Edit tour

Windows Analysis Report
INVOICE NO. USF23-24072 IGR23110.exe

Overview

General Information

Sample name:	INVOICE NO. USF23-24072 IGR23110.exe
Analysis ID:	1572502
MD5:	8f1fc72d3ee9e32761d1adb4df2653bb
SHA1:	3964bbdef5772138a8676c009441a15e1ccd2d66
SHA256:	6b72b7309b58b078cbca3445adad522360f9032bd607f1389d98f99ed0f7fafb
Tags:	exeuser-lowmal3
Infos:

Detection

AgentTesla

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Initial sample is a PE file and has a suspicious name

Installs a global keyboard hook

Machine Learning detection for sample

Maps a DLL or memory area into another process

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Outbound SMTP Connections

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

INVOICE NO. USF23-24072 IGR23110.exe (PID: 2884 cmdline: "C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe" MD5: 8F1FC72D3EE9E32761D1ADB4DF2653BB)

RegSvcs.exe (PID: 4196 cmdline: "C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.alltoursegypt.com", "Username": "admin@alltoursegypt.com", "Password": "OPldome23#12klein"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.4598348904.0000000003474000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4597237290.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4597237290.0000000000402000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2128556752.0000000003490000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2128556752.0000000003490000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2128556752.0000000003490000.00000004.00001000.00020000.00000000.sdmp	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34edb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34f4d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34fd7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35069:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x350d3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35145:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x351db:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3526b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
00000002.00000002.4598348904.000000000346C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000002.00000002.4598348904.0000000003441000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.4598348904.0000000003441000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: INVOICE NO. USF23-24072 IGR23110.exe PID: 2884	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: INVOICE NO. USF23-24072 IGR23110.exe PID: 2884	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegSvcs.exe PID: 4196	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 4196	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 8 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.raw.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.raw.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34edb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34f4d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34fd7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35069:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x350d3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35145:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x351db:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3526b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
2.2.RegSvcs.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x34edb:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x34f4d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x34fd7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x35069:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x350d3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x35145:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x351db:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3526b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.unpack	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.unpack	INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID	Detects executables referencing Windows vault credential objects. Observed in infostealers	ditekSHen	0x330db:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5 0x3314d:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55 0x331d7:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F 0x33269:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28 0x332d3:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29 0x33345:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC 0x333db:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B 0x3346b:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
Click to see the 4 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Outbound SMTP Connections

Source: Network Connection

Author: frack113: Data: DestinationIp: 192.254.186.165, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 4196, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49709

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 2.2.RegSvcs.exe.400000.0.unpack

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.alltoursegypt.com", "Username": "admin@alltoursegypt.com", "Password": "OPldome23#12klein"}

Multi AV Scanner detection for submitted file

Source: INVOICE NO. USF23-24072 IGR23110.exe

ReversingLabs: Detection: 50%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: INVOICE NO. USF23-24072 IGR23110.exe

Joe Sandbox ML: detected

Source: INVOICE NO. USF23-24072 IGR23110.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49707 version: TLS 1.2

Source:	Binary string: wntdll.pdbUGP source: INVOICE NO. USF23-24072 IGR23110.exe, 00000000.00000003.2121865849.0000000003820000.00000004.00001000.00020000.00000000.sdmp, INVOICE NO. USF23-24072 IGR23110.exe, 00000000.00000003.2126570572.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: INVOICE NO. USF23-24072 IGR23110.exe, 00000000.00000003.2121865849.0000000003820000.00000004.00001000.00020000.00000000.sdmp, INVOICE NO. USF23-24072 IGR23110.exe, 00000000.00000003.2126570572.0000000003A10000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005E445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_005E445A
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005EC6D1 FindFirstFileW,FindClose,	0_2_005EC6D1
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_005EC75C
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005EEF95
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005EF0F2
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_005EF3F3
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_005E37EF
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_005E3B12
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_005EBCBC

Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View	IP Address: 104.26.13.205 104.26.13.205

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005F22EE InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_005F22EE

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: mail.alltoursegypt.com

Source: RegSvcs.exe, 00000002.00000002.4598348904.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4598348904.000000000346C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://alltoursegypt.com
Source: RegSvcs.exe, 00000002.00000002.4598348904.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4598348904.000000000346C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.alltoursegypt.com
Source: RegSvcs.exe, 00000002.00000002.4598348904.0000000003474000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4598348904.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4600188483.000000000685C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4600029380.00000000067D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4597968115.0000000001726000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.i.lencr.org/01
Source: RegSvcs.exe, 00000002.00000002.4598348904.0000000003474000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4598348904.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4600188483.000000000685C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4600029380.00000000067D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4597968115.0000000001726000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r10.o.lencr.org0#
Source: RegSvcs.exe, 00000002.00000002.4598348904.00000000033F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegSvcs.exe, 00000002.00000002.4598348904.0000000003474000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4598348904.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4600188483.000000000685C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4600029380.00000000067D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4597968115.0000000001726000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegSvcs.exe, 00000002.00000002.4598348904.0000000003474000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4598348904.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4600188483.000000000685C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4600029380.00000000067D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4597968115.0000000001726000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: INVOICE NO. USF23-24072 IGR23110.exe, 00000000.00000002.2128556752.0000000003490000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4597237290.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://account.dyn.com/
Source: INVOICE NO. USF23-24072 IGR23110.exe, 00000000.00000002.2128556752.0000000003490000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4598348904.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4597237290.0000000000402000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000002.00000002.4598348904.00000000033F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000002.00000002.4598348904.00000000033F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707

Source: unknown

HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49707 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.raw.unpack, NmHr1WHWKO.cs

.Net Code: lhg

Installs a global keyboard hook

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Jump to behavior

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005F4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_005F4164

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005F4164 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_005F4164

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005F3F66 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_005F3F66

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005E001C GetKeyboardState,SetKeyboardState,GetAsyncKeyState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_005E001C

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_0060CABC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_0060CABC

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2128556752.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00583B3A
Source: INVOICE NO. USF23-24072 IGR23110.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: INVOICE NO. USF23-24072 IGR23110.exe, 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_b58caf39-9
Source: INVOICE NO. USF23-24072 IGR23110.exe, 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_bcb3801b-8
Source: INVOICE NO. USF23-24072 IGR23110.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_d27432c6-8
Source: INVOICE NO. USF23-24072 IGR23110.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer`	memstr_2e58187f-2

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: INVOICE NO. USF23-24072 IGR23110.exe

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005EA1EF: GetFullPathNameW,__swprintf,CreateDirectoryW,CreateFileW,_memset,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle,

0_2_005EA1EF

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005D8310 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_005D8310

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005E51BD ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_005E51BD

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005AD975	0_2_005AD975
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005A21C5	0_2_005A21C5
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005B62D2	0_2_005B62D2
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_006003DA	0_2_006003DA
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005B242E	0_2_005B242E
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005A25FA	0_2_005A25FA
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005DE616	0_2_005DE616
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005966E1	0_2_005966E1
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_0058E6A0	0_2_0058E6A0
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005B878F	0_2_005B878F
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005B6844	0_2_005B6844
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_00600857	0_2_00600857
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_00598808	0_2_00598808
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005E8889	0_2_005E8889
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005ACB21	0_2_005ACB21
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005B6DB6	0_2_005B6DB6
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_00596F9E	0_2_00596F9E
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_00593030	0_2_00593030
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005AF1D9	0_2_005AF1D9
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005A3187	0_2_005A3187
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_00581287	0_2_00581287
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005A1484	0_2_005A1484
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_00595520	0_2_00595520
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005A7696	0_2_005A7696
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_00595760	0_2_00595760
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005A1978	0_2_005A1978
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005B9AB5	0_2_005B9AB5
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_0058FCE0	0_2_0058FCE0
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_00607DDB	0_2_00607DDB
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005A1D90	0_2_005A1D90
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005ABDA6	0_2_005ABDA6
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_0058DF00	0_2_0058DF00
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_00593FE0	0_2_00593FE0
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_00F99810	0_2_00F99810
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0163A1B0	2_2_0163A1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0163A978	2_2_0163A978
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01634A98	2_2_01634A98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01633E80	2_2_01633E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_016341C8	2_2_016341C8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_0163F9C8	2_2_0163F9C8

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: String function: 00587DE1 appears 35 times
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: String function: 005A0AE3 appears 70 times
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: String function: 005A8900 appears 42 times

Source: INVOICE NO. USF23-24072 IGR23110.exe, 00000000.00000003.2123697553.0000000003B3D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs INVOICE NO. USF23-24072 IGR23110.exe
Source: INVOICE NO. USF23-24072 IGR23110.exe, 00000000.00000002.2128556752.0000000003490000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilename106790a0-b81d-4bde-9832-48ebd9bb7fec.exe4 vs INVOICE NO. USF23-24072 IGR23110.exe
Source: INVOICE NO. USF23-24072 IGR23110.exe, 00000000.00000003.2123184913.0000000003993000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs INVOICE NO. USF23-24072 IGR23110.exe

Source: INVOICE NO. USF23-24072 IGR23110.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2128556752.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers

Source: 0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.raw.unpack, ISZbPXDvPz.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.raw.unpack, ISZbPXDvPz.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.raw.unpack, nAXAT51m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.raw.unpack, nAXAT51m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.raw.unpack, nAXAT51m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.raw.unpack, nAXAT51m.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.raw.unpack, YpS.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.raw.unpack, YpS.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/4@2/2

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005EA06A GetLastError,FormatMessageW,

0_2_005EA06A

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005D81CB AdjustTokenPrivileges,CloseHandle,		0_2_005D81CB
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005D87E1 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_005D87E1

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005EB333 SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_005EB333

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005FEE0D CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_005FEE0D

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005EC397 CoInitialize,CoCreateInstance,CoUninitialize,

0_2_005EC397

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_00584E89 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00584E89

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

File created: C:\Users\user\AppData\Local\Temp\aut3D4.tmp

Jump to behavior

Source: INVOICE NO. USF23-24072 IGR23110.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini

Jump to behavior

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: INVOICE NO. USF23-24072 IGR23110.exe

ReversingLabs: Detection: 50%

Source: unknown	Process created: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe "C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe"
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe"
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe"	Jump to behavior

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Source: INVOICE NO. USF23-24072 IGR23110.exe

Static file information: File size 1067520 > 1048576

Source: INVOICE NO. USF23-24072 IGR23110.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: INVOICE NO. USF23-24072 IGR23110.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: INVOICE NO. USF23-24072 IGR23110.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: INVOICE NO. USF23-24072 IGR23110.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: INVOICE NO. USF23-24072 IGR23110.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: INVOICE NO. USF23-24072 IGR23110.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: INVOICE NO. USF23-24072 IGR23110.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: INVOICE NO. USF23-24072 IGR23110.exe, 00000000.00000003.2121865849.0000000003820000.00000004.00001000.00020000.00000000.sdmp, INVOICE NO. USF23-24072 IGR23110.exe, 00000000.00000003.2126570572.0000000003A10000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: INVOICE NO. USF23-24072 IGR23110.exe, 00000000.00000003.2121865849.0000000003820000.00000004.00001000.00020000.00000000.sdmp, INVOICE NO. USF23-24072 IGR23110.exe, 00000000.00000003.2126570572.0000000003A10000.00000004.00001000.00020000.00000000.sdmp

Source: INVOICE NO. USF23-24072 IGR23110.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: INVOICE NO. USF23-24072 IGR23110.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: INVOICE NO. USF23-24072 IGR23110.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: INVOICE NO. USF23-24072 IGR23110.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: INVOICE NO. USF23-24072 IGR23110.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_00584B37 LoadLibraryA,GetProcAddress,

0_2_00584B37

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005A8945 push ecx; ret	0_2_005A8958
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01630C45 push ebx; retf	2_2_01630C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01630C53 push ebx; retf	2_2_01630C52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 2_2_01630CCB push edi; retf	2_2_01630C7A

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_005848D7
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_00605376 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00605376

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005A3187 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_005A3187

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

API/Special instruction interceptor: Address: F99434

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: INVOICE NO. USF23-24072 IGR23110.exe, 00000000.00000002.2128115651.000000000101D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCMON.EXE?[Q
Source: INVOICE NO. USF23-24072 IGR23110.exe, 00000000.00000002.2127846188.0000000000F18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PROCESSHACKER.EXER

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 2916			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 6927			Jump to behavior

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

API coverage: 4.7 %

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005E445A GetFileAttributesW,FindFirstFileW,FindClose,	0_2_005E445A
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005EC6D1 FindFirstFileW,FindClose,	0_2_005EC6D1
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005EC75C FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_005EC75C
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005EEF95 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005EEF95
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005EF0F2 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_005EF0F2
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005EF3F3 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_005EF3F3
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005E37EF FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_005E37EF
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005E3B12 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_005E3B12
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005EBCBC FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_005EBCBC

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005849A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 100000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99451	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99196	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 99091	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98954	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98542	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 98109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 97015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96795	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96687	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96578	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96468	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96359	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96249	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96128	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 96000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95887	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95729	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95554	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95438	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 95093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94984	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94874	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94764	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94546	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 94109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 93999	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 93890	Jump to behavior

Source: RegSvcs.exe, 00000002.00000002.4600029380.00000000067D0000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	API call chain: ExitProcess graph end node			graph_0-100776
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	API call chain: ExitProcess graph end node			graph_0-100994

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005F3F09 BlockInput,

0_2_005F3F09

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_00583B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00583B3A

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005B5A7C EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_005B5A7C

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_00584B37 LoadLibraryA,GetProcAddress,

0_2_00584B37

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_00F98040 mov eax, dword ptr fs:[00000030h]	0_2_00F98040
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_00F996A0 mov eax, dword ptr fs:[00000030h]	0_2_00F996A0
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_00F99700 mov eax, dword ptr fs:[00000030h]	0_2_00F99700

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005D80A9 GetTokenInformation,GetLastError,GetProcessHeap,HeapAlloc,GetTokenInformation,

0_2_005D80A9

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005AA155 SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_005AA155
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005AA124 SetUnhandledExceptionFilter,		0_2_005AA124

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1136008

Jump to behavior

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005D87B1 LogonUserW,

0_2_005D87B1

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_00583B3A GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00583B3A

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005848D7 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_005848D7

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005E4C53 mouse_event,

0_2_005E4C53

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe"

Jump to behavior

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005D7CAF GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_005D7CAF

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005D874B AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_005D874B

Source: INVOICE NO. USF23-24072 IGR23110.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: INVOICE NO. USF23-24072 IGR23110.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005A862B cpuid

0_2_005A862B

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005B4E87 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_005B4E87

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005C1E06 GetUserNameW,

0_2_005C1E06

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005B3F3A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_005B3F3A

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe

Code function: 0_2_005849A0 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_005849A0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4598348904.0000000003474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4597237290.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2128556752.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4598348904.000000000346C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4598348904.0000000003441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INVOICE NO. USF23-24072 IGR23110.exe PID: 2884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4196, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: INVOICE NO. USF23-24072 IGR23110.exe	Binary or memory string: WIN_81
Source: INVOICE NO. USF23-24072 IGR23110.exe	Binary or memory string: WIN_XP
Source: INVOICE NO. USF23-24072 IGR23110.exe	Binary or memory string: WIN_XPe
Source: INVOICE NO. USF23-24072 IGR23110.exe	Binary or memory string: WIN_VISTA
Source: INVOICE NO. USF23-24072 IGR23110.exe	Binary or memory string: WIN_7
Source: INVOICE NO. USF23-24072 IGR23110.exe	Binary or memory string: WIN_8
Source: INVOICE NO. USF23-24072 IGR23110.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Source: Yara match	File source: 0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4597237290.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2128556752.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4598348904.0000000003441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INVOICE NO. USF23-24072 IGR23110.exe PID: 2884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4196, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.INVOICE NO. USF23-24072 IGR23110.exe.3490000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.4598348904.0000000003474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4597237290.0000000000402000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2128556752.0000000003490000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4598348904.000000000346C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.4598348904.0000000003441000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: INVOICE NO. USF23-24072 IGR23110.exe PID: 2884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 4196, type: MEMORYSTR

Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005F6283 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_005F6283
Source: C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe	Code function: 0_2_005F6747 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_005F6747

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	2 Valid Accounts	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	221 Input Capture	1 Account Discovery	Remote Desktop Protocol	2 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	2 Obfuscated Files or Information	1 Credentials in Registry	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	138 System Information Discovery	Distributed Component Object Model	221 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	2 Valid Accounts	LSA Secrets	341 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	121 Virtualization/Sandbox Evasion	Cached Domain Credentials	121 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	212 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	Dynamic API Resolution	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
INVOICE NO. USF23-24072 IGR23110.exe	50%	ReversingLabs	Win32.Trojan.AutoitInject
INVOICE NO. USF23-24072 IGR23110.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
http://mail.alltoursegypt.com	0%	Avira URL Cloud	safe
http://alltoursegypt.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api.ipify.org	104.26.13.205	true	false	high
alltoursegypt.com	192.254.186.165	true	true	unknown
mail.alltoursegypt.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://mail.alltoursegypt.com	RegSvcs.exe, 00000002.00000002.4598348904.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4598348904.000000000346C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org	INVOICE NO. USF23-24072 IGR23110.exe, 00000000.00000002.2128556752.0000000003490000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4598348904.00000000033F1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4597237290.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
http://r10.o.lencr.org0#	RegSvcs.exe, 00000002.00000002.4598348904.0000000003474000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4598348904.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4600188483.000000000685C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4600029380.00000000067D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4597968115.0000000001726000.00000004.00000020.00020000.00000000.sdmp	false		high
http://r10.i.lencr.org/01	RegSvcs.exe, 00000002.00000002.4598348904.0000000003474000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4598348904.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4600188483.000000000685C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4600029380.00000000067D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4597968115.0000000001726000.00000004.00000020.00020000.00000000.sdmp	false		high
https://account.dyn.com/	INVOICE NO. USF23-24072 IGR23110.exe, 00000000.00000002.2128556752.0000000003490000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4597237290.0000000000402000.00000040.80000000.00040000.00000000.sdmp	false		high
https://api.ipify.org/t	RegSvcs.exe, 00000002.00000002.4598348904.00000000033F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000002.00000002.4598348904.00000000033F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	RegSvcs.exe, 00000002.00000002.4598348904.0000000003474000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4598348904.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4600188483.000000000685C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4600029380.00000000067D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4597968115.0000000001726000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.i.lencr.org/0	RegSvcs.exe, 00000002.00000002.4598348904.0000000003474000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4598348904.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4600188483.000000000685C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4600029380.00000000067D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4597968115.0000000001726000.00000004.00000020.00020000.00000000.sdmp	false		high
http://alltoursegypt.com	RegSvcs.exe, 00000002.00000002.4598348904.00000000034FB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4598348904.000000000346C000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.13.205	api.ipify.org	United States		13335	CLOUDFLARENETUS	false
192.254.186.165	alltoursegypt.com	United States		46606	UNIFIEDLAYER-AS-1US	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1572502
Start date and time:	2024-12-10 16:30:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	INVOICE NO. USF23-24072 IGR23110.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/4@2/2
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 100% Number of executed functions: 59 Number of non-executed functions: 276
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.63, 4.175.87.197
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 4196 because it is empty
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
VT rate limit hit for: INVOICE NO. USF23-24072 IGR23110.exe

Simulations

Behavior and APIs

Time	Type	Description
10:31:00	API Interceptor	10415657x Sleep call for process: RegSvcs.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.26.13.205	BiXS3FRoLe.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	lEUy79aLAW.exe	Get hash	malicious	TrojanRansom	Browse	api.ipify.org/
	Simple1.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	2b7cu0KwZl.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
192.254.186.165	Shipping Documents 72908672134.exe	Get hash	malicious	AgentTesla	Browse
192.254.186.165	PUK ITALIA PO 120610549.EXE.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	SPECIFICATIONS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	EEMsLiXoiTzoaDd.scr	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	172.67.74.152
	Statement 2024-11-29 (K07234).exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205
	Employee_Letter.pdf	Get hash	malicious	HTMLPhisher	Browse	104.26.13.205
	1mr7lpFIVI.exe	Get hash	malicious	Unknown	Browse	104.26.12.205
	jKDBppzWTb.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	enyi.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	104.26.13.205
	proforma invoice.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	x.ps1	Get hash	malicious	PureLog Stealer, Quasar	Browse	104.26.12.205
	file.exe	Get hash	malicious	Quasar	Browse	104.26.13.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SPECIFICATIONS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	ST07933.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.21.67.152
	fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.177.134
	http://abercombie.com	Get hash	malicious	Unknown	Browse	104.18.86.42
	https://listafrica.org/Receipt.html	Get hash	malicious	WinSearchAbuse	Browse	172.64.41.3
	https://github.com/Matty77o/malware-samples-m-h/blob/main/TheTrueFriend.exe	Get hash	malicious	Unknown	Browse	162.159.135.232
	https://wetransfer.com/downloads/a83584fea59b11ef1e94d36869e8790020241209234540/89744b9472f9ce1b5e3b4ada79f2184c20241209234540/7041ff?t_exp=1734047140&t_lsid=42d44d78-6d8f-48db-8db5-5efa0c86786d&t_network=email&t_rid=ZW1haWx8Njc0ZjQ5YTNiNjM1NTFjNmY2NTg0N2Zj&t_s=download_link&t_ts=1733787940&utm_campaign=TRN_TDL_01&utm_source=sendgrid&utm_medium=email&trk=TRN_TDL_01	Get hash	malicious	Unknown	Browse	104.26.1.90
	https://webradiojaguar.net/FNB-POP.pdf	Get hash	malicious	Unknown	Browse	1.1.1.1
	PO2412010.exe	Get hash	malicious	FormBook	Browse	104.21.64.1
	https://zfrmz.com/wE0Jw9HNvGeKZ1fn5cBU	Get hash	malicious	Unknown	Browse	104.17.25.14
UNIFIEDLAYER-AS-1US	SPECIFICATIONS.exe	Get hash	malicious	AgentTesla	Browse	192.254.225.136
	ExternalREMITTANCE ACH SCHEDULED 1210241424bec0c449d38092c0dbd844252d73 (24.0 KB).msg	Get hash	malicious	Unknown	Browse	69.49.245.172
	la.bot.arm6.elf	Get hash	malicious	Mirai	Browse	162.215.31.89
	la.bot.powerpc.elf	Get hash	malicious	Mirai	Browse	198.58.93.231
	https://xxx.cloudlawservices.com/fROBJ/	Get hash	malicious	HTMLPhisher	Browse	69.49.230.198
	Play_VM-NowCRQW.html	Get hash	malicious	HTMLPhisher	Browse	69.49.230.198
	https://webservice.ucampaign.unear.net/UmailTracking/t.aspx?p=64620006&c=MTI2NjMxOA==&up=46435316&e=jlim@vvblawyers.com&l=MTczODQ=&i=1126&u=aHR0cHM6Ly9zcGhleGFtcy5jb20vLndlbGwta25vdy8/MHM1N2RiPU1UTW1NVE1tTVRNbU1UTW1RakVtUmpRbWIySnhkRWN6SmtRMEprMTFiSGR5VkdoSGVVdFpMaTQ1U2pOWU5sSnlhbVk2Y2tZMEpqTXpKblY1Wm5VdWIyWmxaV3BwTXpNbVJUUW1kSFJpYldReE15WnZZbkYwUkRRbVFqRW1SalFtYlc1MWFVY3pKa1EwSmtJeEprWTBKbnBsY0dOSE15WkVOQ1pDTVNaR05DWjZaWEJqUkRRbVFqRW1SalFtWldKbWFVY3pKa1EwSmtJeEprWTBKbVp0ZW5WMFJ6TW1SRFFtTVRNbU1UTW1NVE1tTVRNbVFqRW1SVGdtTVRNbU1UTW1NVE1tTVRNbU1UTW1NVE1tTVRNbU1UTW1RakVtUXpRbWIyWmxaV3BwTVRNbVFqUW1lblZxYldwamFuUnFkekV6SmpFekpqRXpKakV6SmpFekpqRXpKakV6SmpFekpqRXpKakV6SmpFekpqRXpKa0l4SmtNMEptWjFhbWw0TVRNbVFqUW1jM0J0Y0dReE15WXhNeVl4TXlZeE15WXhNeVl4TXlZeE15WXhNeVl4TXlZeE15WXhNeVl4TXlaQ01TWkRPQ1l4TXlaMWVXWjFMbTltWldWcWFTOHhNeVl4TXlZeE15WXhNeVl4TXlZeE15WXhNeVl4TXlaQ01TWkdOQ1ptYlhwMWRFUTBKakV6SmpFekpqRXpKakV6SmtJeEprWTBKbVp0ZFdwMVJ6TW1SRFFtWm01d1NVWTBKbVp0ZFdwMVJEUW1NVE1tTVRNbU1UTW1NVE1tUWpFbVJ6TW1LekV6Sm1aek1UTW1aV1ZpTVRNbVJUUW1SVFFtUlRRbVJUUW1SVFFtUlRRbVJEUW1NVE1tSzBjekpqRXpKakV6SmtZMEpqTXpKa1UwSmpFelkyczJSR054UjFoamIwTkdaWHRYU0dWemVtZHNkSHBtYVdkdWMydGxhVFF6SmtjekptWnpSek1tWldSSE15WjRjRzlzTG0xdFpuZ3ZSek1tYUhOd0wyWnRZbTl3YW50aWIzTm1kVzlxYjJadVlrY3pKa2N6SmtJMEpuUnhkWFZwUlRRbWJYTjJRelFtTXpNekprVTBKblZ2Wm5WdmNHUXhNeVl6TXlacGRHWnpaMlp6TXpNbVJUUW1kMnAyY21ZdWNYVjFhVEV6Sm1KMVptNUVOQ1l4TXlZeE15WXhNeVl4TXlaQ01TWkdOQ1l6TXlZNUxrZFZWak16SmtVMEpuVm1kSE5pYVdReE15WmlkV1p1UkRRbU1UTW1NVE1tTVRNbU1UTW1RakVtUmpRbVpXSm1hVVEwSmtJeEprWTBKbTF1ZFdsRU5DWkNNU1pHTkNadlluRjBSek1tUkRRbVpHczNhRnBXUkRRbWRIczFUVVUwSmt4WWJYZ3hUMUZuWkZoUVdYTjdOWGRIT1h0UlJUWW1RMDlHTkNZek15WjFlV1oxTG05bVpXVnFhVE16SmtVMEpuUjBZbTFrTVRNbWIySnhkRVEwSmtJeEpnPT0=	Get hash	malicious	HTMLPhisher	Browse	192.185.25.241
	http://crissertaoericardo.com.br/images/document.pif.rar	Get hash	malicious	GuLoader	Browse	192.185.217.125
	https://mpleho.com/wd/	Get hash	malicious	Phisher	Browse	69.49.234.173
	AWB_5771388044 Documente de expediere.exe	Get hash	malicious	FormBook	Browse	108.179.253.197

