcb3637595afbe6b96ae3bcfafd58112e7b3325432cb54e87bfcccc6df60
Instruction Fuzzy Hash: 22D0C92251AA3135C551372A7D06FCF295C8F0A329F12A477F809B90C2CB7C2A8249FE

Function 004069D2 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba6317b19b7b230722eb11252d44c293277e5dc1cbca2e551617393c5194c9d0
Instruction ID: dca007468fed7c27dd914b546e5ea1ac9ab056a0c62ecf1bea7b7831388965f7
Opcode Fuzzy Hash: ba6317b19b7b230722eb11252d44c293277e5dc1cbca2e551617393c5194c9d0
Instruction Fuzzy Hash: 58A14471E00229DBDF28CFA8C8447ADBBB1FF48305F15816AD856BB281C7785A96CF44

Function 00406BD3 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db87408b1e9cadcd0a4c6ae5b6f4dd47f3337075cb2a4d2d14f0ff51d5c97f6a
Instruction ID: e31ab10654d3133c4bbe562e0396aaf9f668a3464ceaf5ac7e335a669e1e1d03
Opcode Fuzzy Hash: db87408b1e9cadcd0a4c6ae5b6f4dd47f3337075cb2a4d2d14f0ff51d5c97f6a
Instruction Fuzzy Hash: 8E912371E00228CBEF28CF98C8587ADBBB1FF44305F15816AD856BB291C7785A96DF44

Function 004068E9 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 165f4b65d4ff5263617aa106d744e60dbd7c4f5d43725cc52d5e79b0d4499ef2
Instruction ID: e0c60a541a5106e25e0a2f50f35f038ee2aa27f15edb78bccdd8f3c871378321
Opcode Fuzzy Hash: 165f4b65d4ff5263617aa106d744e60dbd7c4f5d43725cc52d5e79b0d4499ef2
Instruction Fuzzy Hash: 2C814471D04228DFDF24CFA8C8487ADBBB1FB45305F25816AD456BB281C7789A96CF44

Function 004063EE Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 148eda801716ed3d9969b88488a2fa3c6a7092fa608051ce9148cc038319d1b3
Instruction ID: c1f18cc480c27d0a28c5d6dc1e8cd9b1e5e62e2ab7f78041d4dc85e199002e6a
Opcode Fuzzy Hash: 148eda801716ed3d9969b88488a2fa3c6a7092fa608051ce9148cc038319d1b3
Instruction Fuzzy Hash: 9B816731D04228DBDF24CFA8C8487ADBBB1FB44305F25816AD856BB2C1C7785A96DF84

Function 0040683C Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4983b507bd6312ae2b30a384a7c44b2e85aa51a10719cb6f4e73ba4d3199020d
Instruction ID: 317a4f11872e46a6f39a96627fb546a7164eb21cb9e645d400dda74b69288846
Opcode Fuzzy Hash: 4983b507bd6312ae2b30a384a7c44b2e85aa51a10719cb6f4e73ba4d3199020d
Instruction Fuzzy Hash: 48713471D04228DFEF24CFA8C8447ADBBB1FB48305F15816AD856BB281C7785A96DF44

Function 0040695A Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02494a79b55f78bffb2877069ace75a440f4ea31aa61c09e76d6a1b36594b02c
Instruction ID: 7b464a411068ed62169f7738ff9b09ef3af2f2625e32a791141ed05019b82bd1
Opcode Fuzzy Hash: 02494a79b55f78bffb2877069ace75a440f4ea31aa61c09e76d6a1b36594b02c
Instruction Fuzzy Hash: A4714571E04228DFEF28CF98C8447ADBBB1FB48301F15816AD456BB281C7785996DF44

Function 004068A6 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e250f200d648af3f0bd61970bfe314c861a6b6aa0b25ddc882d3b39d553e7667
Instruction ID: 924b227091e8338000478ad755e115b80dfeef44851b3a3b0f99ac33e872c674
Opcode Fuzzy Hash: e250f200d648af3f0bd61970bfe314c861a6b6aa0b25ddc882d3b39d553e7667
Instruction Fuzzy Hash: 07713571E04228DBEF28CF98C8447ADBBB1FF44305F15816AD856BB281C7785A96DF44

Function 00403062 Relevance: 4.6, APIs: 3, Instructions: 95fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300E,000000FF,00000000,00000000,00409230,?), ref: 00403088
WriteFile.KERNELBASE(00000000,00413E90,?,000000FF,00000000,00413E90,00004000,00409230,00409230,00000004,00000004,00000000,00000000,?,?), ref: 00403115

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 90118ecf7a9ba7c1b0c512c54543666c71b076bc3a218e086344a49311413f62
Instruction ID: e0bff1d0cfda9ca41153e72f66d50dbc15cd376e58f7be5246e1248deba32b17
Opcode Fuzzy Hash: 90118ecf7a9ba7c1b0c512c54543666c71b076bc3a218e086344a49311413f62
Instruction Fuzzy Hash: A2315971504218EBDF20CF65ED45A9F3FB8EB08755F20807AF904EA1A0D3349E40DBA9

Function 00401F98 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FC3

Part of subcall function 004051F2: lstrlenW.KERNEL32(004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
Part of subcall function 004051F2: lstrcatW.KERNEL32(004216C8,00402D94), ref: 0040524D
Part of subcall function 004051F2: SetWindowTextW.USER32(004216C8,004216C8), ref: 0040525F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD

LoadLibraryExW.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FD4
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402051

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: a26c5c83f9ef2ad83768ff0d809e7d0ff534900b7dfbbf6279fa786ce326c683
Instruction ID: 409458e37c45ac75b59f5eb787cb01d488d5b476e6d1706a1798d0305ac83909
Opcode Fuzzy Hash: a26c5c83f9ef2ad83768ff0d809e7d0ff534900b7dfbbf6279fa786ce326c683
Instruction Fuzzy Hash: A221C571904215F6CF206FA5CE48ADEBAB4AB04358F70427BF610B51E0D7B98E41DA6E

Function 00401B22 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(0060B6B0), ref: 00401B92
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BA4

Strings

Call, xrefs: 00401B49, 00401B4F, 00401B69

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: 6cca73d6d58e2ed98b8b4a396753f334a5877edaabae191e0243757acd9d30f1
Instruction ID: 564068f58b03e261203e6aa09dab7f6fb5d2f7f966de6333b684a5604785f160
Opcode Fuzzy Hash: 6cca73d6d58e2ed98b8b4a396753f334a5877edaabae191e0243757acd9d30f1
Instruction Fuzzy Hash: C02190B2610501ABCB10EBA4DD859AEB3B8EB45318B24443BF141B72D1D77CAC419F6D

Function 00402454 Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402C44: RegOpenKeyExW.ADVAPI32(00000000,00000157,00000000,00000022,00000000,?,?), ref: 00402C6C

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402483
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 00402496
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nso4DFA.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 08eabb2470022ea022f848a6e11dcf38859f7a65a08fdc0a2d34d61b610d36b3
Instruction ID: 26b43d5caf1540d7dd591319e401bc9d0e282b9307c559b8fc2f3b6a2f24773f
Opcode Fuzzy Hash: 08eabb2470022ea022f848a6e11dcf38859f7a65a08fdc0a2d34d61b610d36b3
Instruction Fuzzy Hash: 31F0D1B1A04204AFEB148FA5DE88EBF767CEF80358F10483EF001A21C0D2B85D419B3A

Function 100028A4 Relevance: 3.2, APIs: 2, Instructions: 156COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000), ref: 10002963
GetLastError.KERNEL32 ref: 10002A6A