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	SPECIFICATIONS.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	ST07933.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	104.26.13.205
	fiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx .exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	104.26.13.205
	Ref_31020563.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	Ref_31020563.exe	Get hash	malicious	Unknown	Browse	104.26.13.205
	xUPaeKk5wQ.msi	Get hash	malicious	AteraAgent	Browse	104.26.13.205
	7gBUqzSN3y.msi	Get hash	malicious	AteraAgent	Browse	104.26.13.205
	PO-8776-2024.js	Get hash	malicious	Remcos	Browse	104.26.13.205
	New Order Enquiry.js	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	Bunker_STS_pdf.vbs	Get hash	malicious	Unknown	Browse	104.26.13.205

Process:	C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe
File Type:	data
Category:	dropped
Size (bytes):	159638
Entropy (8bit):	7.94161914525211
Encrypted:	false
SSDEEP:	3072:CbkVs/W5hvJ6+gLoSX2zi+QPoq2JJ+ShTjpNgSPaMoZgdgq3m:C4Vs/oI+IoLzAAqfSNpNg8C3q2
MD5:	488BC5C2E4A0EA835D3CD7CE90346465
SHA1:	739011331959ECA2841459FF4943874E958059A6
SHA-256:	BE44A4B30D6AE3160DD46893894D5FC3335397A5373BD124C3182ACFC44AA372
SHA-512:	FC674BAB388E31DA175B50C880A49D4025FE8BA1D00938D8DF166D1A83DD2C012F3B17EE9B42E4182C51B17B0AFE14545F7C20D6681FC3DE624A56448778AD65
Malicious:	false
Reputation:	low
Preview:	EA06.........ej.T..f.]/>.F......Z..4..r...V..J5D._5...q......7.{........5..!4.O.2.z3'.......c1......fUf..`q..ZA?...[...l..5F.Q.L....s]Z.bcO....l.sD..9...Mj....cE../4J...\..\`....P..U.. ...Q .J5BC3......j.D...P.?...f....wS:$......(......S.....V.....q.T/ ...j..p.q....38.....\l..@....#.J&......i.Tj.....V....5F....k....Q.......Q.T.(~.l......x...-...S...!....J.N...U+S...7../.V..._.............]....B..)...7L..}m.~.@.v..m..I@..&~Z]....Q..,.q....4]'.=....4.]^}..]k.].Cw.`.6y,.7......'w.1.w'T[O.......-.....L ..o.w..M....U@.H..Y.^.K...z.........'..8.F.q....m.Jc?....y..a....98..+....<..g. ..V..O.9...1/.E"@..T....~.@..n..Z.........=...@.n.E+~.s..8..4oif....ZFjI..ZsZ.D....C..>.&s.........."..FM3.E-.:=^.U..'.z........Z.&cP.M..Z..z..2..U....q...[...r..\|ik5n......y@s.F......0.....9.X..&.M,.J.N.!..RyU.7...b.YE~x......].Vh.9.No}..(...._k..h.Je....C...\.aD.^h...b...VjW..bZ.xO....r.n..fs:5cOP.S.UY=.5...s...3.P......M......!..Q.4...D.......~..m5Z...F..../..L

C:\Users\user\AppData\Local\Temp\aut414.tmp

Download File

Process:	C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe
File Type:	data
Category:	dropped
Size (bytes):	14636
Entropy (8bit):	7.6294422433662685
Encrypted:	false
SSDEEP:	384:ITYznwBBBovI7dbhz2j6ovJO7vTRSc0SkQVVJSRgIB:IAwrBoQphAvRcJMaW
MD5:	18C43D81C3A29F8F2B6DE0C14E1C0972
SHA1:	98D697293462E6C804F3C5DC65501685EDFB5211
SHA-256:	C4B888AC896BFD7E086AC809FD2F3E5DB856C6C45433E1BDBD834FC580884318
SHA-512:	3E377ECBAB9F8DAB97947AAFC7B484D498FBF4A132791E19D07FB371EE6690710B1463ABF28C29C8BDB6B19E282196E532EC4779AC5EB6B66D36136003E89C09
Malicious:	false
Reputation:	low
Preview:	EA06..0..[.....+x..f....... .V......71...@.x..L........`......8............`.......Z\|3@...@.........K.X@0.2.Z..Z>)..w.e....l !..m..;...\| !.....;....;.....l.;.0./.<.;...m..rd.....@->.....4....f.C.5..;.............r.....X.<>`.O..p.........!.........h.=..........<\|3.....c...h.. -...... ...X.Z?......(...(.G..4.h....x....M@N.......Z?.I.......N@R... ...5.(..,.._...k`........R...._.K..?d...B.... 7W.......n.../.~.....)...@...!K....h\|!._....ga._.5.1.....`v/.......NA...,...7.7.,..!6.b...Z?.K(-...0.h..&.._....' -.............-..........G.6.....d_.T......"....d_.(M..57....n.....`...L....K.L..6.s.A.?..L.......Bg>...w.36.... !...L...}....\|V.4..r......$............r..9....>.....2... ...b....`......k.(.....!`....,......V1`..f....X.>i.v'.3c.........G.4....E.?......9..X.......7...l.`..."...\.61*........f.....\|.`.O.......,`........nl,....C.`....p...Y......`....@n?..;g....0...d...l ...P.?'....}...........0...4.X...>y.....1......x...L.\.i.....)...@n?............b...@.>y...

C:\Users\user\AppData\Local\Temp\iodization

Download File

Process:	C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe
File Type:	ASCII text, with very long lines (65536), with no line terminators
Category:	dropped
Size (bytes):	143378
Entropy (8bit):	2.993594682206911
Encrypted:	false
SSDEEP:	96:AIXLr46+F05BvDMo3I+0FlPFpA6Fxcg+GcuD9IlycuS3wrWVjjJqnBaAJZdjureP:H3NjwPOhGcuD9IlycuS3wrWVhqnBaA
MD5:	CDD1D3A70B00DE957C239DFFFF68BBB6
SHA1:	D3B4EDF37E27DF830BE8FAF3CD28362B2E9D2EAD
SHA-256:	F5243FFF9519BCA3EE79AD7B81C11C9E03FB48D373E81613F4BCFBD7EB30C451
SHA-512:	07C71B08BBDAF852E7C2E60F97686CC89FD698353387C4B1593CBBF57C8D4C7EDD577F40AF353A1464A838A25772978EAD6800C3BA4A8819B1C931D2DC9991BB
Malicious:	false
Reputation:	low
Preview:	dowp0dowpxdowp5dowp5dowp8dowpbdowpedowpcdowp8dowp1dowpedowpcdowpcdowpcdowp0dowp2dowp0dowp0dowp0dowp0dowp5dowp6dowp5dowp7dowpbdowp8dowp6dowpbdowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp8dowp4dowpbdowp9dowp6dowp5dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp8dowp6dowpbdowpadowp7dowp2dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp8dowp8dowpbdowp8dowp6dowpedowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp8dowpadowpbdowp9dowp6dowp5dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp8dowpcdowpbdowpadowp6dowpcdowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp8dowpedowpbdowp8dowp3dowp3dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowp5dowp9dowp0dowpbdowp9dowp3dowp2dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp4dowpddowp9dowp2dowpbdowpadowp2dowpedowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9dowp5dowp5dowp9dowp4dowpbdowp8dowp6dowp4dowp0dowp0dowp0dowp0dowp0dowp0dowp6dowp6dowp8dowp9

C:\Users\user\AppData\Local\Temp\undiscernibly

Download File

Process:	C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe
File Type:	data
Category:	dropped
Size (bytes):	247296
Entropy (8bit):	6.736120444191032
Encrypted:	false
SSDEEP:	6144:5vEeHHLX6WwUu2zrBvs3no66xSh70dX/Hz6:5ZHHL8Uu2zrBvsXpyShSfO
MD5:	6CE23D04DE22B81CBD6A684F1198DBE7
SHA1:	0FCC331CAA1D12EB956093AF84F0EFC038B6E9F2
SHA-256:	F0A4241C97BAF6F46D7F89B3B3628593268CDC70EA596526A6AD3CC82863A683
SHA-512:	CC583E71394F90E9649E45DC75C576E2D612EF0D74E39283D896235D723FF22561CD4E30003CA3ABE933B0A55A0B56C078A8E13AFBDCD9633201A9C4C0614BCA
Malicious:	false
Reputation:	low
Preview:	...QLZSTGM5U..DF.FP139DZ.VQOZSTCM5UZ0DFQFP139DZYVQOZSTCM5UZ0.FQF^..7D.P.p.[..b.]<).44>!"P^.';78>;z11c?@;zYf....^V ?w[\E~STCM5UZ`.FQ.Q23M.<VQOZSTCM.UX1OGZFP.09DRYVQOZS.N5Uz0DF.EP13yDZyVQOXSTGM5UZ0DFUFP139DZYvUOZQTCM5UZ2D..FP!39TZYVQ_ZSDCM5UZ0TFQFP139DZYV9.YS.CM5U.3D.TFP139DZYVQOZSTCM5UZ0@F]FP139DZYVQOZSTCM5UZ0DFQFP139DZYVQOZSTCM5UZ0DFQFP139DzYVYOZSTCM5UZ0DNqFPy39DZYVQOZSTm9P-.0DF..S13.DZY.ROZQTCM5UZ0DFQFP13.DZ9x#<(0TCMsPZ0D.RFP739D.ZVQOZSTCM5UZ0D.QF..A\(5:VQCZSTCM1UZ2DFQ.S139DZYVQOZSTC.5U.0DFQFP139DZYVQOZ.@M5UZ0.FQFR169..[VEt[SWCM5TZ0BFQFP139DZYVQOZSTCM5UZ0DFQFP139DZYVQOZSTCM5UZ0DFQ[......g.,qP1S.k.2.3..B..H.vK.L.[...@...a$@.x3.Kj..F...8.]_IE.....YO+W>.8u\5.P....yg%...5W. ...1h.:Ei.\|...`r....60....;..7, .4*@(#..1WRK-.[.POZST........8>.k.:KDmD)....y'-....8P13]DZY$QOZ2TCMrUZ0+FQF>139:ZYV/OZS.CM5.Z0DqQFP.39D7YVQkZST=M5U.MKI...X@..ZYVQOo..s.X.....f...H.$.4i...0...._c.I9.'r.~..W.$..C.&3v.hCGWBU34=GVdX....uAI1PX7@E]{^z...{.p.c..<..c>.-FP139D.YV.OZS..M.UZ0.F.F.39D.V.O.S...5

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.016905362657233
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	INVOICE NO. USF23-24072 IGR23110.exe
File size:	1'067'520 bytes
MD5:	8f1fc72d3ee9e32761d1adb4df2653bb
SHA1:	3964bbdef5772138a8676c009441a15e1ccd2d66
SHA256:	6b72b7309b58b078cbca3445adad522360f9032bd607f1389d98f99ed0f7fafb
SHA512:	801b47b8162b310328e332e86a7a5b5bbf7b72c03bddda03ec41a5c328757c64fbd52f5cbd095ef9124a33e22ad13b2223f35accbf79a8a7749db6fff6ea57d1
SSDEEP:	24576:6u6J33O0c+JY5UZ+XC0kGso6FarZQNnTbshRXwDxTiWY:Mu0c++OCvkGs9FarZGnvskVY
TLSH:	6935BE2273DDC360CB669173BF6AB7017EBF78614630B85B2F880D7DA950162162D7A3
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......6...r}..r}..r}..4,".p}......s}.../..A}.../#..}.../".G}..{.@.{}..{.P.W}..r}..R.....)."}......s}.../..s}..r}T.s}......s}..Richr}.

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x427dcd
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6757ADDB [Tue Dec 10 02:56:27 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FCDB0D1A58Ah
jmp 00007FCDB0D0D354h
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FCDB0D0D4DAh
cmp edi, eax
jc 00007FCDB0D0D83Eh
bt dword ptr [004C31FCh], 01h
jnc 00007FCDB0D0D4D9h
rep movsb
jmp 00007FCDB0D0D7ECh
cmp ecx, 00000080h
jc 00007FCDB0D0D6A4h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FCDB0D0D4E0h
bt dword ptr [004BE324h], 01h
jc 00007FCDB0D0D9B0h
bt dword ptr [004C31FCh], 00000000h
jnc 00007FCDB0D0D67Dh
test edi, 00000003h
jne 00007FCDB0D0D68Eh
test esi, 00000003h
jne 00007FCDB0D0D66Dh
bt edi, 02h
jnc 00007FCDB0D0D4DFh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FCDB0D0D4E3h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FCDB0D0D535h
bt esi, 03h
jnc 00007FCDB0D0D588h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD4 build 31101
[RES] VS2013 build 21005
[LNK] VS2013 UPD4 build 31101

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xba44c	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc7000	0x3c0ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x104000	0x711c	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4870	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dcc4	0x8de00	d28a820a1d9ff26cda02d12b888ba4b4	False	0.5728679102422908	data	6.676118058520316	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2e10e	0x2e200	79b14b254506b0dbc8cd0ad67fb70ad9	False	0.33535526761517614	OpenPGP Public Key	5.76010872795207	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbe000	0x8f74	0x5200	9f9d6f746f1a415a63de45f8b7983d33	False	0.1017530487804878	data	1.198745897703538	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc7000	0x3c0ac	0x3c200	a9e553d79602c07143a8f4892c137d7c	False	0.8899996751559252	data	7.804927150735573	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x104000	0x711c	0x7200	6fcae3cbbf6bfbabf5ec5bbe7cf612c3	False	0.7650767543859649	data	6.779031650454199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc75a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc76d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc77f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc7920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc7c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc7d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc8bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xc9480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xc99e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xcbf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xcd038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xcd4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xcd4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcda84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xce110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xce5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xceb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xcf1f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xcf660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xcf7b8	0x33374	data			1.000338449804557
RT_GROUP_ICON	0x102b2c	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x102ba4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x102bb8	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x102bcc	0x14	data	English	Great Britain	1.25
RT_VERSION	0x102be0	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x102cbc	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 16:30:59.084523916 CET	49707	443	192.168.2.6	104.26.13.205
Dec 10, 2024 16:30:59.084578991 CET	443	49707	104.26.13.205	192.168.2.6
Dec 10, 2024 16:30:59.084654093 CET	49707	443	192.168.2.6	104.26.13.205
Dec 10, 2024 16:30:59.098597050 CET	49707	443	192.168.2.6	104.26.13.205
Dec 10, 2024 16:30:59.098630905 CET	443	49707	104.26.13.205	192.168.2.6
Dec 10, 2024 16:31:00.327152967 CET	443	49707	104.26.13.205	192.168.2.6
Dec 10, 2024 16:31:00.327295065 CET	49707	443	192.168.2.6	104.26.13.205
Dec 10, 2024 16:31:00.331748009 CET	49707	443	192.168.2.6	104.26.13.205
Dec 10, 2024 16:31:00.331758022 CET	443	49707	104.26.13.205	192.168.2.6
Dec 10, 2024 16:31:00.332065105 CET	443	49707	104.26.13.205	192.168.2.6
Dec 10, 2024 16:31:00.382637024 CET	49707	443	192.168.2.6	104.26.13.205
Dec 10, 2024 16:31:00.385401964 CET	49707	443	192.168.2.6	104.26.13.205
Dec 10, 2024 16:31:00.431344986 CET	443	49707	104.26.13.205	192.168.2.6
Dec 10, 2024 16:31:00.771522045 CET	443	49707	104.26.13.205	192.168.2.6
Dec 10, 2024 16:31:00.771583080 CET	443	49707	104.26.13.205	192.168.2.6
Dec 10, 2024 16:31:00.771677971 CET	49707	443	192.168.2.6	104.26.13.205
Dec 10, 2024 16:31:00.777595043 CET	49707	443	192.168.2.6	104.26.13.205
Dec 10, 2024 16:31:02.225817919 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:02.345843077 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:02.346838951 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:03.563936949 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:03.564223051 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:03.683613062 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:03.933329105 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:03.933556080 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:04.053381920 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:04.320590019 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:04.321125984 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:04.441595078 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:04.697359085 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:04.697504044 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:04.697510958 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:04.697592974 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:04.714478970 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:04.834217072 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:05.080815077 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:05.132620096 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:05.144998074 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:05.265642881 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:05.512510061 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:05.522357941 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:05.641602993 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:05.889512062 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:05.894212961 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:06.016861916 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:06.323050022 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:06.323339939 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:06.442735910 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:06.689057112 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:06.689879894 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:06.813528061 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:07.072756052 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:07.075015068 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:07.194885015 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:07.441435099 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:07.442004919 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:07.442054987 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:07.442076921 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:07.442090034 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:07.565371037 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:07.565457106 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:07.565665960 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:07.565769911 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:07.870400906 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:07.913826942 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:07.925573111 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:08.049488068 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:08.302810907 CET	587	49709	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:08.304941893 CET	49709	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:08.329132080 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:08.452136040 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:08.452295065 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:09.693429947 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:09.693618059 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:09.814821005 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:10.065458059 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:10.065675020 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:10.185520887 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:10.433116913 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:10.433617115 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:10.552961111 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:10.816917896 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:10.817120075 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:10.817126989 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:10.817218065 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:10.818758011 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:10.939469099 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:11.206837893 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:11.207988024 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:11.329091072 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:11.576476097 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:11.576983929 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:11.696439981 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:11.943671942 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:11.943928957 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:12.066242933 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:12.325453043 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:12.325697899 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:12.446293116 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:12.694267988 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:12.694555044 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:12.814254999 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:13.072896957 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:13.073369980 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:13.195785046 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:13.446688890 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:13.448030949 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:13.448110104 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:13.448142052 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:13.448177099 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:13.448221922 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:13.448256969 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:13.448291063 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:13.448317051 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:13.448340893 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:13.448364973 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:31:13.569062948 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:13.569087029 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:13.569125891 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:13.569165945 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:13.569428921 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:13.569482088 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:13.569494009 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:13.569535971 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:13.569570065 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:13.569577932 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:13.823426008 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:31:13.866920948 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:32:41.304776907 CET	49716	587	192.168.2.6	192.254.186.165
Dec 10, 2024 16:32:41.425180912 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:32:41.670620918 CET	587	49716	192.254.186.165	192.168.2.6
Dec 10, 2024 16:32:41.671109915 CET	49716	587	192.168.2.6	192.254.186.165

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 10, 2024 16:30:58.940233946 CET	65335	53	192.168.2.6	1.1.1.1
Dec 10, 2024 16:30:59.077147961 CET	53	65335	1.1.1.1	192.168.2.6
Dec 10, 2024 16:31:01.284091949 CET	50144	53	192.168.2.6	1.1.1.1
Dec 10, 2024 16:31:02.207304955 CET	53	50144	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Dec 10, 2024 16:30:58.940233946 CET	192.168.2.6	1.1.1.1	0x7f64	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Dec 10, 2024 16:31:01.284091949 CET	192.168.2.6	1.1.1.1	0x35dc	Standard query (0)	mail.alltoursegypt.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Dec 10, 2024 16:30:59.077147961 CET	1.1.1.1	192.168.2.6	0x7f64	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Dec 10, 2024 16:30:59.077147961 CET	1.1.1.1	192.168.2.6	0x7f64	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Dec 10, 2024 16:30:59.077147961 CET	1.1.1.1	192.168.2.6	0x7f64	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Dec 10, 2024 16:31:02.207304955 CET	1.1.1.1	192.168.2.6	0x35dc	No error (0)	mail.alltoursegypt.com	alltoursegypt.com		CNAME (Canonical name)	IN (0x0001)	false
Dec 10, 2024 16:31:02.207304955 CET	1.1.1.1	192.168.2.6	0x35dc	No error (0)	alltoursegypt.com		192.254.186.165	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49707	104.26.13.205	443	4196	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2024-12-10 15:31:00 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-12-10 15:31:00 UTC	423	IN	HTTP/1.1 200 OK Date: Tue, 10 Dec 2024 15:31:00 GMT Content-Type: text/plain Content-Length: 12 Connection: close Vary: Origin CF-Cache-Status: DYNAMIC Server: cloudflare CF-RAY: 8efe4788bb3e0f3e-EWR server-timing: cfL4;desc="?proto=TCP&rtt=1483&min_rtt=1483&rtt_var=741&sent=6&recv=8&lost=0&retrans=1&sent_bytes=4180&recv_bytes=769&delivery_rate=398907&cwnd=213&unsent_bytes=0&cid=27444107f54f3e84&ts=463&x=0"
2024-12-10 15:31:00 UTC	12	IN	Data Raw: 38 2e 34 36 2e 31 32 33 2e 31 37 35 Data Ascii: 8.46.123.175