Memory Dump Source

Source File: 00000000.00000002.4584996770.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4584981457.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4585012105.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4585025776.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: EnumErrorLastWindows
String ID:
API String ID: 14984897-0
Opcode ID: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction ID: 77f315af6c145f6c632c2ebe68d3f6cdb0cf0445c85f86b19d364da59c27affc
Opcode Fuzzy Hash: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction Fuzzy Hash: 8851C4B9905214DFFB20DFA4DD8675937A8EB443D0F22C42AEA04E721DCE34E990CB55

Function 004023E0 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402C44: RegOpenKeyExW.ADVAPI32(00000000,00000157,00000000,00000022,00000000,?,?), ref: 00402C6C

RegQueryValueExW.ADVAPI32(00000000,00000000,?,00000800,?,?,?,?,00000033), ref: 00402411
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nso4DFA.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AC

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 1a9fe0657147e393f528c99050b99d89897384afc5368568bb5e959df579fbef
Instruction ID: d7ada52d2c39296e820c3ca3910a3186400bd00b77f85fef4b18c2a42e671548
Opcode Fuzzy Hash: 1a9fe0657147e393f528c99050b99d89897384afc5368568bb5e959df579fbef
Instruction Fuzzy Hash: 53115171915205EEDB14CFA0C6889AFB6B4EF40359F20843FE042A72D0D6B85A41DB5A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: fdfb5bbf2347fc35bcb13febb1c36166d701c4f92b0c5c73d87b5da78d67bd23
Instruction ID: 092ce593f34d4cefb17b57a654468e4a57f6b0d243feea45f1431905bdcf8400
Opcode Fuzzy Hash: fdfb5bbf2347fc35bcb13febb1c36166d701c4f92b0c5c73d87b5da78d67bd23
Instruction Fuzzy Hash: 6F01F431B24210ABE7295B389C05B6A3698E710314F10863FF911F62F1DA78DC13CB4D

Function 004022D5 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402C44: RegOpenKeyExW.ADVAPI32(00000000,00000157,00000000,00000022,00000000,?,?), ref: 00402C6C

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004022F4
RegCloseKey.ADVAPI32(00000000), ref: 004022FD

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: bd7eda068c5a8c487db824b3b1be550dc0b42a90544fb6549d002859b4f80231
Instruction ID: 38b5be8bce117af921f4e5ecf87b48473febfbb911f594cd731ca38f4e60318c
Opcode Fuzzy Hash: bd7eda068c5a8c487db824b3b1be550dc0b42a90544fb6549d002859b4f80231
Instruction Fuzzy Hash: 30F06272A04210ABEB15AFF59A4EBAE7278DB44318F20453BF201B71D1D5FC5D028A7D

Function 0040156B Relevance: 3.0, APIs: 2, Instructions: 23COMMON

Download Yara Rule

APIs

ShowWindow.USER32(?,?), ref: 0040157F
ShowWindow.USER32(?), ref: 00401594

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 1e38a0853b33b15907667b679b343be273cdd0c0ce8fe50ce9f9d5bc537c9385
Instruction ID: 75f1c009598274424d440b05a3ad8c81c52a8946c909ad9098faf089b9281bcd
Opcode Fuzzy Hash: 1e38a0853b33b15907667b679b343be273cdd0c0ce8fe50ce9f9d5bc537c9385
Instruction Fuzzy Hash: 2DE04FB2B101049BCB64CBA8ED808FEB7A5AB48314B60453FE902B3290C675AC11CF28

Function 00401DC7 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DDD
EnableWindow.USER32(00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: c62722b4de750a969799caa90d9ea8d5cd16caa5ee659d71882de8b6985993d0
Instruction ID: 2c80559432ee8e8f64af81f0c0a70d483a1ba28b218ef0fe4a74e939514edfa0
Opcode Fuzzy Hash: c62722b4de750a969799caa90d9ea8d5cd16caa5ee659d71882de8b6985993d0
Instruction Fuzzy Hash: CEE08CB2B04104DBCB50AFF4AA889DD7378AB90369B20087BF402F10D1C2B86C009A3E

Function 00405BB4 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe,80000000,00000003), ref: 00405BB8
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
Instruction ID: 50e17d5b3030c5d5ce0b1439250f6e41608f831a0cbc2ce1bc41554210f96241
Opcode Fuzzy Hash: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
Instruction Fuzzy Hash: 48D09E71658201EFFF098F20DE16F2EBBA2EB84B00F10562CB656940E0D6715815DB16

Function 004026F9 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 00402713

Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: cb0a79905901771ea4c1f75ea25e576bfed89f1d44749c98cb94dfee4278d200
Instruction ID: 39f0610c8197233a3f531ee04e93b66353018be783afcd240567e016e4194b11
Opcode Fuzzy Hash: cb0a79905901771ea4c1f75ea25e576bfed89f1d44749c98cb94dfee4278d200
Instruction Fuzzy Hash: 29E01AB2B14114AADB01ABE5DD49CFEB66CEB40319F20043BF101F00D1C67959019A7E

Function 00402253 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 0040228A

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: ec4fb41ec1acd106f93cf616f3cd4c0d3577891546256094c6c4aadbcc0c0451
Instruction ID: 4332bbb19f5efe4f35bb732f6f353b7f8865d75a24debaa01da2fd7198b4a795
Opcode Fuzzy Hash: ec4fb41ec1acd106f93cf616f3cd4c0d3577891546256094c6c4aadbcc0c0451
Instruction Fuzzy Hash: 18E04F329041246ADB113EF20E8DE7F31689B44718B24427FF551BA1C2D5BC1D434669

Function 00405C37 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00413E90,0040BE90,0040330C,00409230,00409230,004031FE,00413E90,00004000,?,00000000,?), ref: 00405C4B

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
Instruction ID: 63114739b8f5e766059d8f14c8810c8407dd6dd2a261f9f87ac8566b0288577e
Opcode Fuzzy Hash: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
Instruction Fuzzy Hash: F6E08632104259ABDF10AEA08C04EEB375CEB04350F044436F915E3140D230E9209BA4

Function 100027C7 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5

Memory Dump Source

Source File: 00000000.00000002.4584996770.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4584981457.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4585012105.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4585025776.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19

Function 00402295 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004022C6

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 72cdf40c1bf6f5db5f4d9709fda42ed23ef015487cba6367b71ebc3a35df21ba
Instruction ID: 80fa8228d7b44b53eec3e7c38ed93a9451a1703e345daa2b135a9f68ba926bbf
Opcode Fuzzy Hash: 72cdf40c1bf6f5db5f4d9709fda42ed23ef015487cba6367b71ebc3a35df21ba
Instruction Fuzzy Hash: 38E04F30800204BADB00AFA0CD49EAE3B78BF11344F20843AF581BB0D1E6B895809759

Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: b1f67d0bd68f695adc8489e74b7692cd90077e549d5f6d1bde923581f8f3e0ae
Instruction ID: 73733a4af0cc64661bb0b95da8c6c6dbb498264e8b287c2b288e90457a890fe4
Opcode Fuzzy Hash: b1f67d0bd68f695adc8489e74b7692cd90077e549d5f6d1bde923581f8f3e0ae
Instruction Fuzzy Hash: B8D012B2B08100D7CB10DFE59A08ADDB765AB50329F304A77D111F21D0D2B885419A3A

Function 004041E6 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004041F8

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: b125a5c22b87fd8b2e045755239ffd7a4507a0aeed0b74e9a53f3222272f23b7
Instruction ID: 838c4c0eb33ef43ad7257432987c28a2a788b3f909dd0a51a4998ccc95d90969
Opcode Fuzzy Hash: b125a5c22b87fd8b2e045755239ffd7a4507a0aeed0b74e9a53f3222272f23b7
Instruction Fuzzy Hash: 57C09B717443017BDB308B509D49F1777556754B00F1488397700F50E0CA74E452D62D