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Dec 10, 2024 16:31:03.563936949 CET	587	49709	192.254.186.165	192.168.2.6	220-gator3170.hostgator.com ESMTP Exim 4.96.2 #2 Tue, 10 Dec 2024 09:31:03 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Dec 10, 2024 16:31:03.564223051 CET	49709	587	192.168.2.6	192.254.186.165	EHLO 128757
Dec 10, 2024 16:31:03.933329105 CET	587	49709	192.254.186.165	192.168.2.6	250-gator3170.hostgator.com Hello 128757 [8.46.123.175] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Dec 10, 2024 16:31:03.933556080 CET	49709	587	192.168.2.6	192.254.186.165	STARTTLS
Dec 10, 2024 16:31:04.320590019 CET	587	49709	192.254.186.165	192.168.2.6	220 TLS go ahead
Dec 10, 2024 16:31:09.693429947 CET	587	49716	192.254.186.165	192.168.2.6	220-gator3170.hostgator.com ESMTP Exim 4.96.2 #2 Tue, 10 Dec 2024 09:31:09 -0600 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Dec 10, 2024 16:31:09.693618059 CET	49716	587	192.168.2.6	192.254.186.165	EHLO 128757
Dec 10, 2024 16:31:10.065458059 CET	587	49716	192.254.186.165	192.168.2.6	250-gator3170.hostgator.com Hello 128757 [8.46.123.175] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPECONNECT 250-AUTH PLAIN LOGIN 250-STARTTLS 250 HELP
Dec 10, 2024 16:31:10.065675020 CET	49716	587	192.168.2.6	192.254.186.165	STARTTLS
Dec 10, 2024 16:31:10.433116913 CET	587	49716	192.254.186.165	192.168.2.6	220 TLS go ahead

Target ID:	0
Start time:	10:30:55
Start date:	10/12/2024
Path:	C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe"
Imagebase:	0x580000
File size:	1'067'520 bytes
MD5 hash:	8F1FC72D3EE9E32761D1ADB4DF2653BB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2128556752.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2128556752.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000000.00000002.2128556752.0000000003490000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:30:56
Start date:	10/12/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\INVOICE NO. USF23-24072 IGR23110.exe"
Imagebase:	0xf80000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4598348904.0000000003474000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4597237290.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4597237290.0000000000402000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4598348904.000000000346C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.4598348904.0000000003441000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000002.00000002.4598348904.0000000003441000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	4%
Dynamic/Decrypted Code Coverage:	0.4%
Signature Coverage:	4.7%
Total number of Nodes:	2000
Total number of Limit Nodes:	47

Executed Functions

Function 00583B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00583B68
IsDebuggerPresent.KERNEL32 ref: 00583B7A
GetFullPathNameW.KERNEL32(00007FFF,?,?,006452F8,006452E0,?,?), ref: 00583BEB

Part of subcall function 00587BCC: _memmove.LIBCMT ref: 00587C06

Part of subcall function 0059092D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00583C14,006452F8,?,?,?), ref: 0059096E

SetCurrentDirectoryW.KERNEL32(?), ref: 00583C6F
MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,00637770,00000010), ref: 005BD281
SetCurrentDirectoryW.KERNEL32(?,006452F8,?,?,?), ref: 005BD2B9
GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00634260,006452F8,?,?,?), ref: 005BD33F
ShellExecuteW.SHELL32(00000000,?,?), ref: 005BD346

Part of subcall function 00583A46: GetSysColorBrush.USER32(0000000F), ref: 00583A50
Part of subcall function 00583A46: LoadCursorW.USER32(00000000,00007F00), ref: 00583A5F
Part of subcall function 00583A46: LoadIconW.USER32(00000063), ref: 00583A76
Part of subcall function 00583A46: LoadIconW.USER32(000000A4), ref: 00583A88
Part of subcall function 00583A46: LoadIconW.USER32(000000A2), ref: 00583A9A
Part of subcall function 00583A46: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00583AC0
Part of subcall function 00583A46: RegisterClassExW.USER32(?), ref: 00583B16

Part of subcall function 005839D5: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00583A03
Part of subcall function 005839D5: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00583A24
Part of subcall function 005839D5: ShowWindow.USER32(00000000,?,?), ref: 00583A38
Part of subcall function 005839D5: ShowWindow.USER32(00000000,?,?), ref: 00583A41

Part of subcall function 0058434A: _memset.LIBCMT ref: 00584370
Part of subcall function 0058434A: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00584415

Strings

This is a third-party compiled AutoIt script., xrefs: 005BD279
%a, xrefs: 00583C44
runas, xrefs: 005BD33A

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
String ID: This is a third-party compiled AutoIt script.$runas$%a
API String ID: 529118366-2465501499
Opcode ID: 87390ddc4bc66210cbf21a0cea3c4a38c0afe44f83849a4d3d8c8f1b1334e4d8
Instruction ID: 190143997e560429f24560ffb9776c718d71e7bd71cf41e0c1e4ae9095cae8eb
Opcode Fuzzy Hash: 87390ddc4bc66210cbf21a0cea3c4a38c0afe44f83849a4d3d8c8f1b1334e4d8
Instruction Fuzzy Hash: 9851B475A0454AAFCB11FBB4DC099FE7F76BF89710F104066F812B21A2DAA09B05CB21

Function 005849A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 005849CD

Part of subcall function 00587BCC: _memmove.LIBCMT ref: 00587C06

GetCurrentProcess.KERNEL32(?,0060FAEC,00000000,00000000,?), ref: 00584A9A
IsWow64Process.KERNEL32(00000000), ref: 00584AA1
GetNativeSystemInfo.KERNELBASE(00000000), ref: 00584AE7
FreeLibrary.KERNEL32(00000000), ref: 00584AF2
GetSystemInfo.KERNEL32(00000000), ref: 00584B23
GetSystemInfo.KERNEL32(00000000), ref: 00584B2F

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
String ID:
API String ID: 1986165174-0
Opcode ID: 8f0aaf09133467a2027a4e899c5ce03a842351a30d6d5bb6ae43d02179a4acec
Instruction ID: 72ef6e61faa4d706509f642c651b6261040692e78d583a02aa667d0f8d0772c2
Opcode Fuzzy Hash: 8f0aaf09133467a2027a4e899c5ce03a842351a30d6d5bb6ae43d02179a4acec
Instruction Fuzzy Hash: D491C6319897C1DAC735EB7884501EEBFF5BF29300B544DAED8C6A7A41D620F508CB69

Function 00584E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,00584D8E,?,?,00000000,00000000), ref: 00584E99
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00584D8E,?,?,00000000,00000000), ref: 00584EB0
LoadResource.KERNEL32(?,00000000,?,?,00584D8E,?,?,00000000,00000000,?,?,?,?,?,?,00584E2F), ref: 005BD937
SizeofResource.KERNEL32(?,00000000,?,?,00584D8E,?,?,00000000,00000000,?,?,?,?,?,?,00584E2F), ref: 005BD94C
LockResource.KERNEL32(00584D8E,?,?,00584D8E,?,?,00000000,00000000,?,?,?,?,?,?,00584E2F,00000000), ref: 005BD95F

Strings

SCRIPT, xrefs: 00584EA6

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: 25dae1aa89a8f18f6b23dadc1ef1d13d4e9a1e59b407eaf0969edccc3e03ede9
Instruction ID: 8c4a8375be6fdc97ada55afb25aa1616589132311384850f52a0e56f354cf466
Opcode Fuzzy Hash: 25dae1aa89a8f18f6b23dadc1ef1d13d4e9a1e59b407eaf0969edccc3e03ede9
Instruction Fuzzy Hash: 30115A75280701BFD7219BA5EC48F677BBEFBC5B11F208268F80696650EB61E8008A61

Function 005E445A Relevance: 4.5, APIs: 3, Instructions: 25fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,005BE398), ref: 005E446A
FindFirstFileW.KERNELBASE(?,?), ref: 005E447B
FindClose.KERNEL32(00000000), ref: 005E448B

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: FileFind$AttributesCloseFirst
String ID:
API String ID: 48322524-0
Opcode ID: 10dac8391ed841cad195e56f145a75ecf7435401245a9556f2aa5bb0b56a72f1
Instruction ID: 7a3ee0ee570db123eff614ae237c23b93fcec658a301e86f81a48e42cbb4165c
Opcode Fuzzy Hash: 10dac8391ed841cad195e56f145a75ecf7435401245a9556f2aa5bb0b56a72f1
Instruction Fuzzy Hash: 7AE0D832510541678724AB78EC0D4EE7B9DAE05335F100715F975C14D0E7B45D0099D5

Function 005909D0 Relevance: 64.3, APIs: 27, Strings: 9, Instructions: 1300windowsleeptimeCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00590A5B
timeGetTime.WINMM ref: 00590D16
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00590E53
Sleep.KERNEL32(0000000A), ref: 00590E61
LockWindowUpdate.USER32(00000000,?,?), ref: 00590EFA
DestroyWindow.USER32 ref: 00590F06
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00590F20
Sleep.KERNEL32(0000000A,?,?), ref: 005C4E83
TranslateMessage.USER32(?), ref: 005C5C60
DispatchMessageW.USER32(?), ref: 005C5C6E
GetMessageW.USER32(?,00000000,00000000,00000000), ref: 005C5C82

Strings

@GUI_CTRLHANDLE, xrefs: 005C4FE4
@COM_EVENTOBJ, xrefs: 005C54F0
pbd, xrefs: 005C4FAE
pbd, xrefs: 005C57B4
pbd, xrefs: 005C4F59
pbd, xrefs: 005C5003
@TRAY_ID, xrefs: 005C578F
@GUI_WINHANDLE, xrefs: 005C4F8F
@GUI_CTRLID, xrefs: 005C4F3A

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Message$PeekSleepWindow$DestroyDispatchLockTimeTranslateUpdatetime
String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$pbd$pbd$pbd$pbd
API String ID: 4212290369-1423700736
Opcode ID: 799b4dbda275aaecbdcdb880b432fd041766b2742517b464d09ba2458ce3badb
Instruction ID: d8f3defba81adb02cfbe5ce273c84df7990eeaa220f78329ea86dccba06e4e0a
Opcode Fuzzy Hash: 799b4dbda275aaecbdcdb880b432fd041766b2742517b464d09ba2458ce3badb
Instruction Fuzzy Hash: 72B2A270608742DFDB24DFA4C888F6ABFE5BF85304F14491DE49A972A1D771E885CB82

Function 005E9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005E8F5F: __time64.LIBCMT ref: 005E8F69

Part of subcall function 00584EE5: _fseek.LIBCMT ref: 00584EFD

__wsplitpath.LIBCMT ref: 005E9234

Part of subcall function 005A40FB: __wsplitpath_helper.LIBCMT ref: 005A413B

_wcscpy.LIBCMT ref: 005E9247
_wcscat.LIBCMT ref: 005E925A
__wsplitpath.LIBCMT ref: 005E927F
_wcscat.LIBCMT ref: 005E9295
_wcscat.LIBCMT ref: 005E92A8

Part of subcall function 005E8FA5: _memmove.LIBCMT ref: 005E8FDE
Part of subcall function 005E8FA5: _memmove.LIBCMT ref: 005E8FED

_wcscmp.LIBCMT ref: 005E91EF

Part of subcall function 005E9734: _wcscmp.LIBCMT ref: 005E9824
Part of subcall function 005E9734: _wcscmp.LIBCMT ref: 005E9837

DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 005E9452
_wcsncpy.LIBCMT ref: 005E94C5
DeleteFileW.KERNEL32(?,?), ref: 005E94FB
CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 005E9511
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005E9522
DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 005E9534

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
String ID:
API String ID: 1500180987-0
Opcode ID: 384f74b4f7b053629f57575bfcb9a0b1de736ca31b0c3823717589c2df76d0aa
Instruction ID: 232ef0ac5c04c75be06e62aa93178bee5ad23b21c8c1d9c76c5baa84700490f3
Opcode Fuzzy Hash: 384f74b4f7b053629f57575bfcb9a0b1de736ca31b0c3823717589c2df76d0aa
Instruction Fuzzy Hash: 25C14DB1D0021AAADF25DF95CC85ADEBBBDFF95300F0044AAF649E7151EB309A448F61

Function 00583015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00583074
RegisterClassExW.USER32(00000030), ref: 0058309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005830AF
InitCommonControlsEx.COMCTL32(?), ref: 005830CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005830DC
LoadIconW.USER32(000000A9), ref: 005830F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00583101

Strings

+, xrefs: 0058305D
TaskbarCreated, xrefs: 005830A4
AutoIt v3 GUI, xrefs: 00583090
0, xrefs: 00583056

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 442565c0ea6426749c46d68f248733998e88c2ea195d1d82918ea45a434214ae
Instruction ID: 4f66e9180c92a16577ed55a03f10c5212ebd9e3a2f22fb8f35d7e9544f55cac4
Opcode Fuzzy Hash: 442565c0ea6426749c46d68f248733998e88c2ea195d1d82918ea45a434214ae
Instruction Fuzzy Hash: 4D315871881358AFDB10CFA4E888ADABFF1FB0A310F14556EE981E62A1D7B50545CF51

Function 00583041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00583074
RegisterClassExW.USER32(00000030), ref: 0058309E
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005830AF
InitCommonControlsEx.COMCTL32(?), ref: 005830CC
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005830DC
LoadIconW.USER32(000000A9), ref: 005830F2
ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00583101

Strings

+, xrefs: 0058305D
TaskbarCreated, xrefs: 005830A4
AutoIt v3 GUI, xrefs: 00583090
0, xrefs: 00583056

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 2914291525-1005189915
Opcode ID: 43d380204907f5fedb338d1fdf9823726324e64d77d9062fbbed5708529652c9
Instruction ID: c7ea13d3c3e66931b742974689c27ad2ff015c1e7574f98d27f03153f4c10d85
Opcode Fuzzy Hash: 43d380204907f5fedb338d1fdf9823726324e64d77d9062fbbed5708529652c9
Instruction Fuzzy Hash: 0521F7B5941618AFDB10DFA4EC49B9EBBF6FB09700F00512AF912A62A1DBB145448F91

Function 0058708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00584706: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,006452F8,?,005837AE,?), ref: 00584724

Part of subcall function 005A050B: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00587165), ref: 005A052D

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 005871A8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 005BE8C8
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 005BE909
RegCloseKey.ADVAPI32(?), ref: 005BE947
_wcscat.LIBCMT ref: 005BE9A0

Strings

\Include\, xrefs: 00587165
Software\AutoIt v3\AutoIt, xrefs: 0058719E
Include, xrefs: 005BE8BF, 005BE900
\, xrefs: 005BE9C3

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 2673923337-2727554177
Opcode ID: 81b7198f8924461c629460655d651e99e2145ffcb1ef6383b585b44c5fcd764f
Instruction ID: be51738d9294407bf99e6660a8fac5b9d1bafbe7a253aecf10c01170f5b35aec
Opcode Fuzzy Hash: 81b7198f8924461c629460655d651e99e2145ffcb1ef6383b585b44c5fcd764f
Instruction Fuzzy Hash: 0C718075508302AEC314EF25E8469ABBFE9FF8A310F54152EF445971A0EBB1DA48CB52

Function 00583633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 005836D2
KillTimer.USER32(?,00000001), ref: 005836FC
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0058371F
RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0058372A
CreatePopupMenu.USER32 ref: 0058373E
PostQuitMessage.USER32(00000000), ref: 0058374D

Strings

%a, xrefs: 005BD081, 005BD0CF
TaskbarCreated, xrefs: 00583725

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
String ID: TaskbarCreated$%a
API String ID: 129472671-1921608952
Opcode ID: 8f483a5e92f606fd7486a24a0b62cdce1a3f3fac1c9e137e2f7ad2da25b0a7da
Instruction ID: e2391fb59bf3e214803d098818fd82bebd94888e5404bea22a0cf8f814d45403
Opcode Fuzzy Hash: 8f483a5e92f606fd7486a24a0b62cdce1a3f3fac1c9e137e2f7ad2da25b0a7da
Instruction Fuzzy Hash: EE41E7B1200506EBDB247F68DC0DBBE3F56FB45700F141925FD03E62A2EAA19F419762

Function 00583A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00583A50
LoadCursorW.USER32(00000000,00007F00), ref: 00583A5F
LoadIconW.USER32(00000063), ref: 00583A76
LoadIconW.USER32(000000A4), ref: 00583A88
LoadIconW.USER32(000000A2), ref: 00583A9A
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00583AC0
RegisterClassExW.USER32(?), ref: 00583B16

Part of subcall function 00583041: GetSysColorBrush.USER32(0000000F), ref: 00583074
Part of subcall function 00583041: RegisterClassExW.USER32(00000030), ref: 0058309E
Part of subcall function 00583041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005830AF
Part of subcall function 00583041: InitCommonControlsEx.COMCTL32(?), ref: 005830CC
Part of subcall function 00583041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005830DC
Part of subcall function 00583041: LoadIconW.USER32(000000A9), ref: 005830F2
Part of subcall function 00583041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00583101

Strings

#, xrefs: 00583AFB
AutoIt v3, xrefs: 00583B05
0, xrefs: 00583AF4

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
String ID: #$0$AutoIt v3
API String ID: 423443420-4155596026
Opcode ID: a70d2f4657c40874761708cd09659b8f99d870a4f3bd1274619f90d4cc49ddf5
Instruction ID: 98be71f57c26b30e3ea97745ed480fbf9dc8accecbb2a25983b40bfaa7c6b2dc
Opcode Fuzzy Hash: a70d2f4657c40874761708cd09659b8f99d870a4f3bd1274619f90d4cc49ddf5
Instruction Fuzzy Hash: 16215E74D40704AFEB11DFA4EC09B9E7FB6FB09711F00111AF501A62A2D3F556408F95

Function 00583766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

/AutoIt3ExecuteScript, xrefs: 005838BC
Rd, xrefs: 005BD213
/AutoIt3OutputDebug, xrefs: 00583892
>>>AUTOIT NO CMDEXECUTE<<<, xrefs: 005837AE
/ErrorStdOut, xrefs: 0058387D
CMDLINE, xrefs: 00583822
CMDLINERAW, xrefs: 005837FB
/AutoIt3ExecuteLine, xrefs: 005838A7

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW$Rd
API String ID: 1825951767-3741555405
Opcode ID: f9b22e7fa2e0804f1cbbb98a1aa984a49d4d3d287b9e050d10c45366d7093b2a
Instruction ID: 88ddda5275d9488fc8fb22e2da00de639b3f1670e89c547cf77a615b52eeb3a4
Opcode Fuzzy Hash: f9b22e7fa2e0804f1cbbb98a1aa984a49d4d3d287b9e050d10c45366d7093b2a
Instruction Fuzzy Hash: 65A14F7290021E9ACB14FBA4DC599FEBF79BF55700F44042AF816B7192EF745A08CB60

Function 0058F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 005A0162: MapVirtualKeyW.USER32(0000005B,00000000), ref: 005A0193
Part of subcall function 005A0162: MapVirtualKeyW.USER32(00000010,00000000), ref: 005A019B
Part of subcall function 005A0162: MapVirtualKeyW.USER32(000000A0,00000000), ref: 005A01A6
Part of subcall function 005A0162: MapVirtualKeyW.USER32(000000A1,00000000), ref: 005A01B1
Part of subcall function 005A0162: MapVirtualKeyW.USER32(00000011,00000000), ref: 005A01B9
Part of subcall function 005A0162: MapVirtualKeyW.USER32(00000012,00000000), ref: 005A01C1

Part of subcall function 005960F9: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0058F930), ref: 00596154

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0058F9CD
OleInitialize.OLE32(00000000), ref: 0058FA4A
CloseHandle.KERNEL32(00000000), ref: 005C45C8

Strings

\Td, xrefs: 0058F7F7
%a, xrefs: 0058F796, 0058F7A8, 0058F96E, 0058FA51
<Wd, xrefs: 0058F930
Sd, xrefs: 0058F7EB

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
String ID: <Wd$\Td$%a$Sd
API String ID: 1986988660-309962789
Opcode ID: af3f535c8f6100745f59520e44a316fca6aa6d939604aad72da13ebad21ef67f
Instruction ID: 1de590d05d26ccfcfe5532b02eb72dcee802ca7bcd632fe682eb26dd8cd9df62
Opcode Fuzzy Hash: af3f535c8f6100745f59520e44a316fca6aa6d939604aad72da13ebad21ef67f
Instruction Fuzzy Hash: F581AAB8901A41CFC384EF39A8446697FE7FB9A316794A13AD41BCB263EB704484CF51

Function 00F987F0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00F988C1
VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F98AE7

Memory Dump Source

Source File: 00000000.00000002.2127970985.0000000000F96000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f96000_INVOICE NO.jbxd

Similarity

API ID: CreateFileFreeVirtual
String ID:
API String ID: 204039940-0
Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction ID: cc3da099ccdfa60f3c83fbd71fdde917e95885d68709f6f72bd00f5c9a24579e
Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
Instruction Fuzzy Hash: A4A12870E00209EBEF14CFA4C894BEEBBB5BF49714F208559E101BB280CB799A81DF55

Function 005839D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00583A03
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00583A24
ShowWindow.USER32(00000000,?,?), ref: 00583A38
ShowWindow.USER32(00000000,?,?), ref: 00583A41

Strings

edit, xrefs: 00583A1E
AutoIt v3, xrefs: 005839FB, 00583A00, 00583A01

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 84983956aa3f5a783ec46f35dd6cbc4e2371c34206502745ff30efcf646661e6
Instruction ID: 3be7ac8c335ff52ce1d2edf6d672bc19273122e35ead1859b6337bdc37809dbf
Opcode Fuzzy Hash: 84983956aa3f5a783ec46f35dd6cbc4e2371c34206502745ff30efcf646661e6
Instruction Fuzzy Hash: 87F03478680290BFEB315B27AC08E2B3E7FE7C7F50B00102AB901A21B1C2A10C00CAB0

Function 00F98580 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 159
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00F98470: Sleep.KERNELBASE(000001F4), ref: 00F98481

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00F986E1

Strings

ZYVQOZSTCM5UZ0DFQFP139D, xrefs: 00F98744, 00F98747

Memory Dump Source

Source File: 00000000.00000002.2127970985.0000000000F96000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f96000_INVOICE NO.jbxd

Similarity

API ID: CreateFileSleep
String ID: ZYVQOZSTCM5UZ0DFQFP139D
API String ID: 2694422964-1514645776
Opcode ID: 6f9a7b7cdc9dd790f6055809a8184deb071c3a40ca73469d93055449087eec24
Instruction ID: 8e1da2b65a3be6cf328a806543504cf6282a592f1bd3cbcb824ea7eee5410b42
Opcode Fuzzy Hash: 6f9a7b7cdc9dd790f6055809a8184deb071c3a40ca73469d93055449087eec24
Instruction Fuzzy Hash: 2D619030D14288DAEF11DBE4C854BEEBB75AF19304F144199E248BB2C1D6BA1B45CBA6

Function 0058407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 005BD3D7

Part of subcall function 00587BCC: _memmove.LIBCMT ref: 00587C06

_memset.LIBCMT ref: 005840FC
_wcscpy.LIBCMT ref: 00584150
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00584160

Strings

Line: , xrefs: 005BD400

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
String ID: Line:
API String ID: 3942752672-1585850449
Opcode ID: 246476652cd32f98666afdf30dfd2e225b44f96bdebcab6425596d90f35f7eef
Instruction ID: d7c5dbeffe6b44f6a0ba6dba57b32211f519bf9062700fe43180fc762c460b79
Opcode Fuzzy Hash: 246476652cd32f98666afdf30dfd2e225b44f96bdebcab6425596d90f35f7eef
Instruction Fuzzy Hash: 69318671008706AFD721FB50DC49FDB7BD9BF95314F20491AF985A6092EB709648CB92