Function 0040330F Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE7,?), ref: 0040331D

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction ID: 9708a756cc2c9ae94551e8e9c592081b607f980c3267f7876f2ac268d6c84cd7
Opcode Fuzzy Hash: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction Fuzzy Hash: B8B01231584200BFDA214F00DE05F057B21A790700F10C030B304381F082712420EB5D

Function 004041CF Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00403FFB), ref: 004041DD

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 854be05ff51811c00036400083eb45e7be68dca0691a3475263c9078411ad26b
Instruction ID: c6b71f3973dfff953bb7db756b4a53cf392e498aed0f9e65811aff82f73edd61
Opcode Fuzzy Hash: 854be05ff51811c00036400083eb45e7be68dca0691a3475263c9078411ad26b
Instruction Fuzzy Hash: 81B09235684200BADA214B00ED09F867A62A768701F008864B300240B0C6B244A2DB19

Function 004041BC Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403F94), ref: 004041C6

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 52bdda195f1be107111d33c53c23f47bc3bdbd5ca81d52a4b6bb6385c1bcbce2
Instruction ID: 8b53a25d375a508ca0f68064fdc939b5f25de369c98bd294fc40859475f67141
Opcode Fuzzy Hash: 52bdda195f1be107111d33c53c23f47bc3bdbd5ca81d52a4b6bb6385c1bcbce2
Instruction Fuzzy Hash: 02A01132808000ABCA028BA0EF08C0ABB22BBB8300B008A3AB2008003082320820EB0A

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E6

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 8ba86804e83874a1906e97ec6801ccf3b7d57510e6f7f4a869b12a6ffab4bff6
Instruction ID: 43bd389e684fdc992c114de42b340604c9c8a7aa9960d5983178e32e9e1c03f3
Opcode Fuzzy Hash: 8ba86804e83874a1906e97ec6801ccf3b7d57510e6f7f4a869b12a6ffab4bff6
Instruction Fuzzy Hash: 42D0C9B7B141409BDB50EBB8AE8989B73A8E7913297204C73D942F20A1D178D8029A39

Non-executed Functions

Function 00404B6E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B86
GetDlgItem.USER32(?,00000408), ref: 00404B91
GlobalAlloc.KERNEL32(00000040,?), ref: 00404BDB
LoadBitmapW.USER32(0000006E), ref: 00404BEE
SetWindowLongW.USER32(?,000000FC,00405166), ref: 00404C07
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404C1B
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404C2D
SendMessageW.USER32(?,00001109,00000002), ref: 00404C43
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C4F
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C61
DeleteObject.GDI32(00000000), ref: 00404C64
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C8F
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C9B
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D31
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D5C
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D70
GetWindowLongW.USER32(?,000000F0), ref: 00404D9F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404DAD
ShowWindow.USER32(?,00000005), ref: 00404DBE
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404EBB
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404F20
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404F35
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404F59
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F79
ImageList_Destroy.COMCTL32(?), ref: 00404F8E
GlobalFree.KERNEL32(?), ref: 00404F9E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405017
SendMessageW.USER32(?,00001102,?,?), ref: 004050C0
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004050CF
InvalidateRect.USER32(?,00000000,00000001), ref: 004050EF
ShowWindow.USER32(?,00000000), ref: 0040513D
GetDlgItem.USER32(?,000003FE), ref: 00405148
ShowWindow.USER32(00000000), ref: 0040514F

Strings

, xrefs: 00405127
N, xrefs: 00404DF9
M, xrefs: 00404D18

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: c0ce892580bc14cf4332d57b508c1e8237967f859a0b842146343ba826295983
Instruction ID: c838968d9b53d15d037ad3ebbdc97e0e82191de3b695f5e6670933e8e46a19ea
Opcode Fuzzy Hash: c0ce892580bc14cf4332d57b508c1e8237967f859a0b842146343ba826295983
Instruction Fuzzy Hash: E9026EB0A00209EFDB209F94DC85AAE7BB5FB44314F10857AF610BA2E1C7799D42CF58

Function 00404635 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 265stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404684
SetWindowTextW.USER32(00000000,?), ref: 004046AE
SHBrowseForFolderW.SHELL32(?), ref: 0040475F
CoTaskMemFree.OLE32(00000000), ref: 0040476A
lstrcmpiW.KERNEL32(Call,004226E8,00000000,?,?), ref: 0040479C
lstrcatW.KERNEL32(?,Call), ref: 004047A8
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004047BA

Part of subcall function 00405708: GetDlgItemTextW.USER32(?,?,00000400,004047F1), ref: 0040571B

Part of subcall function 004061DC: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,75923420,00403542), ref: 0040623F
Part of subcall function 004061DC: CharNextW.USER32(?,?,?,00000000), ref: 0040624E
Part of subcall function 004061DC: CharNextW.USER32(?,"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,75923420,00403542), ref: 00406253
Part of subcall function 004061DC: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,75923420,00403542), ref: 00406266

GetDiskFreeSpaceW.KERNEL32(004206B8,?,?,0000040F,?,004206B8,004206B8,?,00000000,004206B8,?,?,000003FB,?), ref: 0040487B
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404896
SetDlgItemTextW.USER32(00000000,00000400,004206A8), ref: 0040490F

Strings

A, xrefs: 00404758
Call, xrefs: 00404796, 0040479B, 004047A6
C:\Users\user\brugerlicensaftalerne, xrefs: 00404785
&B, xrefs: 00404732

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Users\user\brugerlicensaftalerne$Call$&B
API String ID: 2246997448-840817404
Opcode ID: 0ddb93969d7d4b6c2286eeeb01da71e9d9c76c94d99e26f32eb17bb22fa58419
Instruction ID: 6e37369fe6ef7f71d764005b1086c215e28ed7130f32df1ae996be3c53d44702
Opcode Fuzzy Hash: 0ddb93969d7d4b6c2286eeeb01da71e9d9c76c94d99e26f32eb17bb22fa58419
Instruction Fuzzy Hash: A79170F1900219EBDB10AFA1DC85AAF77B8EF85714F10443BF601B62D1D77C9A418B69

Function 083AE29B Relevance: 5.3, Strings: 4, Instructions: 328COMMON

Download Yara Rule

Strings

@NYJ, xrefs: 083914B9
\V], xrefs: 083B243A
5, xrefs: 083913EC
C, xrefs: 08391483

Memory Dump Source

Source File: 00000000.00000002.4581430279.0000000007F1C000.00000040.00001000.00020000.00000000.sdmp, Offset: 07F1C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f1c000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID: 5$@NYJ$C$\V]
API String ID: 0-1467138375
Opcode ID: bc86d0d1d9b6a058160d52c7993bfcc76f40009260e2044a645cf0e7857c6290
Instruction ID: b7c299c7ffe5fee660f4392da570862159187f242fec53a71c5b276364060354
Opcode Fuzzy Hash: bc86d0d1d9b6a058160d52c7993bfcc76f40009260e2044a645cf0e7857c6290
Instruction Fuzzy Hash: B0B18632904259CFDF20CE68C8847DA77B1FF86361F59422EDC88AB655C7349D86CB80

Function 083AEB33 Relevance: 5.3, Strings: 4, Instructions: 268COMMON

Download Yara Rule

Strings

@NYJ, xrefs: 083914B9
\V], xrefs: 083B243A
5, xrefs: 083913EC
C, xrefs: 08391483

Memory Dump Source

Source File: 00000000.00000002.4581430279.0000000007F1C000.00000040.00001000.00020000.00000000.sdmp, Offset: 07F1C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f1c000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID: 5$@NYJ$C$\V]
API String ID: 0-1467138375
Opcode ID: bab15f73c9cf7e303fcc4a99da228337517bdd1a181862b544523f8b8ce96291
Instruction ID: 01c692332c4817058d5bfd494c28687edc3bd69615ad3a7af6b28fa584a45d9e
Opcode Fuzzy Hash: bab15f73c9cf7e303fcc4a99da228337517bdd1a181862b544523f8b8ce96291
Instruction Fuzzy Hash: 1391B936A04355CFDF309EA8C8D87DA37A2BF96352F95402EDD849F652C7748942CB42

Function 08382D17 Relevance: 4.2, Strings: 3, Instructions: 421COMMON

Download Yara Rule

Strings

Jg, xrefs: 0838312A
\V], xrefs: 083B243A
``t, xrefs: 08382FD0

Memory Dump Source

Source File: 00000000.00000002.4581430279.0000000007F1C000.00000040.00001000.00020000.00000000.sdmp, Offset: 07F1C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f1c000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID: ``t$Jg$\V]
API String ID: 0-3519095151
Opcode ID: 9ff7f6e451b52de52b5aaf0cd59f4c806b69bca329cbdfbc63ea7362f036c953
Instruction ID: fd80b92bebde9dd2b183e1722caa2e40fe00eaea772a7c18bdbf88bfea9c8640
Opcode Fuzzy Hash: 9ff7f6e451b52de52b5aaf0cd59f4c806b69bca329cbdfbc63ea7362f036c953
Instruction Fuzzy Hash: C8E18776608345CFDF389E38CD687EB37A2AFD5790F55412EDC899B644C7308A46CA42

Function 083ADF9A Relevance: 4.1, Strings: 3, Instructions: 332COMMON

Download Yara Rule

Strings

X7q, xrefs: 083ADFBF
\V], xrefs: 083B243A
~n, xrefs: 083AE1BD

Memory Dump Source

Source File: 00000000.00000002.4581430279.0000000007F1C000.00000040.00001000.00020000.00000000.sdmp, Offset: 07F1C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f1c000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID: X7q$~n$\V]
API String ID: 0-2304549257
Opcode ID: d4b0f8f56eae113a2b56a839c0f0314b950defeb44ff050763e0025a22a918cd
Instruction ID: aca891aee71396f523345e063e8d56376cb3fba4dfc1c2d8fbef11b94c237908
Opcode Fuzzy Hash: d4b0f8f56eae113a2b56a839c0f0314b950defeb44ff050763e0025a22a918cd
Instruction Fuzzy Hash: 27B17575508399CFCB35EF2988587DA7BA2FF913A1F50812DDC888BA55C7308A86CB51

Function 083AD9CB Relevance: 4.1, Strings: 3, Instructions: 309COMMON

Download Yara Rule

Strings

\V], xrefs: 083B243A
ze, xrefs: 083ADC1E
.VU, xrefs: 083ADB8E

Memory Dump Source

Source File: 00000000.00000002.4581430279.0000000007F1C000.00000040.00001000.00020000.00000000.sdmp, Offset: 07F1C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f1c000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID: .VU$ze$\V]
API String ID: 0-1780004451
Opcode ID: 02cfafb2af4d2147a00961bc5ac73c44607b3bc48719e53df34af3725082f18b
Instruction ID: 6717852deaf1a9e87160864af7cd4f5b9f9b684bc888d257e1df15a050da870f
Opcode Fuzzy Hash: 02cfafb2af4d2147a00961bc5ac73c44607b3bc48719e53df34af3725082f18b
Instruction Fuzzy Hash: 05B14472509789CFDB35DF68C9187EA3BA1FF91311F94812EDC488BA56C7358A42CB42

Function 083AD351 Relevance: 4.0, Strings: 3, Instructions: 274COMMON

Download Yara Rule

Strings

@NYJ, xrefs: 083914B9
5, xrefs: 083913EC
C, xrefs: 08391483

Memory Dump Source

Source File: 00000000.00000002.4581430279.0000000007F1C000.00000040.00001000.00020000.00000000.sdmp, Offset: 07F1C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f1c000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID: 5$@NYJ$C
API String ID: 0-2924726793
Opcode ID: 9bb2a6ee4fb8beac34498d9f5f6ed9096355a63b6b7cc0f32dc12632a82a883c
Instruction ID: 310752a306bb83c343b13e7164d826bc152085687ab2ea2c0965e8b1f6da719e
Opcode Fuzzy Hash: 9bb2a6ee4fb8beac34498d9f5f6ed9096355a63b6b7cc0f32dc12632a82a883c
Instruction Fuzzy Hash: 3E91A976904355CFDF218F6488D53EA7BB1FF96312F4A406EC8999F652D3348A42CB81

Function 0040206A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 123comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407474,?,00000001,00407464,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020BD

Strings

C:\Users\user\brugerlicensaftalerne\Isidora, xrefs: 004020FB

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\brugerlicensaftalerne\Isidora
API String ID: 542301482-2633333261
Opcode ID: c3ac8376005eb2128101160bb39d3078d5e8ab7fad74fdd7db3a3b4458e935d7
Instruction ID: 3f054c58238b343a02ca2e9776fd111f4d7efc3a485c04e582207c90830a0c16
Opcode Fuzzy Hash: c3ac8376005eb2128101160bb39d3078d5e8ab7fad74fdd7db3a3b4458e935d7
Instruction Fuzzy Hash: BC414F75A00105BFCB00DFA4C988EAE7BB5BF49318B20416AF505EF2D1D679AD41CB54

Function 08381516 Relevance: 2.8, Strings: 2, Instructions: 280COMMON

Download Yara Rule

Strings

\V], xrefs: 083B243A
?hNK, xrefs: 08381646

Memory Dump Source

Source File: 00000000.00000002.4581430279.0000000007F1C000.00000040.00001000.00020000.00000000.sdmp, Offset: 07F1C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f1c000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID: ?hNK$\V]
API String ID: 0-1299247497
Opcode ID: 1519a193192b630b474dc756e545c3342d3a27c829a69b371f27eab4c735c86d
Instruction ID: db47a161adf7177306c69399b6793c35135009a60da36fe23f8a10378874f90d
Opcode Fuzzy Hash: 1519a193192b630b474dc756e545c3342d3a27c829a69b371f27eab4c735c86d
Instruction Fuzzy Hash: 6EA122366042958BCF30AE7889547EF77E2AFC6750F55422EDC889B654DB308A82CB42

Function 083B24C9 Relevance: 2.8, Strings: 2, Instructions: 258COMMON

Download Yara Rule

Strings

e);, xrefs: 083B2758
~, xrefs: 083B26B0

Memory Dump Source

Source File: 00000000.00000002.4581430279.0000000007F1C000.00000040.00001000.00020000.00000000.sdmp, Offset: 07F1C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f1c000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID: e);$~
API String ID: 0-3093011733
Opcode ID: 70c29255e394640e30d9e0b57f08dd21191caa1d39200a68671847d7091659d7
Instruction ID: 870d6cf63a8af6519c529afe0854620d8e277cc4b1aff96f01fd3f634acf2922
Opcode Fuzzy Hash: 70c29255e394640e30d9e0b57f08dd21191caa1d39200a68671847d7091659d7
Instruction Fuzzy Hash: EE810176604786CFDB296D38CDB43E63B926F92391F18422ECC848B686D7358446CB52