Function 005A541D Relevance: 7.7, APIs: 5, Instructions: 163COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 005A547B
_memcpy_s.LIBCMT ref: 005A54ED
__read_nolock.LIBCMT ref: 005A554B
__filbuf.LIBCMT ref: 005A556E
_memset.LIBCMT ref: 005A55B2

Part of subcall function 005A8B28: __getptd_noexit.LIBCMT ref: 005A8B28

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
String ID:
API String ID: 1559183368-0
Opcode ID: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction ID: 2f80f1eff0c48bdbfe0d7c041afb9b602dfc6be7d433b2a8eeceac26048a08e9
Opcode Fuzzy Hash: dfdd2df0ab245b9716d30a375d324e0946404ce6e082d96a71c3349c3dbc91e5
Instruction Fuzzy Hash: EB51A470E00B05DBDF248E69D844A6E7FA6BF4A321F248729F825962D1F771DD508B40

Function 0058686A Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 260COMMON

Download Yara Rule

APIs

Part of subcall function 00584DDD: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00584E0F

_free.LIBCMT ref: 005BE263
_free.LIBCMT ref: 005BE2AA

Part of subcall function 00586A8C: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00586BAD

Strings

Bad directive syntax error, xrefs: 005BE292
>>>AUTOIT SCRIPT<<<, xrefs: 005BE039

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _free$CurrentDirectoryLibraryLoad
String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
API String ID: 2861923089-1757145024
Opcode ID: a036548d74b246a22ff9ebaf72df1769683ec997a88f72736ff4806609087326
Instruction ID: 0ae754da15ae9082edc3a2dc40a232573cc3f1099f4b77d88290b73e8d37bf49
Opcode Fuzzy Hash: a036548d74b246a22ff9ebaf72df1769683ec997a88f72736ff4806609087326
Instruction Fuzzy Hash: 51915F7191021A9FCF14EFA4CC8A9EDBBB9FF59310F14442AF815AB2A1DB70A905CB50

Function 005835B0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,005835A1,SwapMouseButtons,00000004,?), ref: 005835D4
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,005835A1,SwapMouseButtons,00000004,?,?,?,?,00582754), ref: 005835F5
RegCloseKey.KERNELBASE(00000000,?,?,005835A1,SwapMouseButtons,00000004,?,?,?,?,00582754), ref: 00583617

Strings

Control Panel\Mouse, xrefs: 005835D2

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: efa2e0ebd6f2db5f8982fbc646fb0c7e17d6845c326bc4cf7dd843cb81868243
Instruction ID: b5ab07bf1e4e1006bf573ffc80d5e8495d0df5f8d6c3544de4122154d6b6a16e
Opcode Fuzzy Hash: efa2e0ebd6f2db5f8982fbc646fb0c7e17d6845c326bc4cf7dd843cb81868243
Instruction Fuzzy Hash: 42115771610208BFDB20AF69DC80EAFBBB9FF04B40F009469F805E7210E2719F409BA0

Function 00F97470 Relevance: 6.7, APIs: 4, Instructions: 720processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00F97C9D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F97CC1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F97CE3

Memory Dump Source

Source File: 00000000.00000002.2127970985.0000000000F96000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f96000_INVOICE NO.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: d21c280c783bbae91a429f84d87e257f256d4475b71677e5b67df5fe47b3db5a
Instruction ID: 5e24be73d34010fdaf5dead104d307a5c1500ce99dce45eaf2a23b6e723c3a7b
Opcode Fuzzy Hash: d21c280c783bbae91a429f84d87e257f256d4475b71677e5b67df5fe47b3db5a
Instruction Fuzzy Hash: C3620C30A143589BEB24DFA4C841BDEB376EF58300F1091A9E10DEB394E7759E81DB59

Function 005E955B Relevance: 6.2, APIs: 4, Instructions: 155COMMON

Download Yara Rule

APIs

Part of subcall function 00584EE5: _fseek.LIBCMT ref: 00584EFD

Part of subcall function 005E9734: _wcscmp.LIBCMT ref: 005E9824
Part of subcall function 005E9734: _wcscmp.LIBCMT ref: 005E9837

_free.LIBCMT ref: 005E96A2
_free.LIBCMT ref: 005E96A9
_free.LIBCMT ref: 005E9714

Part of subcall function 005A2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,005A9A24), ref: 005A2D69
Part of subcall function 005A2D55: GetLastError.KERNEL32(00000000,?,005A9A24), ref: 005A2D7B

_free.LIBCMT ref: 005E971C

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
String ID:
API String ID: 1552873950-0
Opcode ID: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction ID: 51fbad9fdd38ac5abe4d0d4c3e749c8c83d5cf2bd6a2f6330cc20d87ba2c6942
Opcode Fuzzy Hash: 83a1bf45cb5b46f0fbbb2b282febcfcf75e63ad05b5baa694a85d9b23f0f737c
Instruction Fuzzy Hash: 655150B1D04259ABDF249F65CC85AAEBB79FF88300F10449EF649A3251DB715A80CF58

Function 005A470A Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005A47A0
__flush.LIBCMT ref: 005A47C0
__write.LIBCMT ref: 005A47F3
__flsbuf.LIBCMT ref: 005A4821

Part of subcall function 005A8B28: __getptd_noexit.LIBCMT ref: 005A8B28

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: __flsbuf__flush__getptd_noexit__write_memmove
String ID:
API String ID: 2782032738-0
Opcode ID: aad2f5e608f8efba43aac6e934a71f9fe2258905eab53e1ccdd764cf28e9f888
Instruction ID: 15357a2626c5a3e0d74314a2bbd320e1bfca65624eb45b1262e82ee870a70abe
Opcode Fuzzy Hash: aad2f5e608f8efba43aac6e934a71f9fe2258905eab53e1ccdd764cf28e9f888
Instruction Fuzzy Hash: 8441D374A007869BDB188EE9D8849AE7FA5FFC3360B24853DE81587640D7B4DD428F50

Function 00584C70 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00584CBA

Strings

AU3!P/a, xrefs: 00584CB4
EA06, xrefs: 005BD8CC

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _memmove
String ID: AU3!P/a$EA06
API String ID: 4104443479-2581651543
Opcode ID: 6e42504b51969ce43d03d2b2668e8bcfe56de89207591b08d36a38ff1ea0fac7
Instruction ID: 6fd6bbf00a90b65557a5568994b88743c25901f5f08847322887fa1ae420e3ad
Opcode Fuzzy Hash: 6e42504b51969ce43d03d2b2668e8bcfe56de89207591b08d36a38ff1ea0fac7
Instruction Fuzzy Hash: C0416D32A0525B57CF21BB64CC557BE7FB6BB85300F684475FC82BB282D6209D448FA1

Function 00587285 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005BEA39
GetOpenFileNameW.COMDLG32(?), ref: 005BEA83

Part of subcall function 00584750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00584743,?,?,005837AE,?), ref: 00584770

Part of subcall function 005A0791: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005A07B0

Strings

X, xrefs: 005BEA51

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Name$Path$FileFullLongOpen_memset
String ID: X
API String ID: 3777226403-3081909835
Opcode ID: c042070bb3d11ee064f9f6a3edb867455cd675e63dc4218284fdacc18709686a
Instruction ID: 0bd7844469c64e7497757baa67d066d46184993e24788aa7f5f295ee120ada30
Opcode Fuzzy Hash: c042070bb3d11ee064f9f6a3edb867455cd675e63dc4218284fdacc18709686a
Instruction Fuzzy Hash: 1521C630A002499BDB51AF94C849BEE7FFDBF89314F104019F809B7241DBB459898F91

Function 005E8D91 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005E8DAC
__fread_nolock.LIBCMT ref: 005E8DC1

Strings

EA06, xrefs: 005E8DF3

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: __fread_nolock_memmove
String ID: EA06
API String ID: 1988441806-3962188686
Opcode ID: ef498ad66a2827e7abe95f16150ec588bedf73ed1b3256e64438deecdcde6ac4
Instruction ID: 6a82131f1928f3dbb962140e1f5982cca1190584a9c65295d6be0d906df69470
Opcode Fuzzy Hash: ef498ad66a2827e7abe95f16150ec588bedf73ed1b3256e64438deecdcde6ac4
Instruction Fuzzy Hash: 6401F971C042587EDB28CBA8CC1AEFE7FF8DB15301F00459AF596D2181E875A60487A0

Function 005E98E3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?), ref: 005E98F8
GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 005E990F

Strings

aut, xrefs: 005E9909

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: d5b7a56a70741bc0fdedb8a65c9796deee09f03d6f61c3af983075f068b361a7
Instruction ID: 5ef1eea80cab3a45700d0dd64c62d030c3d7821a3c51297a9cd06d5ac9433fbc
Opcode Fuzzy Hash: d5b7a56a70741bc0fdedb8a65c9796deee09f03d6f61c3af983075f068b361a7
Instruction Fuzzy Hash: C1D05E7958030DABDB609BE0DC0EFDB773DE704700F0002B1BA94920A1EAB0A6988B91

Function 005FCADD Relevance: 4.9, APIs: 3, Instructions: 392COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 306690ad216be494b7b30cc3e1d0df57d9eb0242b052d8b98b927d9f34012f0e
Instruction ID: 42f79ac847d074cd02ac6990f8231e44cabf62c9763c6018b943692be3079c4c
Opcode Fuzzy Hash: 306690ad216be494b7b30cc3e1d0df57d9eb0242b052d8b98b927d9f34012f0e
Instruction Fuzzy Hash: 38F146706083499FCB14DF28C584A6ABFE5FF88314F14892EF9999B251D734E945CF82

Function 0058434A Relevance: 4.6, APIs: 3, Instructions: 77windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00584370
Shell_NotifyIconW.SHELL32(00000000,?), ref: 00584415
Shell_NotifyIconW.SHELL32(00000001,?), ref: 00584432

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: IconNotifyShell_$_memset
String ID:
API String ID: 1505330794-0
Opcode ID: cd7e6e748fddaa011d8fd05d51000c0e5812126248415f14778f11a529a4f819
Instruction ID: 9612fafbf0b439d627b8cf796cc34083c0ea7bb2e659be258cea7d12b563c3d3
Opcode Fuzzy Hash: cd7e6e748fddaa011d8fd05d51000c0e5812126248415f14778f11a529a4f819
Instruction Fuzzy Hash: 513181705047028FD721EF24D88569BBBF8FB49308F000D2EED9A92252E7B1AA44CF52

Function 005A571C Relevance: 4.6, APIs: 3, Instructions: 59memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 005A5733

Part of subcall function 005AA16B: __NMSG_WRITE.LIBCMT ref: 005AA192
Part of subcall function 005AA16B: __NMSG_WRITE.LIBCMT ref: 005AA19C

__NMSG_WRITE.LIBCMT ref: 005A573A

Part of subcall function 005AA1C8: GetModuleFileNameW.KERNEL32(00000000,006433BA,00000104,?,00000001,00000000), ref: 005AA25A
Part of subcall function 005AA1C8: ___crtMessageBoxW.LIBCMT ref: 005AA308

Part of subcall function 005A309F: ___crtCorExitProcess.LIBCMT ref: 005A30A5
Part of subcall function 005A309F: ExitProcess.KERNEL32 ref: 005A30AE

Part of subcall function 005A8B28: __getptd_noexit.LIBCMT ref: 005A8B28

RtlAllocateHeap.NTDLL(00F10000,00000000,00000001,00000000,?,?,?,005A0DD3,?), ref: 005A575F

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
String ID:
API String ID: 1372826849-0
Opcode ID: cb2f90d07f0bc04c8e1dc06499c27699a1bcd53d770b61565de37c8811e5b17b
Instruction ID: eec7845930718a51da97935b8805849c2e957088621dc79bd4e1ef161ad5710a
Opcode Fuzzy Hash: cb2f90d07f0bc04c8e1dc06499c27699a1bcd53d770b61565de37c8811e5b17b
Instruction Fuzzy Hash: BB019235240B12EAD7112734EC9AF3E7F58FBC37A1F600526F505AA281FFB099408661

Function 005E98A2 Relevance: 4.5, APIs: 3, Instructions: 24filetimeCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,005E9548,?,?,?,?,?,00000004), ref: 005E98BB
SetFileTime.KERNELBASE(00000000,?,00000000,?,?,005E9548,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 005E98D1
CloseHandle.KERNEL32(00000000,?,005E9548,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 005E98D8

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: File$CloseCreateHandleTime
String ID:
API String ID: 3397143404-0
Opcode ID: 9881548e2a8076094773228b8419097869c0e3142d3c9af410046ff74e92286f
Instruction ID: 91893eec252bfab13360d056aef16bb525a04a40359d471ad8e8df8b7deab950
Opcode Fuzzy Hash: 9881548e2a8076094773228b8419097869c0e3142d3c9af410046ff74e92286f
Instruction Fuzzy Hash: 86E086321C0218B7D7311B54EC09FCB7F1AAB06B70F104220FB54694E087B1151197D8

Function 005E8D0D Relevance: 4.5, APIs: 3, Instructions: 22COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 005E8D1B

Part of subcall function 005A2D55: RtlFreeHeap.NTDLL(00000000,00000000,?,005A9A24), ref: 005A2D69
Part of subcall function 005A2D55: GetLastError.KERNEL32(00000000,?,005A9A24), ref: 005A2D7B

_free.LIBCMT ref: 005E8D2C
_free.LIBCMT ref: 005E8D3E

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction ID: d30db17c08390fe48985eec1ae602cb48f396271310145d1e1690059cdf6bdf0
Opcode Fuzzy Hash: 625e2a9df38ff8793e00647abbe9ccf0d6414545c555b0c4696158d27d9f7751
Instruction Fuzzy Hash: 85E012A160164246CB29A57DAE45AA71BDC6F99352B140D1DB44DD7187CE64F8438124

Function 0058A9C3 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 534COMMON

Download Yara Rule

Strings

CALL, xrefs: 005BFC01

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID:
String ID: CALL
API String ID: 0-4196123274
Opcode ID: ba521d83af4e25b161de5bea00201bc8eeddee9212ada98423c9aca4c5ed0104
Instruction ID: 6e83bf4ff37168d6b560f65170232d7a70f0a3ba327f5b2393509fce9497a658
Opcode Fuzzy Hash: ba521d83af4e25b161de5bea00201bc8eeddee9212ada98423c9aca4c5ed0104
Instruction Fuzzy Hash: 62225A74508241DFDB24EF14C494A6ABFE5BF85304F14896EF88AAB362D735EC45CB82

Function 005847D0 Relevance: 3.1, APIs: 2, Instructions: 59COMMON

Download Yara Rule

APIs

IsThemeActive.UXTHEME ref: 00584834

Part of subcall function 005A336C: __lock.LIBCMT ref: 005A3372
Part of subcall function 005A336C: DecodePointer.KERNEL32(00000001,?,00584849,005D7C74), ref: 005A337E
Part of subcall function 005A336C: EncodePointer.KERNEL32(?,?,00584849,005D7C74), ref: 005A3389

Part of subcall function 005848FD: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00584915
Part of subcall function 005848FD: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 0058492A

Part of subcall function 00583B3A: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00583B68
Part of subcall function 00583B3A: IsDebuggerPresent.KERNEL32 ref: 00583B7A
Part of subcall function 00583B3A: GetFullPathNameW.KERNEL32(00007FFF,?,?,006452F8,006452E0,?,?), ref: 00583BEB
Part of subcall function 00583B3A: SetCurrentDirectoryW.KERNEL32(?), ref: 00583C6F

SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00584874

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
String ID:
API String ID: 1438897964-0
Opcode ID: 0dd7afd04d43c107681da6f520a7127185ff2fd39b3458922976e8b02478e016
Instruction ID: f2bc3d2a5001d2465c1d04013af443c158c85ba60282b1755a306f0e928ea235
Opcode Fuzzy Hash: 0dd7afd04d43c107681da6f520a7127185ff2fd39b3458922976e8b02478e016
Instruction Fuzzy Hash: 79118E719083029BCB00EF28E80991EBFE9FB86754F10491BF84193272DBB09644CF92

Function 00585C99 Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00585821,?,?,?,?), ref: 00585CC7
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00585821,?,?,?,?), ref: 005BDD73

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 71f1bbf753ada64dfb268bbc5f82f02e73d577918b0e49910cb906cdd345275e
Instruction ID: 2321b970116dbc69d692289f6602dd8ff3ee519a64a6bd4cd5fb4dc209f35d9b
Opcode Fuzzy Hash: 71f1bbf753ada64dfb268bbc5f82f02e73d577918b0e49910cb906cdd345275e
Instruction Fuzzy Hash: F8014070284708BEF7245E24CC8AF763ADCBB05768F108719BEE5AA1E0D6B55C498F54

Function 005A0DB6 Relevance: 3.0, APIs: 2, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005A571C: __FF_MSGBANNER.LIBCMT ref: 005A5733
Part of subcall function 005A571C: __NMSG_WRITE.LIBCMT ref: 005A573A
Part of subcall function 005A571C: RtlAllocateHeap.NTDLL(00F10000,00000000,00000001,00000000,?,?,?,005A0DD3,?), ref: 005A575F

std::exception::exception.LIBCMT ref: 005A0DEC
__CxxThrowException@8.LIBCMT ref: 005A0E01

Part of subcall function 005A859B: RaiseException.KERNEL32(?,?,?,00639E78,00000000,?,?,?,?,005A0E06,?,00639E78,?,00000001), ref: 005A85F0

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
String ID:
API String ID: 3902256705-0
Opcode ID: 802a24e60907e534e2212b24b1788a94b07b189f43660d69ac29a40e7251b91d
Instruction ID: 42fdd077042b1606d255a57a0eb5945709dbfe75b1587a9f1223a3c9e145389b
Opcode Fuzzy Hash: 802a24e60907e534e2212b24b1788a94b07b189f43660d69ac29a40e7251b91d
Instruction Fuzzy Hash: C5F0F93180021B66CF10BA94EC159EE7FACBF07310F000415FD0496181DF709A90D5E1

Function 005A55FD Relevance: 3.0, APIs: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

_memset.LIBCMT ref: 005A562C
__lock_file.LIBCMT ref: 005A564D

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: __lock_file_memset
String ID:
API String ID: 26237723-0
Opcode ID: a2627084450b25f0967364cb7bd4e14f0aaad9985343dc69414a9a1967c29dbb
Instruction ID: b03bc87bb54d1f9bed4d6d4d0c811966d8dbcf17a3894dd3c153e92eedd9dfcc
Opcode Fuzzy Hash: a2627084450b25f0967364cb7bd4e14f0aaad9985343dc69414a9a1967c29dbb
Instruction Fuzzy Hash: 8D018471800A0AABCF12AF689D0ACAE7F71BFD3361F544115F9151B191EB318A51DF91

Function 005A53A6 Relevance: 3.0, APIs: 2, Instructions: 33COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 005A8B28: __getptd_noexit.LIBCMT ref: 005A8B28

__lock_file.LIBCMT ref: 005A53EB

Part of subcall function 005A6C11: __lock.LIBCMT ref: 005A6C34

__fclose_nolock.LIBCMT ref: 005A53F6

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: __fclose_nolock__getptd_noexit__lock__lock_file
String ID:
API String ID: 2800547568-0
Opcode ID: b0f910a57403a37d8ab34970c9e1744c42d6f97b9d31d5e06140125b934762d7
Instruction ID: 4f4f676b4c8458c8b248b4b46c13de3511b850ca5cb889447ae7bb49180a7f5a
Opcode Fuzzy Hash: b0f910a57403a37d8ab34970c9e1744c42d6f97b9d31d5e06140125b934762d7
Instruction Fuzzy Hash: 1EF09631800A069ADF106F659809BBE7EE07FC3374F258905E464AB1C1EBBC49415B61

Function 00588061 Relevance: 2.6, APIs: 2, Instructions: 54COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,00000000,?,?,?,0058542F,?,?,?,?,?), ref: 0058807A
MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000001,00000000,?,?,?,0058542F,?,?,?,?,?), ref: 005880AD

Part of subcall function 0058774D: _memmove.LIBCMT ref: 00587789

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ByteCharMultiWide$_memmove
String ID:
API String ID: 3033907384-0
Opcode ID: 347f82a4a0d58017bced3451a4f851b5a021c74b4902c52581cb98d099e07c3f
Instruction ID: daff2d5425b50cdf0efcd849097b4101cdd9f656ff7fe883cadd146fb0faf10b
Opcode Fuzzy Hash: 347f82a4a0d58017bced3451a4f851b5a021c74b4902c52581cb98d099e07c3f
Instruction Fuzzy Hash: 9A018F31201105BEEB247B21DC4AE7B3F6DEB8A360F108029FD05DE190DA6098009661

Function 00F9746D Relevance: 1.9, APIs: 1, Instructions: 400processthreadCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00F97C9D
Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F97CC1
ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F97CE3

Memory Dump Source

Source File: 00000000.00000002.2127970985.0000000000F96000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f96000_INVOICE NO.jbxd

Similarity

API ID: Process$ContextCreateMemoryReadThreadWow64
String ID:
API String ID: 2438371351-0
Opcode ID: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
Instruction ID: 1bdccb19627e81433caebc6ccb58640e1216c3e77ba3bd6d81c2a23db65ca8c0
Opcode Fuzzy Hash: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
Instruction Fuzzy Hash: D612C124E28658C6EB24DF64D8507DEB232EF68300F1050E9910DEB7A5E77A4F85CF5A

Function 0058F290 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de56835962733d50a9d3357f821c916755190b2de2af136395288b47b82b31f0
Instruction ID: 0665db7a839fd27015172107d8eb5fb203d849f361efe566415232df82fc0044
Opcode Fuzzy Hash: de56835962733d50a9d3357f821c916755190b2de2af136395288b47b82b31f0
Instruction Fuzzy Hash: E2617A746002469FCB10EF54C895E7ABBE9FF89304F14886DED06A7291DB75ED50CB90

Function 00591FC3 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c71a35e2688291dc2fb31f95ece3518974e7e7067cc88aba113e9e52ecbfb7f8
Instruction ID: baefbd78e710066bbdb100b19a9172b0c9526b3da995ff6e0a0c842d2a0ac7d0
Opcode Fuzzy Hash: c71a35e2688291dc2fb31f95ece3518974e7e7067cc88aba113e9e52ecbfb7f8
Instruction Fuzzy Hash: BD517131600605AFCF14FB68C999FAE7FA6BF85310F144569F806AB392DA30ED01DB51

Function 00585AEE Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00585B96

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 211e38863c46c63db05cdb2c53317384d1f4fe7e2a2cefc5e4104ee1bc604e4f
Instruction ID: 4521f63e38f585d541b8a329605af26dfeb61a3533fd75d114e66300b336a748
Opcode Fuzzy Hash: 211e38863c46c63db05cdb2c53317384d1f4fe7e2a2cefc5e4104ee1bc604e4f
Instruction Fuzzy Hash: 71313C31A00A06AFCB18EF6CC484AADBBB5FF94311F148629DC16A3710E770BD90CB91

Function 005A0C08 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 005A0CB7

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: 68df50c90c69abbd09ba1ea1f0408f76b97f7d49583fe2ecbd282ccc5e2a755b
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 7831D370A101059BC718DF58C4A4A6DFBA6FB5A320B64A7A5E80ACB391D731EDD1DBC0

Function 005BFCAC Relevance: 1.6, APIs: 1, Instructions: 88COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 005BFCB7

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: d9e9c4514b1c39e68a5de426c081d5120e350631aa4370252a47a938b6a8ca1c
Instruction ID: 9d92beeac28220b823bcd4997670747aa1506637a5d8ac077613ab37ef9ef2fe
Opcode Fuzzy Hash: d9e9c4514b1c39e68a5de426c081d5120e350631aa4370252a47a938b6a8ca1c
Instruction Fuzzy Hash: 5141E7745043419FDB24DF14C458B1ABFE1BF85314F0988ACE8999B762C731EC45CB52