Function 08382A72 Relevance: 2.7, Strings: 2, Instructions: 181COMMON

Download Yara Rule

Strings

\V], xrefs: 083B243A
)=T, xrefs: 08382A76

Memory Dump Source

Source File: 00000000.00000002.4581430279.0000000007F1C000.00000040.00001000.00020000.00000000.sdmp, Offset: 07F1C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f1c000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID: )=T$\V]
API String ID: 0-798806083
Opcode ID: cfaad1e118a0241d11fc67f09e8facde21e9e24e943019bc05ad9bb3bf385fe8
Instruction ID: 5939b1949a395cc88bcb22bed130d4e746afe453bbf53ea0b2402f01432109ef
Opcode Fuzzy Hash: cfaad1e118a0241d11fc67f09e8facde21e9e24e943019bc05ad9bb3bf385fe8
Instruction Fuzzy Hash: 426145B5604289CFDB34AF288CA97DF33A6AF98350F91412EDC8D9B744D7308A45CB41

Function 00402770 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040277F

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: c29cc584e89206ddd90cc1717f0c3dadd219838f9a220d036a6385bc3b1c76f5
Instruction ID: 2908b39070a7deba1428861388b98b097f8f9174a2682adf846a4f1dff5e2c07
Opcode Fuzzy Hash: c29cc584e89206ddd90cc1717f0c3dadd219838f9a220d036a6385bc3b1c76f5
Instruction Fuzzy Hash: D5F05EB16101149BCB00DBA4DD499BEB378FF04318F3005BAE151F31D0D6B859409B2A

Function 08391E02 Relevance: 1.5, Strings: 1, Instructions: 208COMMON

Download Yara Rule

Strings

\V], xrefs: 083B243A

Memory Dump Source

Source File: 00000000.00000002.4581430279.0000000007F1C000.00000040.00001000.00020000.00000000.sdmp, Offset: 07F1C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f1c000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID: \V]
API String ID: 0-3082944825
Opcode ID: db06de5ffb6c32c9369c4aa4edadae22905a59ceadf3a87eae8c17189a0976aa
Instruction ID: 8ccf9818813631d37154009cbc9a30f633f13b648e3fd0ef3ebd3f22f26a2170
Opcode Fuzzy Hash: db06de5ffb6c32c9369c4aa4edadae22905a59ceadf3a87eae8c17189a0976aa
Instruction Fuzzy Hash: A751EA76B443428FDB228F78CCD17DB7BA5EFC3221B68861ADC8987650C3344946C351

Function 0838A55C Relevance: 1.3, Strings: 1, Instructions: 26COMMON

Download Yara Rule

Strings

2h), xrefs: 0838A563

Memory Dump Source

Source File: 00000000.00000002.4581430279.0000000007F1C000.00000040.00001000.00020000.00000000.sdmp, Offset: 07F1C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f1c000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID: 2h)
API String ID: 0-49650515
Opcode ID: 1d81e17bbff65da7992f0a2259d3f77a25a3219315a7af8a185ffd353359f479
Instruction ID: 53d3d9c651994947db89095e257ba71254d893731d9871cb9bbd3a8b52471194
Opcode Fuzzy Hash: 1d81e17bbff65da7992f0a2259d3f77a25a3219315a7af8a185ffd353359f479
Instruction Fuzzy Hash: 78E068692183C5A7C31F9F349876BA27FF37B8B410714429DE0839F381CD2058C2C652

Function 083735AA Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581430279.0000000007F1C000.00000040.00001000.00020000.00000000.sdmp, Offset: 07F1C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f1c000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb6af94f5a80a8d598b51203bf55d8216076c9ccde46f2866097b61347b3334c
Instruction ID: ebdda14202ad46f4ae6f35e4af32478fa5327978453b9ffb472a57e5b0e38b66
Opcode Fuzzy Hash: eb6af94f5a80a8d598b51203bf55d8216076c9ccde46f2866097b61347b3334c
Instruction Fuzzy Hash: 4DA1EC72508389CFCB39DF7898602EA7FB5EF86355F14456EC8828BA52CB35C54AC781

Function 08373771 Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4581430279.0000000007F1C000.00000040.00001000.00020000.00000000.sdmp, Offset: 07F1C000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7f1c000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52aad167a038e58a6acd28c816ea418b2bde18ccf5ad777fdc080e4d679255a7
Instruction ID: d6b3a336477ed843b3904fdc8447dac65fbd05abc8776290a3441543d2f5a665
Opcode Fuzzy Hash: 52aad167a038e58a6acd28c816ea418b2bde18ccf5ad777fdc080e4d679255a7
Instruction Fuzzy Hash: AB417CA574530A5B9F2C6D2889B23FF32936FD1281B54812FCD4BC7F98DB30C4968512

Function 00404337 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004043D5
GetDlgItem.USER32(?,000003E8), ref: 004043E9
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404406
GetSysColor.USER32(?), ref: 00404417
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404425
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404433
lstrlenW.KERNEL32(?), ref: 00404438
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404445
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040445A
GetDlgItem.USER32(?,0000040A), ref: 004044B3
SendMessageW.USER32(00000000), ref: 004044BA
GetDlgItem.USER32(?,000003E8), ref: 004044E5
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404528
LoadCursorW.USER32(00000000,00007F02), ref: 00404536
SetCursor.USER32(00000000), ref: 00404539
ShellExecuteW.SHELL32(0000070B,open,004271A0,00000000,00000000,00000001), ref: 0040454E
LoadCursorW.USER32(00000000,00007F00), ref: 0040455A
SetCursor.USER32(00000000), ref: 0040455D
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040458C
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040459E

Strings

Call, xrefs: 00404514
N, xrefs: 004044D3
open, xrefs: 00404546

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: Call$N$open
API String ID: 3615053054-2563687911
Opcode ID: 3a3e15a46bcef9b8006e363d6ddaa5c0bc478510f2ba28bfd0355cb20498c547
Instruction ID: 8b9c65ccee0929ae2cd37a550bbe3266d1c56d3aba5277cbe5cc7d17fb3eae84
Opcode Fuzzy Hash: 3a3e15a46bcef9b8006e363d6ddaa5c0bc478510f2ba28bfd0355cb20498c547
Instruction Fuzzy Hash: 19718FB1A00209FFDB109F60DD85A6A7BA9FB94354F00853AFB01B62D1C778AD51CF99

Function 00405C66 Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00425D88,NUL), ref: 00405C76
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,?,00405E0A,?,?,00000001,00405982,?,00000000,000000F1,?), ref: 00405C9A
GetShortPathNameW.KERNEL32(00000000,00425D88,00000400), ref: 00405CA3

Part of subcall function 00405B19: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B29
Part of subcall function 00405B19: lstrlenA.KERNEL32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B5B

GetShortPathNameW.KERNEL32(?,00426588,00000400), ref: 00405CC0
wsprintfA.USER32 ref: 00405CDE
GetFileSize.KERNEL32(00000000,00000000,00426588,C0000000,00000004,00426588,?,?,?,?,?), ref: 00405D19
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405D28
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D60
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425988,00000000,-0000000A,00409560,00000000,[Rename],00000000,00000000,00000000), ref: 00405DB6
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405DC8
GlobalFree.KERNEL32(00000000), ref: 00405DCF
CloseHandle.KERNEL32(00000000), ref: 00405DD6

Part of subcall function 00405BB4: GetFileAttributesW.KERNELBASE(00000003,00402DFF,C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe,80000000,00000003), ref: 00405BB8
Part of subcall function 00405BB4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405BDA

Strings

NUL, xrefs: 00405C70
%ls=%ls, xrefs: 00405CD4
[Rename], xrefs: 00405D48, 00405D5A

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 1265525490-899692902
Opcode ID: 559503feb89d21a9c334d896a0f7a2de64537d5462d12f25622628eabbc9644b
Instruction ID: 10a6a65bcc8db41326b0965a868e5b78be2cc6b43571d182478210b5aa6aebd6
Opcode Fuzzy Hash: 559503feb89d21a9c334d896a0f7a2de64537d5462d12f25622628eabbc9644b
Instruction Fuzzy Hash: E941FE71604A18BFD2206B61AC4CF6B3A6CEF45714F24443BB901B62D2EA78AD018A7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00428200,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: c8f07ac8fddda19ee2bf7cb4f90658f54556206f608d49a47768e3a2d0e378b6
Instruction ID: fcf32cd20748a1213536d9d4e972d5f65e682a1af5e7fde79162f5b09e182029
Opcode Fuzzy Hash: c8f07ac8fddda19ee2bf7cb4f90658f54556206f608d49a47768e3a2d0e378b6
Instruction Fuzzy Hash: D2418B71804249AFCB058FA5DD459BFBBB9FF44310F00852AF561AA1A0C738EA51DFA5

Function 004061DC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,75923420,00403542), ref: 0040623F
CharNextW.USER32(?,?,?,00000000), ref: 0040624E
CharNextW.USER32(?,"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,75923420,00403542), ref: 00406253
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403332,C:\Users\user\AppData\Local\Temp\,75923420,00403542), ref: 00406266

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004061DD, 004061E2
"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe", xrefs: 00406220
*?|<>/":, xrefs: 0040622E

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-883859158
Opcode ID: 1606a10478bcb54d9e464e7e1942e813b7f97a0a03c371f366e1e5ab139a473f
Instruction ID: 5b12d47152ff200ae170f947aa1a5954375b24b0904b9d00ef93706c4e891e75
Opcode Fuzzy Hash: 1606a10478bcb54d9e464e7e1942e813b7f97a0a03c371f366e1e5ab139a473f
Instruction Fuzzy Hash: 1311E61580020295DB303B548C44AB772F8EF95750F42807FED9A732C1E77C5CA286BD

Function 004024EE Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54filestringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nso4DFA.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nso4DFA.tmp\System.dll,00000400,?,?,00000021), ref: 0040252F
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nso4DFA.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nso4DFA.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nso4DFA.tmp\System.dll,00000400,?,?,00000021), ref: 00402536
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nso4DFA.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 00402568

Strings

8, xrefs: 0040250C
C:\Users\user\AppData\Local\Temp\nso4DFA.tmp\System.dll, xrefs: 004024FA, 0040251B, 00402525, 00402535, 0040255C
C:\Users\user\AppData\Local\Temp\nso4DFA.tmp, xrefs: 00402528

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: ByteCharFileMultiWideWritelstrlen
String ID: 8$C:\Users\user\AppData\Local\Temp\nso4DFA.tmp$C:\Users\user\AppData\Local\Temp\nso4DFA.tmp\System.dll
API String ID: 1453599865-760636321
Opcode ID: 6125aa081e30e47da40ee1c37d73e388ad7d86d91ab132d95cfa165a77b7831e
Instruction ID: a0446c0b0672562d506aa58c1ab7e20caafec20b23fb80a76c6cc5bad6f3e06b
Opcode Fuzzy Hash: 6125aa081e30e47da40ee1c37d73e388ad7d86d91ab132d95cfa165a77b7831e
Instruction Fuzzy Hash: C0015271A44214FFD700AFB09E8AEAB7278AF51719F20453BB102B61D1D6BC5E419A2D

Function 00404201 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040421E
GetSysColor.USER32(00000000), ref: 0040423A
SetTextColor.GDI32(?,00000000), ref: 00404246
SetBkMode.GDI32(?,?), ref: 00404252
GetSysColor.USER32(?), ref: 00404265
SetBkColor.GDI32(?,?), ref: 00404275
DeleteObject.GDI32(?), ref: 0040428F
CreateBrushIndirect.GDI32(?), ref: 00404299

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction ID: b52404dbcc62fb778985b33cde271554a932a1fc376a4a1675ca0a40f23ca1f0
Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction Fuzzy Hash: B821A4B1A04704ABCB219F68DD08B4B7BF8AF80700F04896DFD91E22E1C338E804CB65

Function 004027B5 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 00402809
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402825
GlobalFree.KERNEL32(FFFFFD66), ref: 0040285E
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402870
GlobalFree.KERNEL32(00000000), ref: 00402877
CloseHandle.KERNEL32(?,?,?,?,?,?,000000F0), ref: 0040288F
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 004028A3

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 175540e7daea46f04fdcb39c2d6b9fb6ccbbe72b81495e9a418fab8b18cc96be
Instruction ID: c76d0c3f0677147b44531d70e17f5e21854c5a6159b3e076b4812541e28699f2
Opcode Fuzzy Hash: 175540e7daea46f04fdcb39c2d6b9fb6ccbbe72b81495e9a418fab8b18cc96be
Instruction Fuzzy Hash: C931BF72C00118BBDF11AFA5CE49DAF7E79EF04324F20423AF510762E1C6796E418BA9

Function 00402D1A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402D35
GetTickCount.KERNEL32 ref: 00402D53
wsprintfW.USER32 ref: 00402D81

Part of subcall function 004051F2: lstrlenW.KERNEL32(004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
Part of subcall function 004051F2: lstrcatW.KERNEL32(004216C8,00402D94), ref: 0040524D
Part of subcall function 004051F2: SetWindowTextW.USER32(004216C8,004216C8), ref: 0040525F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD

CreateDialogParamW.USER32(0000006F,00000000,00402C7F,00000000), ref: 00402DA5
ShowWindow.USER32(00000000,00000005), ref: 00402DB3

Part of subcall function 00402CFE: MulDiv.KERNEL32(00000000,00000064,0000019F), ref: 00402D13

Strings

... %d%%, xrefs: 00402D7B

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 005642a4020e0a71c09553eb7eb2d495990d68115b85ca719a2b531c3bc6c152
Instruction ID: 6ab1becf65089363c82906b09123353a2bcc309babf83807567d4fce196db36a
Opcode Fuzzy Hash: 005642a4020e0a71c09553eb7eb2d495990d68115b85ca719a2b531c3bc6c152
Instruction Fuzzy Hash: CD015E31909220EBC7616B64EE5DBDB3A68AB00704B14457BF905B11F1C6B85C45CFAE

Function 00404ABC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404AD7
GetMessagePos.USER32 ref: 00404ADF
ScreenToClient.USER32(?,?), ref: 00404AF9
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404B0B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404B31

Strings

f, xrefs: 00404B0D

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction ID: 0eecd9b69481b59551465bcf9db52b38cf56a1a0cd5b93a9aa54e622b558eefa
Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction Fuzzy Hash: 4B015E71E00219BADB10DBA4DD85FFEBBBCAB94711F10012BBB10B61D0D7B4A9018BA5

Function 00402C7F Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C9D
wsprintfW.USER32 ref: 00402CD1
SetWindowTextW.USER32(?,?), ref: 00402CE1
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF3

Strings

unpacking data: %d%%, xrefs: 00402CBF, 00402CCF
verifying installer: %d%%, xrefs: 00402CC6

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: fb2a05d00326c25166bc5f9aaa13d1f718a743be953a9e67bdfa073c3cfab417
Instruction ID: 6313022a6a14420ec29aadc91542e870ad3eb66361cb8d6516b6428425dce57e
Opcode Fuzzy Hash: fb2a05d00326c25166bc5f9aaa13d1f718a743be953a9e67bdfa073c3cfab417
Instruction Fuzzy Hash: 36F01270504108ABEF205F50DD4ABAE3768BB00309F00843AFA16B51D1DBB95959DB59

Function 100022D0 Relevance: 9.1, APIs: 6, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 10002416

Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C

GlobalAlloc.KERNEL32(00000040), ref: 10002397
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2