Function 005859B9 Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00585A01

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: fffb3be7f04a05edc248804624d98f785d820c5879578716562dd4e183b2f255
Instruction ID: b03111ec4aabdade87bec4d739b0cb059d3d500c140c858d182d9d1baaf7d01c
Opcode Fuzzy Hash: fffb3be7f04a05edc248804624d98f785d820c5879578716562dd4e183b2f255
Instruction Fuzzy Hash: 3B213D71500A09EBCB14AF51EC856AE7FF9FF44310F21886AE486D6051F7B0E8D0DBA5

Function 0058C5A7 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

_wcscmp.LIBCMT ref: 0058C5DD

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _wcscmp
String ID:
API String ID: 856254489-0
Opcode ID: e0208fb52a7636246a25e25758ec41045253bbe551b039999dca276987d211a5
Instruction ID: 2352cb2b6702a49c4bf001dd2e2434b36ce8ec39910447210f362be5ea906c13
Opcode Fuzzy Hash: e0208fb52a7636246a25e25758ec41045253bbe551b039999dca276987d211a5
Instruction Fuzzy Hash: E4116D3290051AABCF14BBA9CC459EEBF79FB95360F50412AFC11B7190EA709A05DBA0

Function 00584DDD Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00584BB5: FreeLibrary.KERNEL32(00000000,?), ref: 00584BEF

Part of subcall function 005A525B: __wfsopen.LIBCMT ref: 005A5266

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,006452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00584E0F

Part of subcall function 00584B6A: FreeLibrary.KERNEL32(00000000), ref: 00584BA4

Part of subcall function 00584C70: _memmove.LIBCMT ref: 00584CBA

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Library$Free$Load__wfsopen_memmove
String ID:
API String ID: 1396898556-0
Opcode ID: 2e069d1bf366a1c37a558920b40cd6280d07a9d236b9b445a99c37ad44e8023e
Instruction ID: e89b63dd0bad622d6e78761eb02e56b341f0f053f2669ab6dba38c845f17280a
Opcode Fuzzy Hash: 2e069d1bf366a1c37a558920b40cd6280d07a9d236b9b445a99c37ad44e8023e
Instruction Fuzzy Hash: D5119131640707ABCF25BF74C81AFAE7BA9BF84711F108829FD41B7181EA719A019F61

Function 005BFD85 Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32(?), ref: 005BFD91

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ClearVariant
String ID:
API String ID: 1473721057-0
Opcode ID: 3407facd47e5fafa0b00bc3888c4c24e5bb3af91d7f6c994f87468fffb8a2939
Instruction ID: 352c3d3519bbbbcd1d044e0ac532cc62d4e7bae4048306c8fe688842e5b05001
Opcode Fuzzy Hash: 3407facd47e5fafa0b00bc3888c4c24e5bb3af91d7f6c994f87468fffb8a2939
Instruction Fuzzy Hash: BB212474508342DFDB24EF64C444B2ABBE5BF89314F05896CF88AA7762D731E805CB92

Function 00585BC0 Relevance: 1.6, APIs: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,005856A7,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00585C16

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: d1ba46a6d864e1ea1dcc749ae5aca9cb0b3e92b4b56f8b2b228662c9a94af204
Instruction ID: cadf717b25cf0600ac7a24d0979e8f76e657ba26487483a426e825a027f3a077
Opcode Fuzzy Hash: d1ba46a6d864e1ea1dcc749ae5aca9cb0b3e92b4b56f8b2b228662c9a94af204
Instruction Fuzzy Hash: 5B113631200B059FD330DF19C880B62BBE9FF54761F10C92EE9AA97A51E7B0E844CB60

Function 00585A7A Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005BDD18

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 9f3ded07322f352e8a10de6e5b29e511e5eed242f4c9ed39c3b1c7becfd31a48
Instruction ID: a9f241954533463b44c1770902df88c4a3bed1e6eeb1b428ace01f2e7c409f9b
Opcode Fuzzy Hash: 9f3ded07322f352e8a10de6e5b29e511e5eed242f4c9ed39c3b1c7becfd31a48
Instruction Fuzzy Hash: DB0184B5200502AFC305EB29C445D2AFBA9FFC6310714456AE959C7702E731FC21CBE0

Function 005A4863 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__lock_file.LIBCMT ref: 005A48A6

Part of subcall function 005A8B28: __getptd_noexit.LIBCMT ref: 005A8B28

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: __getptd_noexit__lock_file
String ID:
API String ID: 2597487223-0
Opcode ID: f9f856a283635fd7d09d2a2ca5ee76f80df67113aa51c398be80d43c65a2b67e
Instruction ID: 72e20644cba15b786bcb30c1f9b2caee1018a257294ffbcd491d25a516995a83
Opcode Fuzzy Hash: f9f856a283635fd7d09d2a2ca5ee76f80df67113aa51c398be80d43c65a2b67e
Instruction Fuzzy Hash: C0F0AF3190064BABDF11AFA49C0A7AE3EA1BF82325F158414B4249B192DBFC8951DF51

Function 00584E4A Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,006452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00584E7E

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: a973fce0f89c6d8abecd0f35b947c90c70f792d3b91afd600dfb81742322e77c
Instruction ID: 25f9c34fab97ccea9a40703381041e1f2c680f9786b167631233b8ee8fb74661
Opcode Fuzzy Hash: a973fce0f89c6d8abecd0f35b947c90c70f792d3b91afd600dfb81742322e77c
Instruction Fuzzy Hash: 41F03971505712CFCB34AF64E494827BFE9BF553293208E7EEAD692620C7329840DF41

Function 005A0791 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005A07B0

Part of subcall function 00587BCC: _memmove.LIBCMT ref: 00587C06

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: LongNamePath_memmove
String ID:
API String ID: 2514874351-0
Opcode ID: 4929596300bd938efce4cec6627cf552f961179cea7b06c2f6cdc448acb42273
Instruction ID: b9d25b5802d4f8a2ed394fb16aa4435039d3ab83fd4059f6fc7952914b99c83b
Opcode Fuzzy Hash: 4929596300bd938efce4cec6627cf552f961179cea7b06c2f6cdc448acb42273
Instruction Fuzzy Hash: 43E0CD3694412957C730E6989C09FEA77DDEFCC7A1F0441B5FC0CD7205D960AD8086D0

Function 005E8E9F Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

__fread_nolock.LIBCMT ref: 005E8EC1

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction ID: aada5e6a2870eb41d92d23ac636a916b9e080aa58af2ea209918d1a22be77686
Opcode Fuzzy Hash: 36e66934677415102e9643fee0822ecf6e22e0db5db5ed1a6e3653ba213ae753
Instruction Fuzzy Hash: 29E092B0504B405BD7388A24D800BB377E5BB0A304F04081DF6EA83241EB6278458759

Function 00585C4E Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,005BDD42,?,?,00000000), ref: 00585C5F

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d657ac3de90a4cb01c081a0f94a1f389f940a9741b5cf991e5d39496bb81bc4a
Instruction ID: 77e27b3df041d68326edcd03aef773eff53add46ef163778926d157fb68befec
Opcode Fuzzy Hash: d657ac3de90a4cb01c081a0f94a1f389f940a9741b5cf991e5d39496bb81bc4a
Instruction Fuzzy Hash: F1D0C77464020CBFE710DB80DC46FAA777DD705710F1001D4FD0456690D6B27D508795

Function 005A525B Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

__wfsopen.LIBCMT ref: 005A5266

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: __wfsopen
String ID:
API String ID: 197181222-0
Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction ID: 135d067670b5a2c2ad4b68f74ab6b4324e6d3b6d66b7af861d79cc537035c601
Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
Instruction Fuzzy Hash: 8FB0927A44020C77CE012A92EC02F893F19AB82764F408020FB0C18162A673A6649A89

Function 005ED07B Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000002,00000000), ref: 005ED1FF

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ErrorLast
String ID:
API String ID: 1452528299-0
Opcode ID: 4b5501dd8b8bd4546317760b8397dfe016241f02d7be0e608b47c67f430e3840
Instruction ID: 56b1a3a0ad40768bf4fd9d045d1577cffbe9c09e214a485e254a84c3b1f5a7b8
Opcode Fuzzy Hash: 4b5501dd8b8bd4546317760b8397dfe016241f02d7be0e608b47c67f430e3840
Instruction Fuzzy Hash: 8A717E356043428FC708EF25C495A6EBBF1BF89354F14492DF9969B3A2DB30E905CB62

Function 00F98470 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00F98481

Memory Dump Source

Source File: 00000000.00000002.2127970985.0000000000F96000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F96000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_f96000_INVOICE NO.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 64bfe16e91d6aea51bab41c93be328d526f706ae486ee860bf7e6c5d11675e7b
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 0AE0E67498020EEFDB00EFB8D54969E7FB4EF04701F104161FD05D2280DA319D509A62

Non-executed Functions

Function 0060CABC Relevance: 75.9, APIs: 40, Strings: 3, Instructions: 632windowkeyboardCOMMON

Download Yara Rule

APIs

Part of subcall function 00582612: GetWindowLongW.USER32(?,000000EB), ref: 00582623

DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0060CB37
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0060CB95
GetWindowLongW.USER32(?,000000F0), ref: 0060CBD6
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0060CC00
SendMessageW.USER32 ref: 0060CC29
_wcsncpy.LIBCMT ref: 0060CC95
GetKeyState.USER32(00000011), ref: 0060CCB6
GetKeyState.USER32(00000009), ref: 0060CCC3
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0060CCD9
GetKeyState.USER32(00000010), ref: 0060CCE3
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0060CD0C
SendMessageW.USER32 ref: 0060CD33
SendMessageW.USER32(?,00001030,?,0060B348), ref: 0060CE37
ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0060CE4D
ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0060CE60
SetCapture.USER32(?), ref: 0060CE69
ClientToScreen.USER32(?,?), ref: 0060CECE
ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0060CEDB
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0060CEF5
ReleaseCapture.USER32 ref: 0060CF00
GetCursorPos.USER32(?), ref: 0060CF3A
ScreenToClient.USER32(?,?), ref: 0060CF47
SendMessageW.USER32(?,00001012,00000000,?), ref: 0060CFA3
SendMessageW.USER32 ref: 0060CFD1
SendMessageW.USER32(?,00001111,00000000,?), ref: 0060D00E
SendMessageW.USER32 ref: 0060D03D
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0060D05E
SendMessageW.USER32(?,0000110B,00000009,?), ref: 0060D06D
GetCursorPos.USER32(?), ref: 0060D08D
ScreenToClient.USER32(?,?), ref: 0060D09A
GetParent.USER32(?), ref: 0060D0BA
SendMessageW.USER32(?,00001012,00000000,?), ref: 0060D123
SendMessageW.USER32 ref: 0060D154
ClientToScreen.USER32(?,?), ref: 0060D1B2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0060D1E2
SendMessageW.USER32(?,00001111,00000000,?), ref: 0060D20C
SendMessageW.USER32 ref: 0060D22F
ClientToScreen.USER32(?,?), ref: 0060D281
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0060D2B5

Part of subcall function 005825DB: GetWindowLongW.USER32(?,000000EB), ref: 005825EC

GetWindowLongW.USER32(?,000000F0), ref: 0060D351

Strings

pbd, xrefs: 0060CEAF
F, xrefs: 0060D235
@GUI_DRAGID, xrefs: 0060CE9C

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
String ID: @GUI_DRAGID$F$pbd
API String ID: 3977979337-1219780232
Opcode ID: 52eb65cfeed31492661a502c356a76b82efe75034979e0f18abf8f8a853992b6
Instruction ID: 55af85cd6b0d1c666b17ca657b4523a90fd53a761dac2fe8b2097d1b1dee2918
Opcode Fuzzy Hash: 52eb65cfeed31492661a502c356a76b82efe75034979e0f18abf8f8a853992b6
Instruction Fuzzy Hash: 0942AC74244241AFDB28DF68C848AABBBE6FF49320F140629F556972F1CB71DC41DB52

Function 00596F9E Relevance: 55.8, APIs: 19, Strings: 10, Instructions: 5018COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005971C3
_memset.LIBCMT ref: 00597539
_memmove.LIBCMT ref: 005976AC

Strings

DEFINE, xrefs: 005D2103
3cY, xrefs: 005D23A0
[:<:]], xrefs: 00597479
\b(?=\w), xrefs: 005D3769
\b(?<=\w), xrefs: 005D3773
Q\E, xrefs: 00597FCB
[:>:]], xrefs: 00597492
]c, xrefs: 005D1A22
_Y, xrefs: 005D23CB
P\c, xrefs: 005D1AB8

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _memmove$_memset
String ID: ]c$3cY$DEFINE$P\c$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)$_Y
API String ID: 1357608183-3080999908
Opcode ID: 5623a98b481c1ef7ec3b7ca550784a59afd884122a0f831e8fc1215de04c021d
Instruction ID: c1e79e491631d14d9e5b56908234e8c5a72f622be8663958f311301cb231f032
Opcode Fuzzy Hash: 5623a98b481c1ef7ec3b7ca550784a59afd884122a0f831e8fc1215de04c021d
Instruction Fuzzy Hash: 4F939275A04219DBDF24CF98C881BADBBB1FF58710F24856BE945AB391E7709E81CB40

Function 005848D7 Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 131keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,?), ref: 005848DF
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 005BD665
IsIconic.USER32(?), ref: 005BD66E
ShowWindow.USER32(?,00000009), ref: 005BD67B
SetForegroundWindow.USER32(?), ref: 005BD685
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 005BD69B
GetCurrentThreadId.KERNEL32 ref: 005BD6A2
GetWindowThreadProcessId.USER32(?,00000000), ref: 005BD6AE
AttachThreadInput.USER32(?,00000000,00000001), ref: 005BD6BF
AttachThreadInput.USER32(?,00000000,00000001), ref: 005BD6C7
AttachThreadInput.USER32(00000000,?,00000001), ref: 005BD6CF
SetForegroundWindow.USER32(?), ref: 005BD6D2
MapVirtualKeyW.USER32(00000012,00000000), ref: 005BD6E7
keybd_event.USER32(00000012,00000000), ref: 005BD6F2
MapVirtualKeyW.USER32(00000012,00000000), ref: 005BD6FC
keybd_event.USER32(00000012,00000000), ref: 005BD701
MapVirtualKeyW.USER32(00000012,00000000), ref: 005BD70A
keybd_event.USER32(00000012,00000000), ref: 005BD70F
MapVirtualKeyW.USER32(00000012,00000000), ref: 005BD719
keybd_event.USER32(00000012,00000000), ref: 005BD71E
SetForegroundWindow.USER32(?), ref: 005BD721
AttachThreadInput.USER32(?,?,00000000), ref: 005BD748

Strings

Shell_TrayWnd, xrefs: 005BD660

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: 28a48155eeb8e07ee68c358935b660a3ce990403abbad628310733056456b2cb
Instruction ID: 8603f4f0c5a8ee57c1bd80eb58a8d493789360e879c31a03567146e1fbe3bf1e
Opcode Fuzzy Hash: 28a48155eeb8e07ee68c358935b660a3ce990403abbad628310733056456b2cb
Instruction Fuzzy Hash: 55315071A80318BAEB316F619C89FBF7F6DEB44B50F104025FA04EA1D1DAB15D01ABB1

Function 005D8310 Relevance: 35.2, APIs: 17, Strings: 3, Instructions: 224COMMON

Download Yara Rule

APIs

Part of subcall function 005D87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005D882B
Part of subcall function 005D87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005D8858
Part of subcall function 005D87E1: GetLastError.KERNEL32 ref: 005D8865

_memset.LIBCMT ref: 005D8353
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 005D83A5
CloseHandle.KERNEL32(?), ref: 005D83B6
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005D83CD
GetProcessWindowStation.USER32 ref: 005D83E6
SetProcessWindowStation.USER32(00000000), ref: 005D83F0
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 005D840A

Part of subcall function 005D81CB: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005D8309), ref: 005D81E0
Part of subcall function 005D81CB: CloseHandle.KERNEL32(?,?,005D8309), ref: 005D81F2

Strings

, xrefs: 005D8362
default, xrefs: 005D8405
winsta0, xrefs: 005D83C8

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
String ID: $default$winsta0
API String ID: 2063423040-1027155976
Opcode ID: 6d24009911bbd1a7c42e5599414b6ac1f6e12efb5bc269c1c67a5e8927ac4da8
Instruction ID: a997a90bd52196d44ae9cb257c725a381822c959bf3b494b70c8b8373ca6ebb6
Opcode Fuzzy Hash: 6d24009911bbd1a7c42e5599414b6ac1f6e12efb5bc269c1c67a5e8927ac4da8
Instruction Fuzzy Hash: 648116B1900209BFDF219FA8DC49ABEBFB9FF04304F14416BF915A6261DB319A15DB60

Function 005EC75C Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 280timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005EC78D
FindClose.KERNEL32(00000000), ref: 005EC7E1
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005EC806
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 005EC81D
FileTimeToSystemTime.KERNEL32(?,?), ref: 005EC844
__swprintf.LIBCMT ref: 005EC890
__swprintf.LIBCMT ref: 005EC8D3

Part of subcall function 00587DE1: _memmove.LIBCMT ref: 00587E22

__swprintf.LIBCMT ref: 005EC927

Part of subcall function 005A3698: __woutput_l.LIBCMT ref: 005A36F1

__swprintf.LIBCMT ref: 005EC975

Part of subcall function 005A3698: __flsbuf.LIBCMT ref: 005A3713
Part of subcall function 005A3698: __flsbuf.LIBCMT ref: 005A372B

__swprintf.LIBCMT ref: 005EC9C4
__swprintf.LIBCMT ref: 005ECA13
__swprintf.LIBCMT ref: 005ECA62

Strings

%02d, xrefs: 005EC91B, 005EC925, 005EC973, 005EC9C2, 005ECA11, 005ECA60
%4d, xrefs: 005EC8CD
%4d%02d%02d%02d%02d%02d, xrefs: 005EC88A

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
API String ID: 3953360268-2428617273
Opcode ID: a6c3642e3fa5e94350a47c50e454292908e604a90e4e30ff72eb2f1b6fa63ee8
Instruction ID: e31ed2a7676532f196cb3f2a60cfa5aeb0a268f5cbca06a8ab098f41a40af794
Opcode Fuzzy Hash: a6c3642e3fa5e94350a47c50e454292908e604a90e4e30ff72eb2f1b6fa63ee8
Instruction Fuzzy Hash: 9EA11DB1408346ABC754FB94C88ADBFBBECFFD4704F440919F99596191EA30DA09CB62

Function 005EEF95 Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 119fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 005EEFB6
_wcscmp.LIBCMT ref: 005EEFCB
_wcscmp.LIBCMT ref: 005EEFE2
GetFileAttributesW.KERNEL32(?), ref: 005EEFF4
SetFileAttributesW.KERNEL32(?,?), ref: 005EF00E
FindNextFileW.KERNEL32(00000000,?), ref: 005EF026
FindClose.KERNEL32(00000000), ref: 005EF031
FindFirstFileW.KERNEL32(*.*,?), ref: 005EF04D
_wcscmp.LIBCMT ref: 005EF074
_wcscmp.LIBCMT ref: 005EF08B
SetCurrentDirectoryW.KERNEL32(?), ref: 005EF09D
SetCurrentDirectoryW.KERNEL32(00638920), ref: 005EF0BB
FindNextFileW.KERNEL32(00000000,00000010), ref: 005EF0C5
FindClose.KERNEL32(00000000), ref: 005EF0D2
FindClose.KERNEL32(00000000), ref: 005EF0E4

Strings

*.*, xrefs: 005EF048

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1803514871-438819550
Opcode ID: 10f2b1e3244bc57c2e3c0d7614fec8e8f6f6bd7868c43c41d8fa16f356133477
Instruction ID: ee7f04a7a44e1e3deb5a91eb44b95124667d32a25d87b3823cd6e626062eb9d5
Opcode Fuzzy Hash: 10f2b1e3244bc57c2e3c0d7614fec8e8f6f6bd7868c43c41d8fa16f356133477
Instruction Fuzzy Hash: C431D2325412496BCB28EFA5DC4DAEE7BAEAF49360F100175F841D3091EF71DA44CB61

Function 00600857 Relevance: 26.7, APIs: 9, Strings: 6, Instructions: 477registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00600953
RegCreateKeyExW.ADVAPI32(?,?,00000000,0060F910,00000000,?,00000000,?,?), ref: 006009C1
RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00600A09
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00600A92
RegCloseKey.ADVAPI32(?), ref: 00600DB2
RegCloseKey.ADVAPI32(00000000), ref: 00600DBF

Strings

REG_DWORD, xrefs: 00600C83
REG_QWORD, xrefs: 00600D00
REG_BINARY, xrefs: 00600D4D
REG_SZ, xrefs: 00600AD0
REG_MULTI_SZ, xrefs: 00600B7A
REG_EXPAND_SZ, xrefs: 00600A2F

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Close$ConnectCreateRegistryValue
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 536824911-966354055
Opcode ID: f9221424c34f1d1d5cf7b5598993fbfa809908576cf214b1e4e6a1069edcd58e
Instruction ID: b625d02963763e720f05ef704f14aed477dc2470dba9f6ebe7e4b29139625c0d
Opcode Fuzzy Hash: f9221424c34f1d1d5cf7b5598993fbfa809908576cf214b1e4e6a1069edcd58e
Instruction Fuzzy Hash: 93024B756046029FDB14EF18C855E6ABBE5FF89314F04845DF88AAB3A2DB30ED41CB91

Function 005966E1 Relevance: 25.9, Strings: 20, Instructions: 889COMMON

Download Yara Rule

Strings

CR), xrefs: 005D1287
ANY), xrefs: 005D12DE
BSR_UNICODE), xrefs: 005D1338
0Db, xrefs: 00596733
UTF), xrefs: 005D10FA
CRLF), xrefs: 005D12C1
pGb, xrefs: 00596751
0Eb, xrefs: 0059673D
ANYCRLF), xrefs: 005D12FB
UTF16), xrefs: 005D10CF
_Y, xrefs: 005D1465, 005D150C, 005D15B4
UCP), xrefs: 005D110D
LIMIT_MATCH=, xrefs: 005D1170
3cY, xrefs: 005968FF
BSR_ANYCRLF), xrefs: 005D131E
NO_AUTO_POSSESS), xrefs: 005D112E
LF), xrefs: 005D12A4
NO_START_OPT), xrefs: 005D114F
0Fb, xrefs: 00596747
LIMIT_RECURSION=, xrefs: 005D11FC

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID:
String ID: 0Db$0Eb$0Fb$3cY$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$pGb$_Y
API String ID: 0-2937731933
Opcode ID: f9bdb4d5a6671ff55976cc294cd7479679f3b64835604316f313fe0c58d6bb9c
Instruction ID: ac47112faed2a8ac3fdde5911493325521272dcfa0b84b62cf15cabce2f3e6d3
Opcode Fuzzy Hash: f9bdb4d5a6671ff55976cc294cd7479679f3b64835604316f313fe0c58d6bb9c
Instruction Fuzzy Hash: 7C725C75E006199BDF24CF59D8807AEBBB5FF44310F14856BE809EB380EB749A85CB94

Function 005EF0F2 Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 112fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 005EF113
_wcscmp.LIBCMT ref: 005EF128
_wcscmp.LIBCMT ref: 005EF13F

Part of subcall function 005E4385: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 005E43A0