Memory Dump Source

Source File: 00000000.00000002.4584996770.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4584981457.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4585012105.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4585025776.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction ID: a8798eece1b67337def5fc6f06e905ed3cc6fca3e5836deafc22007a072d802d
Opcode Fuzzy Hash: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction Fuzzy Hash: A14190B1508305EFF320DF24D885AAA77F8FB883D0F50452DF9468619ADB34AA54DB61

Function 100024A9 Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNEL32(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalFree.KERNEL32(?), ref: 10002572
GlobalFree.KERNEL32(00000000), ref: 100025AD

Memory Dump Source

Source File: 00000000.00000002.4584996770.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4584981457.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4585012105.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4585025776.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction ID: 76257f5bf6759f365bfcd452de7d39bb0b2322773c3eba187a8a795e141f7608
Opcode Fuzzy Hash: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction Fuzzy Hash: 6831DE71504A21EFF321CF14CCA8E2B7BF8FB853D2F114529FA40961A8CB319851DB69

Function 004049D6 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004226E8,004226E8,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A67
wsprintfW.USER32 ref: 00404A70
SetDlgItemTextW.USER32(?,004226E8), ref: 00404A83

Strings

%u.%u%s%s, xrefs: 00404A51
&B, xrefs: 00404A56

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$&B
API String ID: 3540041739-2907463167
Opcode ID: bc3b7f17ced557010f42f2a5da3d553c1ee365e0fd64efe36082f95fd3b84f34
Instruction ID: b2bc00afb158c588b9a06456614f3f49c694bd1d1c2ad39e9d347cd1a0135542
Opcode Fuzzy Hash: bc3b7f17ced557010f42f2a5da3d553c1ee365e0fd64efe36082f95fd3b84f34
Instruction Fuzzy Hash: 131126737001247BCB10A66D9C45EDF324DDBC5334F144237FA65F60D1D938882186E8

Function 100018A9 Relevance: 7.7, APIs: 5, Instructions: 189COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 10001908
GlobalFree.KERNEL32(?), ref: 10001A93
GlobalFree.KERNEL32(?), ref: 10001A98

Memory Dump Source

Source File: 00000000.00000002.4584996770.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4584981457.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4585012105.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4585025776.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
Instruction ID: 56de187798276af1e94fdae5c91d23c4da0ac5596926d43ddda2a484f8c4ba85
Opcode Fuzzy Hash: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
Instruction Fuzzy Hash: 82511336E06115ABFB14DFA488908EEBBF5FF863D0F16406AE801B315DD6706F809792

Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
GlobalFree.KERNEL32(00000000), ref: 10001642

Memory Dump Source

Source File: 00000000.00000002.4584996770.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4584981457.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4585012105.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4585025776.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401CEB
GetClientRect.USER32(00000000,?), ref: 00401CF8
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
DeleteObject.GDI32(00000000), ref: 00401D36

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 5757bc3562e7fd28978ac45cc7d9905cf04a78579febaaeea46e845b0a190490
Instruction ID: 421c968aeac85d0930bc76aa4bc7d64c85250730bd7c855cb2b2db6532b3540a
Opcode Fuzzy Hash: 5757bc3562e7fd28978ac45cc7d9905cf04a78579febaaeea46e845b0a190490
Instruction Fuzzy Hash: F9F0E1B2A04104BFDB01DBE4EE88DEEB7BCEB08305B104466F601F5190C674AD018B35

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D44
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
ReleaseDC.USER32(?,00000000), ref: 00401D71
CreateFontIndirectW.GDI32(0040BDA0), ref: 00401DBC

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 42daf7e862d24205765a2c482219e26c12b6d25ebfb053d7a945aa5fdfa94cc8
Instruction ID: b353f613be9e85a79a94993a8857fa9d5f5277bee054f22ce4286571968d2ed5
Opcode Fuzzy Hash: 42daf7e862d24205765a2c482219e26c12b6d25ebfb053d7a945aa5fdfa94cc8
Instruction Fuzzy Hash: 4A016D31948285EFEB416BB0AE0AFDABF74EB65305F144479F141B62E2C77810058B6E

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 9bf1345347551ad99251b033a374dd29c38f8ee43bbdf8c6824fc78253d04776
Instruction ID: bea79b3a0ece1bc6ad67d762bc59202c8df9b0d3ac543b92a9f7cfbf89d94624
Opcode Fuzzy Hash: 9bf1345347551ad99251b033a374dd29c38f8ee43bbdf8c6824fc78253d04776
Instruction Fuzzy Hash: 6B217471A44109BEDF019FB0C94AFAD7B75EF44748F20413AF502B61D1D6B8A941DB18

Function 00405A3E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,Antegrade\Fravristelse213.Sto226,?,00405AB2,Antegrade\Fravristelse213.Sto226,Antegrade\Fravristelse213.Sto226,?,?,75922EE0,004057F0,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe"), ref: 00405A4C
CharNextW.USER32(00000000), ref: 00405A51
CharNextW.USER32(00000000), ref: 00405A69

Strings

Antegrade\Fravristelse213.Sto226, xrefs: 00405A3F

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: CharNext
String ID: Antegrade\Fravristelse213.Sto226
API String ID: 3213498283-844488938
Opcode ID: 21c909a7070704e5dbb7e9601562fce6107f8a8183e885fdad65ddb46c3d8f9e
Instruction ID: 3370e48302fb4b38b4c5194c943d3a4fd1b010f94388a0a3dcc183d660c6baaf
Opcode Fuzzy Hash: 21c909a7070704e5dbb7e9601562fce6107f8a8183e885fdad65ddb46c3d8f9e
Instruction Fuzzy Hash: 2CF09651F10B2295DF3177A44CC5E7B57B8EB58760B04853BE601B72C0E3B84D818F9A

Function 00405993 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403344,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403542), ref: 00405999
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403344,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75923420,00403542), ref: 004059A3
lstrcatW.KERNEL32(?,00409014), ref: 004059B5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405993

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
Instruction ID: a3647a5b8e032715a8ecc0c41ac115d98c53e42c85c632df021e5d83325ae185
Opcode Fuzzy Hash: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
Instruction Fuzzy Hash: 74D0A731101930AAD212BB548C04DDF739CEE45301740407BF605B30A1C77C1D418BFD

Function 00401F08 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69

Part of subcall function 00405E8F: wsprintfW.USER32 ref: 00405E9C

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 3b082d3ae56cd80e188a89b5e125e5232bc00da1bbd486e0c7b94093934bebb9
Instruction ID: 99fd8a33424c76a20816063d32e2a6550cff77f564c1afe2c3b0238effae22d3
Opcode Fuzzy Hash: 3b082d3ae56cd80e188a89b5e125e5232bc00da1bbd486e0c7b94093934bebb9
Instruction Fuzzy Hash: 93113675A00108AECB00DFA5C945DAEBBBAEF44344F20407AF905F62E1D7349E50DB68

Function 00401E51 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004051F2: lstrlenW.KERNEL32(004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000,?), ref: 0040522A
Part of subcall function 004051F2: lstrlenW.KERNEL32(00402D94,004216C8,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D94,00000000), ref: 0040523A
Part of subcall function 004051F2: lstrcatW.KERNEL32(004216C8,00402D94), ref: 0040524D
Part of subcall function 004051F2: SetWindowTextW.USER32(004216C8,004216C8), ref: 0040525F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405285
Part of subcall function 004051F2: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040529F
Part of subcall function 004051F2: SendMessageW.USER32(?,00001013,?,00000000), ref: 004052AD

Part of subcall function 004056C3: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256F0,Error launching installer), ref: 004056E8
Part of subcall function 004056C3: CloseHandle.KERNEL32(?), ref: 004056F5