FindNextFileW.KERNEL32(00000000,?), ref: 005EF16E
FindClose.KERNEL32(00000000), ref: 005EF179
FindFirstFileW.KERNEL32(*.*,?), ref: 005EF195
_wcscmp.LIBCMT ref: 005EF1BC
_wcscmp.LIBCMT ref: 005EF1D3
SetCurrentDirectoryW.KERNEL32(?), ref: 005EF1E5
SetCurrentDirectoryW.KERNEL32(00638920), ref: 005EF203
FindNextFileW.KERNEL32(00000000,00000010), ref: 005EF20D
FindClose.KERNEL32(00000000), ref: 005EF21A
FindClose.KERNEL32(00000000), ref: 005EF22C

Strings

*.*, xrefs: 005EF190

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 1824444939-438819550
Opcode ID: 7b73b2bf520e034cd14d680e214548fb8429f6045858136b923a2f0f395880ae
Instruction ID: a81a103aee3007c856110fc40b4313bc13a5f9b11abc2cd63ce3ca95899955b1
Opcode Fuzzy Hash: 7b73b2bf520e034cd14d680e214548fb8429f6045858136b923a2f0f395880ae
Instruction Fuzzy Hash: 4B31D73654025E6ADB28AFA5EC49AEE7B6DAF49360F110171F944A30D0DF30DE45CB54

Function 005EA1EF Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 102fileCOMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 005EA20F
__swprintf.LIBCMT ref: 005EA231
CreateDirectoryW.KERNEL32(?,00000000), ref: 005EA26E
CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 005EA293
_memset.LIBCMT ref: 005EA2B2
_wcsncpy.LIBCMT ref: 005EA2EE
DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 005EA323
CloseHandle.KERNEL32(00000000), ref: 005EA32E
RemoveDirectoryW.KERNEL32(?), ref: 005EA337
CloseHandle.KERNEL32(00000000), ref: 005EA341

Strings

\??\%s, xrefs: 005EA22B
:, xrefs: 005EA252
\, xrefs: 005EA247

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
String ID: :$\$\??\%s
API String ID: 2733774712-3457252023
Opcode ID: 9c2ddf3b1cb1386432f5e860618cb931fd83e34576f90893b43a89685c80d4bd
Instruction ID: 50a24793671c5409d045bef244e6154df9eb8bf207392f3ec4d6e3e7f8229dba
Opcode Fuzzy Hash: 9c2ddf3b1cb1386432f5e860618cb931fd83e34576f90893b43a89685c80d4bd
Instruction Fuzzy Hash: E631A07550024AABDB20DFA1DC49FEF3BBDBF89700F1040B6F609D6160E770A6448B65

Function 005E001C Relevance: 18.2, APIs: 12, Instructions: 186keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 005E0097
SetKeyboardState.USER32(?), ref: 005E0102
GetAsyncKeyState.USER32(000000A0), ref: 005E0122
GetKeyState.USER32(000000A0), ref: 005E0139
GetAsyncKeyState.USER32(000000A1), ref: 005E0168
GetKeyState.USER32(000000A1), ref: 005E0179
GetAsyncKeyState.USER32(00000011), ref: 005E01A5
GetKeyState.USER32(00000011), ref: 005E01B3
GetAsyncKeyState.USER32(00000012), ref: 005E01DC
GetKeyState.USER32(00000012), ref: 005E01EA
GetAsyncKeyState.USER32(0000005B), ref: 005E0213
GetKeyState.USER32(0000005B), ref: 005E0221

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: c874249cd51d347dd2c21c0f67f9448a7f765c46cfc1b49e724d4f0a06e3aaab
Instruction ID: e040721eb4992b4e094b610eb78782cc21dd9446e71b6a2c5d8c24426540a930
Opcode Fuzzy Hash: c874249cd51d347dd2c21c0f67f9448a7f765c46cfc1b49e724d4f0a06e3aaab
Instruction Fuzzy Hash: 8A51F9249047C929FB3DDBA188187EABFB4AF01380F48559AC5C65A5C2DAE49BCCC761

Function 006003DA Relevance: 16.9, APIs: 11, Instructions: 397registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00600E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005FFDAD,?,?), ref: 00600E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006004AC

Part of subcall function 00589837: __itow.LIBCMT ref: 00589862
Part of subcall function 00589837: __swprintf.LIBCMT ref: 005898AC

RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0060054B
RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006005E3
RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00600822
RegCloseKey.ADVAPI32(00000000), ref: 0060082F

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
String ID:
API String ID: 1240663315-0
Opcode ID: 878e4b15b9c128423e85b909f3d3ab5d91ef8eded1e89980f8b560f2d1539cb2
Instruction ID: 8b4f244e6c62e76b8fc8073cb580b51da83df53810c1d44ead92ed5d307b98e3
Opcode Fuzzy Hash: 878e4b15b9c128423e85b909f3d3ab5d91ef8eded1e89980f8b560f2d1539cb2
Instruction Fuzzy Hash: 28E14D71204205AFDB14DF28C895E6BBBE9FF89314F04856DF84ADB2A1DA31ED05CB91

Function 005F4164 Relevance: 15.1, APIs: 10, Instructions: 83clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 005F418B
EmptyClipboard.USER32 ref: 005F4191
GlobalAlloc.KERNEL32(00000002,?), ref: 005F41A6
CloseClipboard.USER32 ref: 005F4245

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 8386713b2c7371580db86666558949b5c6464ece72c57c8c4fe0c2c430d75361
Instruction ID: 4114751de7c3e0446902d4c90c27d08765fba081431c82ffa111a8956db902dc
Opcode Fuzzy Hash: 8386713b2c7371580db86666558949b5c6464ece72c57c8c4fe0c2c430d75361
Instruction Fuzzy Hash: B72188352402159FDB20AF64EC09B7A7BA9FB45310F14802AFA469B2A2DB34A901CF84

Function 005E37EF Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 167fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00584750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00584743,?,?,005837AE,?), ref: 00584770

Part of subcall function 005E4A31: GetFileAttributesW.KERNEL32(?,005E370B), ref: 005E4A32

FindFirstFileW.KERNEL32(?,?), ref: 005E38A3
DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 005E394B
MoveFileW.KERNEL32(?,?), ref: 005E395E
DeleteFileW.KERNEL32(?,?,?,?,?), ref: 005E397B
FindNextFileW.KERNEL32(00000000,00000010), ref: 005E399D
FindClose.KERNEL32(00000000,?,?,?,?), ref: 005E39B9

Strings

\*.*, xrefs: 005E384E, 005E3857, 005E386C

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 4002782344-1173974218
Opcode ID: f491f8ea43bc4f8fc7eb7d4fe168966d5b78a32b857f333dcfb46249d2a50f87
Instruction ID: 4b7635ffe24947209e89dc48386022d52cd80d7c0e6fc9e12587004327ec8adc
Opcode Fuzzy Hash: f491f8ea43bc4f8fc7eb7d4fe168966d5b78a32b857f333dcfb46249d2a50f87
Instruction Fuzzy Hash: 5B51613180518E9ACF19FFA1D99A9EDBF79BF54310F600069F845B7192EB216F09CB50

Function 005EF3F3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 120filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00587DE1: _memmove.LIBCMT ref: 00587E22

FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 005EF440
Sleep.KERNEL32(0000000A), ref: 005EF470
_wcscmp.LIBCMT ref: 005EF484
_wcscmp.LIBCMT ref: 005EF49F
FindNextFileW.KERNEL32(?,?), ref: 005EF53D
FindClose.KERNEL32(00000000), ref: 005EF553

Strings

*.*, xrefs: 005EF425

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
String ID: *.*
API String ID: 713712311-438819550
Opcode ID: b98d530870a627ad01b3ff104867f61a76e15b2839504410cb54080b5ba2f570
Instruction ID: cf21c46be0a9d51d4d7f650d549fe27f378231fb0d93668f382933ea951cfbe4
Opcode Fuzzy Hash: b98d530870a627ad01b3ff104867f61a76e15b2839504410cb54080b5ba2f570
Instruction Fuzzy Hash: 68418C7190024AAFCF18EF68DC49AEEBFB4FF59314F104466E855A3191EB309E44CB90

Function 00593030 Relevance: 11.1, APIs: 4, Strings: 2, Instructions: 587COMMON

Download Yara Rule

Strings

3cY, xrefs: 00593225
_Y, xrefs: 00593322

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: __itow__swprintf
String ID: 3cY$_Y
API String ID: 674341424-2284220399
Opcode ID: 95ec31e27defac915a3d06bc3763de2471f248800e8257815fe367686b00809c
Instruction ID: b45a0f18487db562c75c061a21637c760b7c48f281929a5a79746569252e2463
Opcode Fuzzy Hash: 95ec31e27defac915a3d06bc3763de2471f248800e8257815fe367686b00809c
Instruction Fuzzy Hash: 642268716083029FCB24EF54C885B6EBBE4BFC5314F14492DF99A97291DB71EA04CB92

Function 00595760 Relevance: 11.0, APIs: 7, Instructions: 532COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005958A5
_memmove.LIBCMT ref: 005958F5
_memmove.LIBCMT ref: 0059595B

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: ac145aa73aa5815e72d1ff19bf9397236e5e3a6aa1e0725fed4dd4c547ad87b6
Instruction ID: e6c20e1bab573586f468fbdd9d82108394a7fe8a8746c10902cd100a6fddcdfc
Opcode Fuzzy Hash: ac145aa73aa5815e72d1ff19bf9397236e5e3a6aa1e0725fed4dd4c547ad87b6
Instruction Fuzzy Hash: 6F129270A0060ADFDF14DFA5D945AAEBBF5FF88300F10552AE806E7291EB35AD25CB50

Function 005E3B12 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00584750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00584743,?,?,005837AE,?), ref: 00584770

Part of subcall function 005E4A31: GetFileAttributesW.KERNEL32(?,005E370B), ref: 005E4A32

FindFirstFileW.KERNEL32(?,?), ref: 005E3B89
DeleteFileW.KERNEL32(?,?,?,?), ref: 005E3BD9
FindNextFileW.KERNEL32(00000000,00000010), ref: 005E3BEA
FindClose.KERNEL32(00000000), ref: 005E3C01
FindClose.KERNEL32(00000000), ref: 005E3C0A

Strings

\*.*, xrefs: 005E3B5B

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: bdae2fb260f80198c601366766dbe81f2dddb021c0332697df08603e3df08f0f
Instruction ID: 37de47e1c4549ca70a6c0c7fe0f8d53392546c09141d127b137d56bb03a3bb77
Opcode Fuzzy Hash: bdae2fb260f80198c601366766dbe81f2dddb021c0332697df08603e3df08f0f
Instruction Fuzzy Hash: 49316F310083869BC305FF64D8998AFBFA9BE95314F444D2DF8D5A3191EB21DA09CB97

Function 005E51BD Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 59shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 005D87E1: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005D882B
Part of subcall function 005D87E1: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005D8858
Part of subcall function 005D87E1: GetLastError.KERNEL32 ref: 005D8865

ExitWindowsEx.USER32(?,00000000), ref: 005E51F9

Strings

@, xrefs: 005E51EC
SeShutdownPrivilege, xrefs: 005E51C9
, xrefs: 005E51E7

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $@$SeShutdownPrivilege
API String ID: 2234035333-194228
Opcode ID: dc102536f477d360167a702d372824f88b90e29e47303890e3b8868cf29f63c0
Instruction ID: e55b20a21bfb2a126eb25073af1e9f8014b3efe6565956e9700bb5df61c80550
Opcode Fuzzy Hash: dc102536f477d360167a702d372824f88b90e29e47303890e3b8868cf29f63c0
Instruction Fuzzy Hash: 6A01F7396916526BE73C676AAC9AFBB7A98FB05348F600821FBC3E21D2F9511C008590

Function 0058FCE0 Relevance: 9.8, APIs: 3, Strings: 2, Instructions: 1040COMMON

Download Yara Rule

Strings

%a, xrefs: 0058FCF3
pbd, xrefs: 005C49B9

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: BuffCharUpper
String ID: pbd$%a
API String ID: 3964851224-2549464515
Opcode ID: 9e251c03f409a1a5676bb6a3599cdca56b1f554b9990fdc14970446a2cb5cf53
Instruction ID: db81013acbefda8a0a6913b6cd11efa87d5688de8cbcf9320449aa176d0c5e16
Opcode Fuzzy Hash: 9e251c03f409a1a5676bb6a3599cdca56b1f554b9990fdc14970446a2cb5cf53
Instruction Fuzzy Hash: 9F927A706083419FDB20DF14C494B2ABBE5FF89304F14996DE98A9B3A2D771EC45CB92

Function 005F6283 Relevance: 9.1, APIs: 6, Instructions: 84networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000001,00000006), ref: 005F62DC
WSAGetLastError.WSOCK32(00000000), ref: 005F62EB
bind.WSOCK32(00000000,?,00000010), ref: 005F6307
listen.WSOCK32(00000000,00000005), ref: 005F6316
WSAGetLastError.WSOCK32(00000000), ref: 005F6330
closesocket.WSOCK32(00000000), ref: 005F6344

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ErrorLast$bindclosesocketlistensocket
String ID:
API String ID: 1279440585-0
Opcode ID: d396007377ac6ade2dc73c7e0ef7600308ced3b3e2afc64f2e42c902cdd04d8c
Instruction ID: 868364c073d164d216eec19d9e787b70701d2147190b1f725ca9c80614f66788
Opcode Fuzzy Hash: d396007377ac6ade2dc73c7e0ef7600308ced3b3e2afc64f2e42c902cdd04d8c
Instruction Fuzzy Hash: 5721CE346002099FCB10EF68D849A7EBBB9FF88320F148559EA16A73D1CB74AC05CB51

Function 00595520 Relevance: 8.0, APIs: 5, Instructions: 516COMMON

Download Yara Rule

APIs

Part of subcall function 005A0DB6: std::exception::exception.LIBCMT ref: 005A0DEC
Part of subcall function 005A0DB6: __CxxThrowException@8.LIBCMT ref: 005A0E01

_memmove.LIBCMT ref: 005D0258
_memmove.LIBCMT ref: 005D036D
_memmove.LIBCMT ref: 005D0414

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _memmove$Exception@8Throwstd::exception::exception
String ID:
API String ID: 1300846289-0
Opcode ID: bf1be098beb6f6d00417ccefa0408e335b4f478e2123eaa4534640c19c2a2801
Instruction ID: 2f85ccefd9039bc78242668669732f28d7e224136e4eb343aa8c3fab9923e81c
Opcode Fuzzy Hash: bf1be098beb6f6d00417ccefa0408e335b4f478e2123eaa4534640c19c2a2801
Instruction Fuzzy Hash: E102A170A0020ADBCF15DF68D985AAE7FB5FF84300F54846AE806EB395EB35D950CB91

Function 00581287 Relevance: 7.9, APIs: 5, Instructions: 379COMMON

Download Yara Rule

APIs

Part of subcall function 00582612: GetWindowLongW.USER32(?,000000EB), ref: 00582623

DefDlgProcW.USER32(?,?,?,?,?), ref: 005819FA
GetSysColor.USER32(0000000F), ref: 00581A4E
SetBkColor.GDI32(?,00000000), ref: 00581A61

Part of subcall function 00581290: DefDlgProcW.USER32(?,00000020,?), ref: 005812D8

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ColorProc$LongWindow
String ID:
API String ID: 3744519093-0
Opcode ID: 8877cf20e1e55ffea1c951c2387adb1c5f329f9d9ad0e8ea691214703d50623b
Instruction ID: f901660cb2d586e4a1447cd370f8cf8ba256a2037a0a77879eeb70ef8a4f8a8e
Opcode Fuzzy Hash: 8877cf20e1e55ffea1c951c2387adb1c5f329f9d9ad0e8ea691214703d50623b
Instruction Fuzzy Hash: FEA10871102D55FAE72CBB39CC48DBB2E5EFB42351B14061AFD02F6192DA949D0293BD

Function 005F6747 Relevance: 7.6, APIs: 5, Instructions: 141networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005F7D8B: inet_addr.WSOCK32(00000000), ref: 005F7DB6

socket.WSOCK32(00000002,00000002,00000011), ref: 005F679E
WSAGetLastError.WSOCK32(00000000), ref: 005F67C7
bind.WSOCK32(00000000,?,00000010), ref: 005F6800
WSAGetLastError.WSOCK32(00000000), ref: 005F680D
closesocket.WSOCK32(00000000), ref: 005F6821

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ErrorLast$bindclosesocketinet_addrsocket
String ID:
API String ID: 99427753-0
Opcode ID: 86d8d8d117ff5a9edbf29f2f10e6ab39d84ac18694e0f753ae7e3d03dc0bf5df
Instruction ID: 39b992293eb8367196758128ae6494be3f030bbe397ca99dfce20e69d3ac5993
Opcode Fuzzy Hash: 86d8d8d117ff5a9edbf29f2f10e6ab39d84ac18694e0f753ae7e3d03dc0bf5df
Instruction Fuzzy Hash: C241B475640205AFDB50BF248C8AF7E7BA9FB85714F448458FE16AB3C2CA749D018B91

Function 00605376 Relevance: 7.6, APIs: 5, Instructions: 69windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32 ref: 006053C5
IsWindowEnabled.USER32 ref: 006053D3
GetForegroundWindow.USER32(?,?,00000001), ref: 006053E0
IsIconic.USER32 ref: 006053EE
IsZoomed.USER32 ref: 006053FC

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Window$EnabledForegroundIconicVisibleZoomed
String ID:
API String ID: 292994002-0
Opcode ID: aceb2cdfde5da6fff73ca9d1de51ac9a3e01506d233ffdf1895e7dcfd3998aea
Instruction ID: 9d69753849887b26dd5f481b2fa6866905d342cc3dac1787261a10963f5c7001
Opcode Fuzzy Hash: aceb2cdfde5da6fff73ca9d1de51ac9a3e01506d233ffdf1895e7dcfd3998aea
Instruction Fuzzy Hash: 9411B6313809115BEB396F269C48AAB7B9AFF847A1B444029F847D3281DBB09C018FA4

Function 005D80A9 Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005D80C0
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005D80CA
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005D80D9
HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005D80E0
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005D80F6

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: f134b2c13b66eb96a5847d207dccd5e4bbf622c0ebef4c1e5495d4da2ae97d9e
Instruction ID: 9bf8313ea852c3fdf4e902f0079d601eaf47855280f966308bb11ddb9b7b2fa6
Opcode Fuzzy Hash: f134b2c13b66eb96a5847d207dccd5e4bbf622c0ebef4c1e5495d4da2ae97d9e
Instruction Fuzzy Hash: ABF06231280304AFEB304FA9EC8DE773FADFF49B55B000026F945C6250CB619C85DA60

Function 0058E6A0 Relevance: 7.4, Strings: 5, Instructions: 1102COMMON

Download Yara Rule

Strings

Ddd, xrefs: 005C3AF5
Ddd, xrefs: 0058EAC1
Ddd, xrefs: 005C3B2E
Ddd, xrefs: 0058EABA
Variable must be of type 'Object'., xrefs: 005C3E62

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID:
String ID: Ddd$Ddd$Ddd$Ddd$Variable must be of type 'Object'.
API String ID: 0-2865629308
Opcode ID: 17d7f5c04a8702f60576949e25e01c561185d9b14d14490df75d84aa44a100dd
Instruction ID: 16f3feaf9061d96b67ceecaae6581bac17bde615607b3a0259195992aaac1e99
Opcode Fuzzy Hash: 17d7f5c04a8702f60576949e25e01c561185d9b14d14490df75d84aa44a100dd
Instruction Fuzzy Hash: E6A29D74A00219CFCB24EF94C486AAEBBB6FF59314F248459ED06AB351D770ED42CB91

Function 005EC397 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 279comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005EC432
CoCreateInstance.OLE32(00612D6C,00000000,00000001,00612BDC,?), ref: 005EC44A

Part of subcall function 00587DE1: _memmove.LIBCMT ref: 00587E22

CoUninitialize.OLE32 ref: 005EC6B7

Strings

.lnk, xrefs: 005EC3C6, 005EC3EE, 005EC3F8

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_memmove
String ID: .lnk
API String ID: 2683427295-24824748
Opcode ID: 75d1b663e25e663bb88e60b9ae9a496357fc1814bda03002fd2598967b4e76ed
Instruction ID: 33469d969f416e9724fae975ab6339c6d1ce229a551dbe05287609b40cb545c6
Opcode Fuzzy Hash: 75d1b663e25e663bb88e60b9ae9a496357fc1814bda03002fd2598967b4e76ed
Instruction Fuzzy Hash: B2A13A71104206AFD700EF54C885EABBBECFFC8358F044919F596A7192EB71E949CB92

Function 00584B37 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00584AD0), ref: 00584B45
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00584B57

Strings

kernel32.dll, xrefs: 00584B40
GetNativeSystemInfo, xrefs: 00584B51

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetNativeSystemInfo$kernel32.dll
API String ID: 2574300362-192647395
Opcode ID: 4e3fbbc3d35353b04e8a133b58d14d382b5cd4426f4c8e4d455580f0bc984ba2
Instruction ID: 3e0ee857ea9bf3fd643245cf46cc95a75951b9b97b82cfea5c617242c1681aff
Opcode Fuzzy Hash: 4e3fbbc3d35353b04e8a133b58d14d382b5cd4426f4c8e4d455580f0bc984ba2
Instruction Fuzzy Hash: 36D01234A50713CFDB30AF31D818B0776D5BF05351B11887998C5D6990E770D480CF54

Function 005FEE0D Relevance: 6.2, APIs: 4, Instructions: 164processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 005FEE3D
Process32FirstW.KERNEL32(00000000,?), ref: 005FEE4B

Part of subcall function 00587DE1: _memmove.LIBCMT ref: 00587E22

Process32NextW.KERNEL32(00000000,?), ref: 005FEF0B
CloseHandle.KERNEL32(00000000,?,?,?), ref: 005FEF1A

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
String ID:
API String ID: 2576544623-0
Opcode ID: d40c6c0afe529da6fa610852ebe5d536e0f9b9710e015bb5cf33e97e826129a5
Instruction ID: be8af72366c8b240e4a43f265c4524d2f23bab91cdaae6d2adfc6cb4b5af3f59
Opcode Fuzzy Hash: d40c6c0afe529da6fa610852ebe5d536e0f9b9710e015bb5cf33e97e826129a5
Instruction Fuzzy Hash: 3F5151715043169FD310EF24DC86E6BBBE8FF94710F54482DF995A62A1EB70E904CB92

Function 005DE616 Relevance: 5.1, APIs: 1, Strings: 2, Instructions: 561stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 005DE628

Strings

|, xrefs: 005DE658
(, xrefs: 005DE66E

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: lstrlen
String ID: ($|
API String ID: 1659193697-1631851259
Opcode ID: 65e283b8f76e4bd9b80e7eb3f08f4b6586a40ae6a1f9be3a971770b667bab144
Instruction ID: c39afc0a3875a20ad7a6391e0ae1512dba5786c3d604c8b8d91d65cdbaf89e1d
Opcode Fuzzy Hash: 65e283b8f76e4bd9b80e7eb3f08f4b6586a40ae6a1f9be3a971770b667bab144
Instruction Fuzzy Hash: 43321275A006059FDB28DF19D4819AABBF1FF48320B15C46FE89ADB3A1E770E941CB40

Function 005F22EE Relevance: 4.7, APIs: 3, Instructions: 164networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,005F180A,00000000), ref: 005F23E1
InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 005F2418

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Internet$AvailableDataFileQueryRead
String ID:
API String ID: 599397726-0
Opcode ID: e33e35caef42a4ef1a765e782ce689f388f439ae63c09db9549625cfc431e3c3
Instruction ID: 1db0395b3e2223e22cc89962060807b03c8e79ace130d20ab2e95e633ff5c8c0
Opcode Fuzzy Hash: e33e35caef42a4ef1a765e782ce689f388f439ae63c09db9549625cfc431e3c3
Instruction Fuzzy Hash: BC41A3F150420DBFEF20DE95DC89EBBBBADFB80314F10446AF701A6180EAB99E419650

Function 005EB333 Relevance: 4.6, APIs: 3, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005EB343
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 005EB39D
SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 005EB3EA

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 66e96c69d1f13340b3d1a20f6e503ce58b9cc35bc2d7a27a2ee8e2611e784337
Instruction ID: 23929b24ec78db3d700f803c3e74013b9aa0457ec7fa5ee66b5f984cdd2ce0d0
Opcode Fuzzy Hash: 66e96c69d1f13340b3d1a20f6e503ce58b9cc35bc2d7a27a2ee8e2611e784337
Instruction Fuzzy Hash: 5C217135A00109EFCB00EFA5D885AEEBFB9FF89314F1480AAE945AB351DB319915CF51

Function 005D87E1 Relevance: 4.6, APIs: 3, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 005A0DB6: std::exception::exception.LIBCMT ref: 005A0DEC
Part of subcall function 005A0DB6: __CxxThrowException@8.LIBCMT ref: 005A0E01

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005D882B
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005D8858
GetLastError.KERNEL32 ref: 005D8865

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
String ID:
API String ID: 1922334811-0
Opcode ID: a8fe767b1c985b067c4d1134fe20e2338474c55e97a98d062edcbd849cef7670
Instruction ID: 3f0be111fded88f78952e4e84b2bbf473528f0ddba6816f961ecf5740de942ba
Opcode Fuzzy Hash: a8fe767b1c985b067c4d1134fe20e2338474c55e97a98d062edcbd849cef7670
Instruction Fuzzy Hash: 541160B2414205AFE728EF58DC85D6BBBADFB45710B10852EE45697741DA30BC408B60

Function 005D874B Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 005D8774
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 005D878B
FreeSid.ADVAPI32(?), ref: 005D879B

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: 198f5f0d991e9b9b135bdef17930eb67f254fe0ceae8d8c67543b2005efdac9d
Instruction ID: 381d94e2913d0f86e52dba2d46468727079dcab0b7e50c623f510c47b5b0dbb8
Opcode Fuzzy Hash: 198f5f0d991e9b9b135bdef17930eb67f254fe0ceae8d8c67543b2005efdac9d
Instruction Fuzzy Hash: 94F04975A5130CBFDF10DFF4DC99ABEBBBDEF08601F1044A9A902E2681E6716A448B50

Function 005E8889 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__time64.LIBCMT ref: 005E889B

Part of subcall function 005A520A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,005E8F6E,00000000,?,?,?,?,005E911F,00000000,?), ref: 005A5213
Part of subcall function 005A520A: __aulldiv.LIBCMT ref: 005A5233

Strings

0ed, xrefs: 005E8892

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Time$FileSystem__aulldiv__time64
String ID: 0ed
API String ID: 2893107130-2306803233
Opcode ID: 4b6e00d30329207da091942aacd2e69749a77bca54229c2ccfed6e92dab62b76
Instruction ID: b22891245b61a21d7e8b274d2409104a56620bbc29fb1c83ecf5ec3efef93c95
Opcode Fuzzy Hash: 4b6e00d30329207da091942aacd2e69749a77bca54229c2ccfed6e92dab62b76
Instruction Fuzzy Hash: 1021B436635510CBC72DCF25D841A62B7E2EFA6311B688E6CE5F9CB2C0CA34B945CB54

Function 005EC6D1 Relevance: 3.1, APIs: 2, Instructions: 52fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 005EC6FB
FindClose.KERNEL32(00000000), ref: 005EC72B

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: e54563b2a0c2dd9b01e57a5fdfe1e83684fa743f67874f655844664e811d2ebb
Instruction ID: 8913382a447741da1368564ff26a352ecbaf2810902611f0fd093cf17af80f88
Opcode Fuzzy Hash: e54563b2a0c2dd9b01e57a5fdfe1e83684fa743f67874f655844664e811d2ebb
Instruction Fuzzy Hash: 301182716002019FDB14EF29D84992AFBE5FF85324F04851EF9A697291DB30EC05CF81

Function 005EA06A Relevance: 3.0, APIs: 2, Instructions: 31windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,005F9468,?,0060FB84,?), ref: 005EA097
FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,005F9468,?,0060FB84,?), ref: 005EA0A9

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 3dc45ddb29425888882ebaf8c1e6907afc2a45f05bb3a9ce7bcdfbdc4ba58044
Instruction ID: bf5130487d76de2a2e7a860a62c41e51e55ca19929b2df42898595ca0f3c720a
Opcode Fuzzy Hash: 3dc45ddb29425888882ebaf8c1e6907afc2a45f05bb3a9ce7bcdfbdc4ba58044
Instruction Fuzzy Hash: F6F0823554622DABDB61AFA4CC4CFEA7B6DBF08361F004165F949D6181D670AA40CBA1

Function 005D81CB Relevance: 3.0, APIs: 2, Instructions: 22COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005D8309), ref: 005D81E0
CloseHandle.KERNEL32(?,?,005D8309), ref: 005D81F2

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: cf783d58bc86f956139ba4f4d1dd4be8361a0898ae189ba451ff144c09cceb1b
Instruction ID: 40215329047ecd5b5d6210bd3eca642bc286a9e09fc4a05d447da8ce102268e2
Opcode Fuzzy Hash: cf783d58bc86f956139ba4f4d1dd4be8361a0898ae189ba451ff144c09cceb1b
Instruction Fuzzy Hash: 9AE0E671010611AFEB352B64EC09D777BEEFF44310714982DF45684470DB615C91DB50

Function 005AA155 Relevance: 3.0, APIs: 2, Instructions: 8COMMONLIBRARYCODE

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(00000000,?,005A8D57,?,?,?,00000001), ref: 005AA15A
UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 005AA163

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 78d3a800b4b2b904554d9793cbc7f3177d9c12182f442bce423e99436926e98e
Instruction ID: df8c448ed63c9dbd55d204e309d7347267f905cfb9aba45d31ce868458728936
Opcode Fuzzy Hash: 78d3a800b4b2b904554d9793cbc7f3177d9c12182f442bce423e99436926e98e
Instruction Fuzzy Hash: 53B09231098208ABCB142B91EC09B8A3F6AEB45AB2F406020F60D84860CF6254508AD1

Function 005AF1D9 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24f7e8b0add034c6129538ea5f46d89858c692194800dcac52d03b3e7879bc68
Instruction ID: 384ad2289c0979ddde9cac6a9c474ebb16cfd5767a263bdb172eba3ddd9edebb
Opcode Fuzzy Hash: 24f7e8b0add034c6129538ea5f46d89858c692194800dcac52d03b3e7879bc68
Instruction Fuzzy Hash: F7320621D69F414DD7239A34D83233AA659BFB73D4F15D737F81AB59A6EB28C4834200

Function 005B242E Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83d6acbafcdad0512c691af3935182d5158abf71171146fd1fd0f942b87836a8
Instruction ID: e2c9abbc21ba6f43cc1b17ec3cdf4adb1bc7e6c0469b91435590dd3bcf4658a1
Opcode Fuzzy Hash: 83d6acbafcdad0512c691af3935182d5158abf71171146fd1fd0f942b87836a8
Instruction Fuzzy Hash: 37B1F030E2AF414DD32396798831336BA9DAFBB2D5F55E71BFC2A74D22EB2185834141

Function 005E4C53 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 005E4C76

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: mouse_event
String ID:
API String ID: 2434400541-0
Opcode ID: 56f3571293429696ff2d06c7a2e85604b2b568c01712c1d15011e5903078b645
Instruction ID: bde909935b3e7a5e1c4e0467d7d377a32c516f523baace2375dc2787d7d071bc
Opcode Fuzzy Hash: 56f3571293429696ff2d06c7a2e85604b2b568c01712c1d15011e5903078b645
Instruction Fuzzy Hash: 28D05EA016228938EF2C07228D4FF7A1909F3C0F81FA595CA72C9C70C0E8D05C00A834

Function 005D87B1 Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

LogonUserW.ADVAPI32(?,00000001,?,?,00000000,005D8389), ref: 005D87D1

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: LogonUser
String ID:
API String ID: 1244722697-0
Opcode ID: ceee1dd046588535e9fc9583e1493ede2a1e99a59b5c664affde6ac5bdc069d2
Instruction ID: 6140dfc03ef617dd1674a9c173ba3c26dfadf257aa4b70ae29d35a77972682d0
Opcode Fuzzy Hash: ceee1dd046588535e9fc9583e1493ede2a1e99a59b5c664affde6ac5bdc069d2
Instruction Fuzzy Hash: 63D05E322A050EABEF018FA4DC01EAF3B6AEB04B01F408111FE16C50A1C775D835AB60

Function 005AA124 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(?), ref: 005AA12A

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: e36624f0b0ed8dd393ee163498c14c4f6c8b1e33e7a72af29b07570397f56931
Instruction ID: 6b21b2ca911a52155ce86f6494b8e95cf97cdfffda4a95d38faecf27379ce0d9
Opcode Fuzzy Hash: e36624f0b0ed8dd393ee163498c14c4f6c8b1e33e7a72af29b07570397f56931
Instruction Fuzzy Hash: B3A0123004410CA7CB001B41EC044457F5DD6001A07005020F40C404218F32541045C0

Function 00598808 Relevance: .6, Instructions: 590COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccf4ae06ddb8289e88d661c39c9215398c6a3acbfb92cd076978a89026da5969
Instruction ID: 9ac1bed78d14f7983b63c5298d3329746ca1eafb6db6071e94d7392639b497f7
Opcode Fuzzy Hash: ccf4ae06ddb8289e88d661c39c9215398c6a3acbfb92cd076978a89026da5969
Instruction Fuzzy Hash: C9221330A04506CBDF388A68C49477CBFA1FF42354F38886BD9968B692EB70DD91CA41

Function 005A21C5 Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction ID: 548443703cbca80b0684de924417bd1558c7695e3e901be638cf98e6ea5e71c0
Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
Instruction Fuzzy Hash: 37C183362055A30ADF2D463E843513EBEA17FA37B1B1A076DD8B3DB1D4EE20C925D620

Function 005A25FA Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction ID: 36acbdaa0572f1309fd0121bf561ca615cc78ef2d400f77a56ebf7706006ae6e
Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
Instruction Fuzzy Hash: 05C170322055A30ADF2D463E843513EBEA17FA37B1B1A076DE4B3DB1D5EE20C965D620

Function 005A1978 Relevance: .3, Instructions: 323COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction ID: 825d6aded47f26bc75495a82d6271e9ca7e6d643cba0b767aae26d5a5a8c2e2d
Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
Instruction Fuzzy Hash: A3C170322099A309DF2D463A847413EBFA17FA37B1B1A176DD4B3DB1C4EE20C925D664

Function 005F7806 Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 491filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 005F785B
DeleteObject.GDI32(00000000), ref: 005F786D
DestroyWindow.USER32 ref: 005F787B
GetDesktopWindow.USER32 ref: 005F7895
GetWindowRect.USER32(00000000), ref: 005F789C
SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 005F79DD
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 005F79ED
CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005F7A35
GetClientRect.USER32(00000000,?), ref: 005F7A41
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 005F7A7B
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005F7A9D
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005F7AB0
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005F7ABB
GlobalLock.KERNEL32(00000000), ref: 005F7AC4
ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005F7AD3
GlobalUnlock.KERNEL32(00000000), ref: 005F7ADC
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005F7AE3
GlobalFree.KERNEL32(00000000), ref: 005F7AEE
CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005F7B00
OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00612CAC,00000000), ref: 005F7B16
GlobalFree.KERNEL32(00000000), ref: 005F7B26
CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 005F7B4C
SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 005F7B6B
SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005F7B8D
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 005F7D7A

Strings

DISPLAY, xrefs: 005F7BDD
, xrefs: 005F7D00
static, xrefs: 005F7A75, 005F7BCC
AutoIt v3, xrefs: 005F7A2D

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 3c42a16a4d2ae6ba79ffe1f1157d47a6ef755267b1c766f7649332c47a48a073
Instruction ID: 09d7a31669eae970ec568cad54c8bab517b3dad5e875dae56b33b34328126e48
Opcode Fuzzy Hash: 3c42a16a4d2ae6ba79ffe1f1157d47a6ef755267b1c766f7649332c47a48a073
Instruction Fuzzy Hash: FA025A71900119EFDB14DFA4DD89EAF7BBAFB49310F148169F905AB2A1CB74AD01CB60

Function 0060356B Relevance: 51.1, APIs: 6, Strings: 23, Instructions: 365windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,0060F910), ref: 00603627
IsWindowVisible.USER32(?), ref: 0060364B

Strings

EDITPASTE, xrefs: 0060395F
GETCURRENTSELECTION, xrefs: 006037E3
GETLINECOUNT, xrefs: 006038C6
GETSELECTED, xrefs: 006038A3
FINDSTRING, xrefs: 00603776
TABRIGHT, xrefs: 0060369D
ADDSTRING, xrefs: 00603716
UNCHECK, xrefs: 00603883
GETLINE, xrefs: 0060399B
SHOWDROPDOWN, xrefs: 006036E0
CURRENTTAB, xrefs: 006036BD
ISVISIBLE, xrefs: 00603637
GETCURRENTLINE, xrefs: 006038ED
ISENABLED, xrefs: 0060366B
DELSTRING, xrefs: 00603749
SENDCOMMANDID, xrefs: 006039DA
SETCURRENTSELECTION, xrefs: 006037B6
GETCURRENTCOL, xrefs: 00603928
ISCHECKED, xrefs: 00603839
HIDEDROPDOWN, xrefs: 00603700
SELECTSTRING, xrefs: 00603806
CHECK, xrefs: 0060386D
TABLEFT, xrefs: 00603687

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: BuffCharUpperVisibleWindow
String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
API String ID: 4105515805-45149045
Opcode ID: 8137547c93396ea1bf734393157ab44d46113366ddec1b181c098de0ae64cdde
Instruction ID: a3379b43a28ebfafdad25c66c672e5fe53db1e71c8f642278b46dadc5b0e0c2d
Opcode Fuzzy Hash: 8137547c93396ea1bf734393157ab44d46113366ddec1b181c098de0ae64cdde
Instruction Fuzzy Hash: 17D193302543129BCB18EF10C459A6F7FAABF95345F184459F8825B3E2DB71DE0ACB91

Function 0060A5DA Relevance: 49.8, APIs: 33, Instructions: 260COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0060A630
GetSysColorBrush.USER32(0000000F), ref: 0060A661
GetSysColor.USER32(0000000F), ref: 0060A66D
SetBkColor.GDI32(?,000000FF), ref: 0060A687
SelectObject.GDI32(?,00000000), ref: 0060A696
InflateRect.USER32(?,000000FF,000000FF), ref: 0060A6C1
GetSysColor.USER32(00000010), ref: 0060A6C9
CreateSolidBrush.GDI32(00000000), ref: 0060A6D0
FrameRect.USER32(?,?,00000000), ref: 0060A6DF
DeleteObject.GDI32(00000000), ref: 0060A6E6
InflateRect.USER32(?,000000FE,000000FE), ref: 0060A731
FillRect.USER32(?,?,00000000), ref: 0060A763
GetWindowLongW.USER32(?,000000F0), ref: 0060A78E

Part of subcall function 0060A8CA: GetSysColor.USER32(00000012), ref: 0060A903
Part of subcall function 0060A8CA: SetTextColor.GDI32(?,?), ref: 0060A907
Part of subcall function 0060A8CA: GetSysColorBrush.USER32(0000000F), ref: 0060A91D
Part of subcall function 0060A8CA: GetSysColor.USER32(0000000F), ref: 0060A928
Part of subcall function 0060A8CA: GetSysColor.USER32(00000011), ref: 0060A945
Part of subcall function 0060A8CA: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0060A953
Part of subcall function 0060A8CA: SelectObject.GDI32(?,00000000), ref: 0060A964
Part of subcall function 0060A8CA: SetBkColor.GDI32(?,00000000), ref: 0060A96D
Part of subcall function 0060A8CA: SelectObject.GDI32(?,?), ref: 0060A97A
Part of subcall function 0060A8CA: InflateRect.USER32(?,000000FF,000000FF), ref: 0060A999
Part of subcall function 0060A8CA: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0060A9B0
Part of subcall function 0060A8CA: GetWindowLongW.USER32(00000000,000000F0), ref: 0060A9C5
Part of subcall function 0060A8CA: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0060A9ED

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
String ID:
API String ID: 3521893082-0
Opcode ID: 6f905c1ce943d3afc59e34a95834f397ff86121908e1761985506f6814e99d60
Instruction ID: f970d494eb7be89cf211e347ad8eafae0f7709c5aaa6db5fe167f833a24b004c
Opcode Fuzzy Hash: 6f905c1ce943d3afc59e34a95834f397ff86121908e1761985506f6814e99d60
Instruction Fuzzy Hash: E491AC72048301EFC7219FA4DC08A9B7BBAFF89320F105B29F9A2961E0D771D845CB52

Function 005F74AB Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 284windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 005F74DE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 005F759D
SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 005F75DB
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 005F75ED
CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 005F7633
GetClientRect.USER32(00000000,?), ref: 005F763F
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 005F7683
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 005F7692
GetStockObject.GDI32(00000011), ref: 005F76A2
SelectObject.GDI32(00000000,00000000), ref: 005F76A6
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 005F76B6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005F76BF
DeleteDC.GDI32(00000000), ref: 005F76C8
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 005F76F4
SendMessageW.USER32(00000030,00000000,00000001), ref: 005F770B
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 005F7746
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 005F775A
SendMessageW.USER32(00000404,00000001,00000000), ref: 005F776B
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 005F779B
GetStockObject.GDI32(00000011), ref: 005F77A6
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 005F77B1
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 005F77BB

Strings

DISPLAY, xrefs: 005F7688
static, xrefs: 005F767D, 005F7795
AutoIt v3, xrefs: 005F762B
msctls_progress32, xrefs: 005F773C

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: cb0067d1528786e985ddfa12676915ab60027845abce457763e1eff007ee7361
Instruction ID: b45b5ddf9caaf660bdfdd7f1c5538cc4e7047515c2370080c12ad158d5b46b42
Opcode Fuzzy Hash: cb0067d1528786e985ddfa12676915ab60027845abce457763e1eff007ee7361
Instruction Fuzzy Hash: 4EA16F71A40609BFEB14DBA4DC4AFAF7BAAFB49710F044115FA15A72E1D7B4AD00CB60

Function 005EAD10 Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 186COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005EAD1E
GetDriveTypeW.KERNEL32(?,0060FAC0,?,\\.\,0060F910), ref: 005EADFB
SetErrorMode.KERNEL32(00000000,0060FAC0,?,\\.\,0060F910), ref: 005EAF59

Strings

CDROM, xrefs: 005EAE2F
RAMDisk, xrefs: 005EAE25
1394, xrefs: 005EAEDB
SSD, xrefs: 005EAE86
PhysicalDrive, xrefs: 005EADA7
\\.\, xrefs: 005EAD70
Removable, xrefs: 005EAE4D
ATAPI, xrefs: 005EAECD
Fibre, xrefs: 005EAEE9
RAID, xrefs: 005EAEF7
Fixed, xrefs: 005EAE43
MMC, xrefs: 005EAF1A
iSCSI, xrefs: 005EAEFE
Network, xrefs: 005EAE39
SSA, xrefs: 005EAEE2
USB, xrefs: 005EAEF0
SAS, xrefs: 005EAF05
SCSI, xrefs: 005EAEC6
FileBackedVirtual, xrefs: 005EAF28
Virtual, xrefs: 005EAF21
SATA, xrefs: 005EAF0C
ATA, xrefs: 005EAED4
Unknown, xrefs: 005EAE1B, 005EAEBF

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: e6334d05e453d9cb9c5500e703ebda74f95e256ebe468c7e524fe05f5277f4f3
Instruction ID: b71abc107bb4168eb3a6579dfd0de51f046131b2a037c9984002b0216ac9da9d
Opcode Fuzzy Hash: e6334d05e453d9cb9c5500e703ebda74f95e256ebe468c7e524fe05f5277f4f3
Instruction Fuzzy Hash: 0E51C8B4644246DFCB18EB32C946CBD7FA2FF48700B214556F897A7291EA30BD01DB92

Function 005868DC Relevance: 44.0, APIs: 12, Strings: 13, Instructions: 275COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 00586931
__wcsnicmp.LIBCMT ref: 00586949
__wcsnicmp.LIBCMT ref: 00586961
__wcsnicmp.LIBCMT ref: 00586979
__wcsnicmp.LIBCMT ref: 00586991
__wcsnicmp.LIBCMT ref: 005869A9
__wcsnicmp.LIBCMT ref: 005869C1
__wcsnicmp.LIBCMT ref: 005869D5
__wcsnicmp.LIBCMT ref: 00586A16
__wcsnicmp.LIBCMT ref: 00586A2A
__wcsnicmp.LIBCMT ref: 00586A3E
__wcsnicmp.LIBCMT ref: 00586A52

Strings

#include-once, xrefs: 0058698B
Bad directive syntax error, xrefs: 005BE31A
#comments-start, xrefs: 005869BB, 00586A10
#ce, xrefs: 00586A4C
#comments-end, xrefs: 00586A38
#OnAutoItStartRegister, xrefs: 00586973
Cannot parse #include, xrefs: 005BE3F0
#include, xrefs: 005869A3
Unterminated group of comments, xrefs: 005BE403
#pragma compile, xrefs: 0058692B
#notrayicon, xrefs: 00586943
#requireadmin, xrefs: 0058695B
#cs, xrefs: 005869CF, 00586A24

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 1038674560-86951937
Opcode ID: 5d17db25f0cd9e37432c81c0d2cfdfab788fc256630da2590e50220791c1676b
Instruction ID: 89a8cfe7d10e917a9aa8e8bf511492fa7860b9e6cba561fabda47d4b48bebf6d
Opcode Fuzzy Hash: 5d17db25f0cd9e37432c81c0d2cfdfab788fc256630da2590e50220791c1676b
Instruction Fuzzy Hash: 8581F3B0640206ABCB25BA60DC47FEE3FA9FF55700F080025FD45BA1D6EB60EA41D7A1

Function 00609A1C Relevance: 42.5, APIs: 23, Strings: 1, Instructions: 455windowCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00609AD2
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00609B8B
SendMessageW.USER32(?,00001102,00000002,?), ref: 00609BA7

Strings

0, xrefs: 00609BE4

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend$Window
String ID: 0
API String ID: 2326795674-4108050209
Opcode ID: 2c1d840b29ec524d9ff243fa8b128e2ed75fa471e092d48453bd1efdbc746254
Instruction ID: eedbb5ba99ebf6bd94f704c63f3b100a681b0a26b29b01857cafdd531afe66f9
Opcode Fuzzy Hash: 2c1d840b29ec524d9ff243fa8b128e2ed75fa471e092d48453bd1efdbc746254
Instruction Fuzzy Hash: 8E02BC30184201AFE729CF24C848BABBBE7FF89314F04852DF995962E2C775D845CB62

Function 0060A8CA Relevance: 39.2, APIs: 26, Instructions: 187windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 0060A903
SetTextColor.GDI32(?,?), ref: 0060A907
GetSysColorBrush.USER32(0000000F), ref: 0060A91D
GetSysColor.USER32(0000000F), ref: 0060A928
CreateSolidBrush.GDI32(?), ref: 0060A92D
GetSysColor.USER32(00000011), ref: 0060A945
CreatePen.GDI32(00000000,00000001,00743C00), ref: 0060A953
SelectObject.GDI32(?,00000000), ref: 0060A964
SetBkColor.GDI32(?,00000000), ref: 0060A96D
SelectObject.GDI32(?,?), ref: 0060A97A
InflateRect.USER32(?,000000FF,000000FF), ref: 0060A999
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0060A9B0
GetWindowLongW.USER32(00000000,000000F0), ref: 0060A9C5
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0060A9ED
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0060AA14
InflateRect.USER32(?,000000FD,000000FD), ref: 0060AA32
DrawFocusRect.USER32(?,?), ref: 0060AA3D
GetSysColor.USER32(00000011), ref: 0060AA4B
SetTextColor.GDI32(?,00000000), ref: 0060AA53
DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0060AA67
SelectObject.GDI32(?,0060A5FA), ref: 0060AA7E
DeleteObject.GDI32(?), ref: 0060AA89
SelectObject.GDI32(?,?), ref: 0060AA8F
DeleteObject.GDI32(?), ref: 0060AA94
SetTextColor.GDI32(?,?), ref: 0060AA9A
SetBkColor.GDI32(?,?), ref: 0060AAA4

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 709c673f994793bd042b9eb2f4f9a8b13ee2cd00182bd5a7d549f53db5034862
Instruction ID: 7c9b584c90d3fc32ef0c6add71e301774f0150a9648633b95c4542e78c41141c
Opcode Fuzzy Hash: 709c673f994793bd042b9eb2f4f9a8b13ee2cd00182bd5a7d549f53db5034862
Instruction Fuzzy Hash: 97514971940208EFDB219FA4DC48EAFBBBAFB49320F115265F911AB2E1D7719940DF90

Function 006089D5 Relevance: 38.9, APIs: 21, Strings: 1, Instructions: 401windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00608AC1
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00608AD2
CharNextW.USER32(0000014E), ref: 00608B01
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00608B42
SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00608B58
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00608B69
SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00608B86
SetWindowTextW.USER32(?,0000014E), ref: 00608BD8
SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00608BEE
SendMessageW.USER32(?,00001002,00000000,?), ref: 00608C1F
_memset.LIBCMT ref: 00608C44
SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00608C8D
_memset.LIBCMT ref: 00608CEC
SendMessageW.USER32(?,00001053,000000FF,?), ref: 00608D16
SendMessageW.USER32(?,00001074,?,00000001), ref: 00608D6E
SendMessageW.USER32(?,0000133D,?,?), ref: 00608E1B
InvalidateRect.USER32(?,00000000,00000001), ref: 00608E3D
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00608E87
SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00608EB4
DrawMenuBar.USER32(?), ref: 00608EC3
SetWindowTextW.USER32(?,0000014E), ref: 00608EEB

Strings

0, xrefs: 00608E55

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
String ID: 0
API String ID: 1073566785-4108050209
Opcode ID: d57cc7b746fb02edcfd7184f5048bcc1c68d365f6ffca482812f360401af48d6
Instruction ID: a75c8ac4994c0a5b4bec1a3b78834794cd9380230f71c87f1e70cbe3b63cdcc7
Opcode Fuzzy Hash: d57cc7b746fb02edcfd7184f5048bcc1c68d365f6ffca482812f360401af48d6
Instruction Fuzzy Hash: 76E16D70940209AFDB24DF64CC88AEF7BBAEF05750F10815AF955AB2D1DB708981DF60

Function 0060488F Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 290windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 006049CA
GetDesktopWindow.USER32 ref: 006049DF
GetWindowRect.USER32(00000000), ref: 006049E6
GetWindowLongW.USER32(?,000000F0), ref: 00604A48
DestroyWindow.USER32(?), ref: 00604A74
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00604A9D
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00604ABB
SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00604AE1
SendMessageW.USER32(?,00000421,?,?), ref: 00604AF6
SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00604B09
IsWindowVisible.USER32(?), ref: 00604B29
SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00604B44
SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00604B58
GetWindowRect.USER32(?,?), ref: 00604B70
MonitorFromPoint.USER32(?,?,00000002), ref: 00604B96
GetMonitorInfoW.USER32(00000000,?), ref: 00604BB0
CopyRect.USER32(?,?), ref: 00604BC7
SendMessageW.USER32(?,00000412,00000000), ref: 00604C32

Strings

(, xrefs: 00604BA3
tooltips_class32, xrefs: 00604A96
0, xrefs: 00604975

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: 25a79c7a3c8e3a9c68540f606499807f1f74333c46b15a14651fbf62c8b39a47
Instruction ID: 09dc18f94847da64b3642e7e7ab76809648133a3a81d646a756307c1343d7ff2
Opcode Fuzzy Hash: 25a79c7a3c8e3a9c68540f606499807f1f74333c46b15a14651fbf62c8b39a47
Instruction Fuzzy Hash: 67B18DB0648341AFD718DF64C848B6BBBE6BF84314F00891CF999AB2A1DB71EC05CB55

Function 005E449A Relevance: 36.9, APIs: 16, Strings: 5, Instructions: 179COMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(?,?), ref: 005E44AC
GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 005E44D2
_wcscpy.LIBCMT ref: 005E4500
_wcscmp.LIBCMT ref: 005E450B
_wcscat.LIBCMT ref: 005E4521
_wcsstr.LIBCMT ref: 005E452C
VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 005E4548
_wcscat.LIBCMT ref: 005E4591
_wcscat.LIBCMT ref: 005E4598
_wcsncpy.LIBCMT ref: 005E45C3

Strings

\VarFileInfo\Translation, xrefs: 005E4540
StringFileInfo\, xrefs: 005E451B
%u.%u.%u.%u, xrefs: 005E4626
04090000, xrefs: 005E457E
DefaultLangCodepage, xrefs: 005E45AB

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
API String ID: 699586101-1459072770
Opcode ID: 4e372a57e91088e803bb857d263226d61240d47960f030added6158f4fd9a594
Instruction ID: 1b3c63bbd53748aa6af6471978f73abae0546f91fc2ed11df0e7c2843402d1d8
Opcode Fuzzy Hash: 4e372a57e91088e803bb857d263226d61240d47960f030added6158f4fd9a594
Instruction Fuzzy Hash: 0541FA31A40201BBDB14AB759C4BEBF7FACFF87710F040466F945E61C2EB749A0196A5

Function 005827D9 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 286windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005828BC
GetSystemMetrics.USER32(00000007), ref: 005828C4
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005828EF
GetSystemMetrics.USER32(00000008), ref: 005828F7
GetSystemMetrics.USER32(00000004), ref: 0058291C
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00582939
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00582949
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0058297C
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00582990
GetClientRect.USER32(00000000,000000FF), ref: 005829AE
GetStockObject.GDI32(00000011), ref: 005829CA
SendMessageW.USER32(00000000,00000030,00000000), ref: 005829D5

Part of subcall function 00582344: GetCursorPos.USER32(?), ref: 00582357
Part of subcall function 00582344: ScreenToClient.USER32(006457B0,?), ref: 00582374
Part of subcall function 00582344: GetAsyncKeyState.USER32(00000001), ref: 00582399
Part of subcall function 00582344: GetAsyncKeyState.USER32(00000002), ref: 005823A7

SetTimer.USER32(00000000,00000000,00000028,00581256), ref: 005829FC

Strings

AutoIt v3 GUI, xrefs: 00582974

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: 6f7fbc7efe6924d5a90b9a30a955d3c0e5f1ce658b07d7aa2e6b4cba27d8da9a
Instruction ID: 8dc4b363e9002aba7868b882c721fa69acbe7530d2764bcd964bcd413cdbd378
Opcode Fuzzy Hash: 6f7fbc7efe6924d5a90b9a30a955d3c0e5f1ce658b07d7aa2e6b4cba27d8da9a
Instruction Fuzzy Hash: D9B16E75A4020ADFDB14EFA8DC49BAE7FB5FB48710F104129FA16A7290DB74A841CF54

Function 005DA439 Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 273windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 005DA47A
__swprintf.LIBCMT ref: 005DA51B
_wcscmp.LIBCMT ref: 005DA52E
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 005DA583
_wcscmp.LIBCMT ref: 005DA5BF
GetClassNameW.USER32(?,?,00000400), ref: 005DA5F6
GetDlgCtrlID.USER32(?), ref: 005DA648
GetWindowRect.USER32(?,?), ref: 005DA67E
GetParent.USER32(?), ref: 005DA69C
ScreenToClient.USER32(00000000), ref: 005DA6A3
GetClassNameW.USER32(?,?,00000100), ref: 005DA71D
_wcscmp.LIBCMT ref: 005DA731
GetWindowTextW.USER32(?,?,00000400), ref: 005DA757
_wcscmp.LIBCMT ref: 005DA76B

Part of subcall function 005A362C: _iswctype.LIBCMT ref: 005A3634

Strings

%s%u, xrefs: 005DA515

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
String ID: %s%u
API String ID: 3744389584-679674701
Opcode ID: 4b085aba67782b65ea2b01c3b9aa54f4a49ae7cc472f54676cdb2939910df6f5
Instruction ID: e5cd0ba05750a95cf038c67f3d27e3dcc59498414af85fb97255d7b9c2076c05
Opcode Fuzzy Hash: 4b085aba67782b65ea2b01c3b9aa54f4a49ae7cc472f54676cdb2939910df6f5
Instruction Fuzzy Hash: 88A1B371604606EFDB25DF68C884BABBBE8FF44314F00452BF999D2250DB30E955CB92

Function 005DAED4 Relevance: 26.5, APIs: 13, Strings: 2, Instructions: 249COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(00000008,?,00000400), ref: 005DAF18
_wcscmp.LIBCMT ref: 005DAF29
GetWindowTextW.USER32(00000001,?,00000400), ref: 005DAF51
CharUpperBuffW.USER32(?,00000000), ref: 005DAF6E
_wcscmp.LIBCMT ref: 005DAF8C
_wcsstr.LIBCMT ref: 005DAF9D
GetClassNameW.USER32(00000018,?,00000400), ref: 005DAFD5
_wcscmp.LIBCMT ref: 005DAFE5
GetWindowTextW.USER32(00000002,?,00000400), ref: 005DB00C
GetClassNameW.USER32(00000018,?,00000400), ref: 005DB055
_wcscmp.LIBCMT ref: 005DB065
GetClassNameW.USER32(00000010,?,00000400), ref: 005DB08D
GetWindowRect.USER32(00000004,?), ref: 005DB0F6

Strings

@, xrefs: 005DAEF9
ThumbnailClass, xrefs: 005DAFE0, 005DB060

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
String ID: @$ThumbnailClass
API String ID: 1788623398-1539354611
Opcode ID: b5fbfc9ef704180146c4148e69b1ac7d2967deb4a0c752b860bf43005b1efa30
Instruction ID: 4aeb1d669c1a4ec58e8ba3bef7667b626bca33cac0e18d6f4b9f0e99ec41a28f
Opcode Fuzzy Hash: b5fbfc9ef704180146c4148e69b1ac7d2967deb4a0c752b860bf43005b1efa30
Instruction Fuzzy Hash: 87818E71108206DBEB25DF18C889BAB7FE9FF84314F04846BFD859A291DB30D945CB62

Function 0060C5FE Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 181windowfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00582612: GetWindowLongW.USER32(?,000000EB), ref: 00582623

DragQueryPoint.SHELL32(?,?), ref: 0060C627

Part of subcall function 0060AB37: ClientToScreen.USER32(?,?), ref: 0060AB60
Part of subcall function 0060AB37: GetWindowRect.USER32(?,?), ref: 0060ABD6
Part of subcall function 0060AB37: PtInRect.USER32(?,?,0060C014), ref: 0060ABE6

SendMessageW.USER32(?,000000B0,?,?), ref: 0060C690
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0060C69B
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0060C6BE
_wcscat.LIBCMT ref: 0060C6EE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 0060C705
SendMessageW.USER32(?,000000B0,?,?), ref: 0060C71E
SendMessageW.USER32(?,000000B1,?,?), ref: 0060C735
SendMessageW.USER32(?,000000B1,?,?), ref: 0060C757
DragFinish.SHELL32(?), ref: 0060C75E
DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0060C851

Strings

@GUI_DRAGFILE, xrefs: 0060C800
@GUI_DROPID, xrefs: 0060C77E
pbd, xrefs: 0060C79B
@GUI_DRAGID, xrefs: 0060C7C9

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$pbd
API String ID: 169749273-3556046680
Opcode ID: 16a9def5494045d2d578f335416bd21588a7f582b99fafe8575682e8ef8a3c95
Instruction ID: 20a189ea2a8e5a16c0d195db2a500f88c99ff779ec0894e15a989a07848dca82
Opcode Fuzzy Hash: 16a9def5494045d2d578f335416bd21588a7f582b99fafe8575682e8ef8a3c95
Instruction Fuzzy Hash: 15616C71148301AFC715EF64CC89DABBFEAFF89310F400A2DF595921A1DB719909CB52

Function 005DABD4 Relevance: 26.4, APIs: 3, Strings: 12, Instructions: 105COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 005DAC33

Strings

[LAST, xrefs: 005DACE0
[HANDLE:, xrefs: 005DAC3F
ALL, xrefs: 005DACC7
[ALL, xrefs: 005DACD9
[REGEXPTITLE:, xrefs: 005DAC5B
[ACTIVE, xrefs: 005DAC20
HANDLE=, xrefs: 005DAC2C
[CLASS:, xrefs: 005DAC83
LAST, xrefs: 005DABF8
ACTIVE, xrefs: 005DAC0E
CLASSNAME=, xrefs: 005DAC70
REGEXP=, xrefs: 005DAC48

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: __wcsnicmp
String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
API String ID: 1038674560-1810252412
Opcode ID: 7e81881029dc3f482d0c1b1d2eaeedc6a4b429416c99e6f793681f99ded9f05d
Instruction ID: 53c8c8ede42e6759d97a263fbc8ac1899ec00245e205410654c2ae3131ca417e
Opcode Fuzzy Hash: 7e81881029dc3f482d0c1b1d2eaeedc6a4b429416c99e6f793681f99ded9f05d
Instruction Fuzzy Hash: 0D318471A4820AA7DB24FA54DD07EAF7F65BF50721F600416F841711E2FF51AF04D692

Function 005F4FFD Relevance: 25.6, APIs: 17, Instructions: 110COMMON

Download Yara Rule

APIs

LoadCursorW.USER32(00000000,00007F8A), ref: 005F5013
LoadCursorW.USER32(00000000,00007F00), ref: 005F501E
LoadCursorW.USER32(00000000,00007F03), ref: 005F5029
LoadCursorW.USER32(00000000,00007F8B), ref: 005F5034
LoadCursorW.USER32(00000000,00007F01), ref: 005F503F
LoadCursorW.USER32(00000000,00007F81), ref: 005F504A
LoadCursorW.USER32(00000000,00007F88), ref: 005F5055
LoadCursorW.USER32(00000000,00007F80), ref: 005F5060
LoadCursorW.USER32(00000000,00007F86), ref: 005F506B
LoadCursorW.USER32(00000000,00007F83), ref: 005F5076
LoadCursorW.USER32(00000000,00007F85), ref: 005F5081
LoadCursorW.USER32(00000000,00007F82), ref: 005F508C
LoadCursorW.USER32(00000000,00007F84), ref: 005F5097
LoadCursorW.USER32(00000000,00007F04), ref: 005F50A2
LoadCursorW.USER32(00000000,00007F02), ref: 005F50AD
LoadCursorW.USER32(00000000,00007F89), ref: 005F50B8
GetCursorInfo.USER32(?), ref: 005F50C8

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Cursor$Load$Info
String ID:
API String ID: 2577412497-0
Opcode ID: 8aa718e4dbd698c1503a42bf3d6f3d96d9c4fce1866732b9affac0f4ef1f5c0d
Instruction ID: c4b35bc9a00facaeca855be040a6a59b44a523838981a344c973833c29462897
Opcode Fuzzy Hash: 8aa718e4dbd698c1503a42bf3d6f3d96d9c4fce1866732b9affac0f4ef1f5c0d
Instruction Fuzzy Hash: A031E3B1D4831E6ADB109FB68C8996FBFECFB04750F50452AA64DE7280EA786500CF91

Function 0060A1B9 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 205windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0060A259
DestroyWindow.USER32(?,?), ref: 0060A2D3

Part of subcall function 00587BCC: _memmove.LIBCMT ref: 00587C06

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0060A34D
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0060A36F
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0060A382
DestroyWindow.USER32(00000000), ref: 0060A3A4
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00580000,00000000), ref: 0060A3DB
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0060A3F4
GetDesktopWindow.USER32 ref: 0060A40D
GetWindowRect.USER32(00000000), ref: 0060A414
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0060A42C
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0060A444

Part of subcall function 005825DB: GetWindowLongW.USER32(?,000000EB), ref: 005825EC

Strings

tooltips_class32, xrefs: 0060A346, 0060A3D4
0, xrefs: 0060A26F

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
String ID: 0$tooltips_class32
API String ID: 1297703922-3619404913
Opcode ID: 99736ad78df45b28ff19b143f4e633958d0d5b678b8a1ef2e54de6ac92ab77f6
Instruction ID: c4a8ec8b7e47e854f054f2d565f7d324cd3242d6c4daff60ed7e565724f5d80e
Opcode Fuzzy Hash: 99736ad78df45b28ff19b143f4e633958d0d5b678b8a1ef2e54de6ac92ab77f6
Instruction Fuzzy Hash: 1C717874180305AFD729DF68C849FAB7BE6FB89340F04452DF985972A1DBB1E902CB52

Function 00604392 Relevance: 23.0, APIs: 2, Strings: 11, Instructions: 251windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 00604424
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0060446F

Strings

COLLAPSE, xrefs: 006044B5
GETTOTALCOUNT, xrefs: 00604456
GETTEXT, xrefs: 006045C2
GETITEMCOUNT, xrefs: 00604551
EXPAND, xrefs: 00604521
ISCHECKED, xrefs: 006045F2
GETSELECTED, xrefs: 0060457F
CHECK, xrefs: 0060448F
UNCHECK, xrefs: 0060464B
EXISTS, xrefs: 006044D8
SELECT, xrefs: 00604620

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: BuffCharMessageSendUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 3974292440-4258414348
Opcode ID: 143164d7a365301d617be55162527f1059e1708f95ff326dd939f5018d8e83df
Instruction ID: 2b60e9e3771f3c35a7a3c963dc9fd4c3d44c0d624f2f766d51b85d72d46e4b9f
Opcode Fuzzy Hash: 143164d7a365301d617be55162527f1059e1708f95ff326dd939f5018d8e83df
Instruction Fuzzy Hash: 09916E702143129FCB18EF10C455A6EBBE2BF95354F044859F8966B3E2DB31ED0ACB91

Function 0060B7FE Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 197windowlibraryCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0060B8B4
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,006091C2), ref: 0060B910
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0060B949
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0060B98C
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0060B9C3
FreeLibrary.KERNEL32(?), ref: 0060B9CF
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0060B9DF
DestroyIcon.USER32(?,?,?,?,?,006091C2), ref: 0060B9EE
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0060BA0B
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0060BA17

Part of subcall function 005A2EFD: __wcsicmp_l.LIBCMT ref: 005A2F86

Strings

.icl, xrefs: 0060B82A
.dll, xrefs: 0060B86D
.exe, xrefs: 0060B84A

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
String ID: .dll$.exe$.icl
API String ID: 1212759294-1154884017
Opcode ID: 9405f27f9d874ff3e34583d91d63d3aae8b7b5d045e464d56f368fffe77fa914
Instruction ID: 8cb2ba743d52df322ff7ce6ed8351030182924ca573845ecc812fe6d23e23e23
Opcode Fuzzy Hash: 9405f27f9d874ff3e34583d91d63d3aae8b7b5d045e464d56f368fffe77fa914
Instruction Fuzzy Hash: 5161DC7198020ABAEB28DF64DC46FBF7BADFB09710F108515F915D62D0DB74A980DBA0

Function 005EDC1A Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 185timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 005EDCDC
SystemTimeToFileTime.KERNEL32(?,?), ref: 005EDCEC
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 005EDCF8
__wsplitpath.LIBCMT ref: 005EDD56
_wcscat.LIBCMT ref: 005EDD6E
_wcscat.LIBCMT ref: 005EDD80
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005EDD95
SetCurrentDirectoryW.KERNEL32(?), ref: 005EDDA9
SetCurrentDirectoryW.KERNEL32(?), ref: 005EDDDB
SetCurrentDirectoryW.KERNEL32(?), ref: 005EDDFC
_wcscpy.LIBCMT ref: 005EDE08
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 005EDE47

Strings

*.*, xrefs: 005EDE02

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
String ID: *.*
API String ID: 3566783562-438819550
Opcode ID: f35ded63e2239d3283d53a530fe2f4c849fc2184a473b9101724da1e3fe1b34c
Instruction ID: 4914286685704ed2c3c120a0960e0684c91bb05f8b9cda43692e518d01b10b1e
Opcode Fuzzy Hash: f35ded63e2239d3283d53a530fe2f4c849fc2184a473b9101724da1e3fe1b34c
Instruction Fuzzy Hash: 23616B725042469FCB14EF61C8489AFBBF8FF89314F04491DF98997251DB31EA45CBA2

Function 005E9C38 Relevance: 22.9, APIs: 7, Strings: 6, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000016), ref: 005E9C7F

Part of subcall function 00587DE1: _memmove.LIBCMT ref: 00587E22

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 005E9CA0
__swprintf.LIBCMT ref: 005E9CF9
__swprintf.LIBCMT ref: 005E9D12
_wprintf.LIBCMT ref: 005E9DB9
_wprintf.LIBCMT ref: 005E9DD7

Strings

"%s" (%d) : ==> %s:, xrefs: 005E9DD2
^ ERROR , xrefs: 005E9D4E
Incorrect parameters to object property !, xrefs: 005E9D5B
Error: , xrefs: 005E9D81
Line %d (File "%s"):, xrefs: 005E9CF3, 005E9D0C
"%s" (%d) : ==> %s:%s%s, xrefs: 005E9DB4

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: LoadString__swprintf_wprintf$_memmove
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 311963372-3080491070
Opcode ID: 61fb76b5ba750745cb0df10512a534fb48471ceb9c0b55bc38a4081f34cf6a5d
Instruction ID: fd4b1e5c49c1fc5b40b990fdd724600acc95574ffc98fd641f6e121532982450
Opcode Fuzzy Hash: 61fb76b5ba750745cb0df10512a534fb48471ceb9c0b55bc38a4081f34cf6a5d
Instruction Fuzzy Hash: 46516F7190061AAACB14FBA0CD4ADEEBF79BF58300F600165F90572062EB316F58CB61

Function 005EA352 Relevance: 22.9, APIs: 5, Strings: 8, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00589837: __itow.LIBCMT ref: 00589862
Part of subcall function 00589837: __swprintf.LIBCMT ref: 005898AC

CharLowerBuffW.USER32(?,?), ref: 005EA3CB
GetDriveTypeW.KERNEL32 ref: 005EA418
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005EA460
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005EA497
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005EA4C5

Part of subcall function 00587BCC: _memmove.LIBCMT ref: 00587C06

Strings

set cd door , xrefs: 005EA466
type cdaudio alias cd wait, xrefs: 005EA443
open , xrefs: 005EA427
closed, xrefs: 005EA3DF, 005EA3E8
open, xrefs: 005EA3F2
close cd wait, xrefs: 005EA4B0
wait, xrefs: 005EA482
close, xrefs: 005EA3D1

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
API String ID: 2698844021-4113822522
Opcode ID: 58d9030230843fb148be2f9c32892f7f6c9fcaf565396115a520df9543216193
Instruction ID: ef5a3fad03e0b43b9d9d68727fc8a3beb7f4251332d7ca278ad4b6b543015f0d
Opcode Fuzzy Hash: 58d9030230843fb148be2f9c32892f7f6c9fcaf565396115a520df9543216193
Instruction Fuzzy Hash: 9E5171711143069FC704EF21C88596EBBE5FF88718F14886DF896672A1DB31EE09CB82

Function 005DF8AA Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 138windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,