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: 31d36f602dcab66d188b5b3b2e777ee9953d6626e675800b0e1fc5d87eda0f2f
Instruction ID: 663650117de36b32c607de2b5c5339e49b80fcfff4c178b035665d2e4b1c7066
Opcode Fuzzy Hash: 31d36f602dcab66d188b5b3b2e777ee9953d6626e675800b0e1fc5d87eda0f2f
Instruction Fuzzy Hash: 8811A131E00204EBCF109FA0CD449EF7AB5EB44315F20447BE505B62E0C7798A82DBA9

Function 00405A9B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405F48: lstrcpynW.KERNEL32(?,?,00000400,004033C8,00428200,NSIS Error), ref: 00405F55

Part of subcall function 00405A3E: CharNextW.USER32(?,?,Antegrade\Fravristelse213.Sto226,?,00405AB2,Antegrade\Fravristelse213.Sto226,Antegrade\Fravristelse213.Sto226,?,?,75922EE0,004057F0,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe"), ref: 00405A4C
Part of subcall function 00405A3E: CharNextW.USER32(00000000), ref: 00405A51
Part of subcall function 00405A3E: CharNextW.USER32(00000000), ref: 00405A69

lstrlenW.KERNEL32(Antegrade\Fravristelse213.Sto226,00000000,Antegrade\Fravristelse213.Sto226,Antegrade\Fravristelse213.Sto226,?,?,75922EE0,004057F0,?,C:\Users\user\AppData\Local\Temp\,75922EE0,"C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe"), ref: 00405AF4
GetFileAttributesW.KERNEL32(Antegrade\Fravristelse213.Sto226,Antegrade\Fravristelse213.Sto226,Antegrade\Fravristelse213.Sto226,Antegrade\Fravristelse213.Sto226,Antegrade\Fravristelse213.Sto226,Antegrade\Fravristelse213.Sto226,00000000,Antegrade\Fravristelse213.Sto226,Antegrade\Fravristelse213.Sto226,?,?,75922EE0,004057F0,?,C:\Users\user\AppData\Local\Temp\,75922EE0), ref: 00405B04

Strings

Antegrade\Fravristelse213.Sto226, xrefs: 00405AA1, 00405AA6, 00405AAC, 00405AED, 00405AF3, 00405AFB, 00405B03

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: Antegrade\Fravristelse213.Sto226
API String ID: 3248276644-844488938
Opcode ID: 7ce201bf88eaf48813c7c66b2d703cb578c55b534477fae0be54905458882fdd
Instruction ID: d8ec0bb6260b8bc6bf9377f80a5ae864fb4799106b1aa2bc96123f944ca7c929
Opcode Fuzzy Hash: 7ce201bf88eaf48813c7c66b2d703cb578c55b534477fae0be54905458882fdd
Instruction Fuzzy Hash: 61F0A425305E5259EA22323A5C85AAF3548CF82364759077FF852B22D2DB3C8D43DDBE

Function 00405166 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405195
CallWindowProcW.USER32(?,?,?,?), ref: 004051E6

Part of subcall function 004041E6: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004041F8

Strings

, xrefs: 00405176

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 843aab861ffb3f3227d1c446d01b64cf4776ac7e98eef2f295c4549480fb80e8
Instruction ID: 7fff49106f067b4291516d9fc604604598bdb5380bd5c908914395e8565309e0
Opcode Fuzzy Hash: 843aab861ffb3f3227d1c446d01b64cf4776ac7e98eef2f295c4549480fb80e8
Instruction Fuzzy Hash: 26015E71900609BBDB205F51ED84B6B3A26E794364F604037FA007A2D1D77A9C919F69

Function 004056C3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256F0,Error launching installer), ref: 004056E8
CloseHandle.KERNEL32(?), ref: 004056F5

Strings

Error launching installer, xrefs: 004056D6

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: e8775a5d6321f0dea89ce82b90cc6292b7a3bd0044cb503c25c375156348e7c2
Instruction ID: 0bf1ed3311e3e942e0a1389e84d80c76f41ccd0b69acab1f7eccde3b1b9dfef0
Opcode Fuzzy Hash: e8775a5d6321f0dea89ce82b90cc6292b7a3bd0044cb503c25c375156348e7c2
Instruction Fuzzy Hash: D7E0E674E0020AAFDB009F64DD05D6B7B7DF710304F808521A915F2250D7B5E8108A7D

Function 0040388A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75922EE0,00403861,75923420,0040366C,?), ref: 004038A4
GlobalFree.KERNEL32(?), ref: 004038AB

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040389C

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: dd483a302f27d7fd5815fa17d0cc140b668f4dc35d1ba6fe7e243829f05c23e7
Instruction ID: 78adfbc6f23a2b3c20b59446217b09faef23a1eee4c9d5cf742f1d2697954a66
Opcode Fuzzy Hash: dd483a302f27d7fd5815fa17d0cc140b668f4dc35d1ba6fe7e243829f05c23e7
Instruction Fuzzy Hash: 2FE08C339041205BC621AF25AC08B1AB7A86F89B32F0581B6F9807B2A183746C624BD9

Function 004059DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E28,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe,C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe,80000000,00000003), ref: 004059E5
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E28,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe,C:\Users\user\Desktop\debit-note-19-08-dn-2024.exe,80000000,00000003), ref: 004059F5

Strings

C:\Users\user\Desktop, xrefs: 004059DF

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
Instruction ID: c27c0225baf4744af390cb43684771b46df34b65c4403afa93d532b781e968ba
Opcode Fuzzy Hash: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
Instruction Fuzzy Hash: A8D05EB3400920DAD3226B04DC0199F73ACEF1131074644AAF501A21A5DB785D808BBD

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000000.00000002.4584996770.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.4584981457.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4585012105.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.4585025776.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765

Function 00405B19 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B29
lstrcmpiA.KERNEL32(00405D53,00000000), ref: 00405B41
CharNextA.USER32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B52
lstrlenA.KERNEL32(00405D53,?,00000000,00405D53,00000000,[Rename],00000000,00000000,00000000), ref: 00405B5B

Memory Dump Source

Source File: 00000000.00000002.4580703996.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.4580689277.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580717735.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000433000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580731245.0000000000449000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4580820888.000000000044D000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_debit-note-19-08-dn-2024.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction ID: 19ad592fd5dcf9c9bc99336752ee576fec3eb52e2d0cc5b6bc7cc78b570e8094
Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction Fuzzy Hash: 5FF06231A04958AFC7129BA5DD4099FBBB8EF06350B2540A6F801F7251D674FE019BA9

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report debit-note-19-08-dn-2024.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\App.ini

C:\Users\user\AppData\Local\Temp\nso4DFA.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsq44F1.tmp

C:\Users\user\AppData\Local\Temp\tmc.ini

C:\Users\user\brugerlicensaftalerne\Anam.Tra

C:\Users\user\brugerlicensaftalerne\Isidora\gaadefulde.txt

C:\Users\user\brugerlicensaftalerne\Isidora\mininetwork.bil

C:\Users\user\brugerlicensaftalerne\Photostatting.bak

C:\Users\user\brugerlicensaftalerne\armless.ude

C:\Users\user\brugerlicensaftalerne\buxus.bog

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Windows Analysis Report
debit-note-19-08-dn-2024.exe

Function 0040335A Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 383
stringfilecomCOMMON

Function 00405331 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405F6A Relevance: 19.5, APIs: 8, Strings: 3, Instructions: 207
stringCOMMON

Function 004057D0 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00403CC2 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 0040391F Relevance: 52.7, APIs: 16, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Function 00402DBC Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00401752 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00402573 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142
fileCOMMON

Function 004051F2 Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Function 00402331 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Function 004015B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Function 00402B7A Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 00405E15 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON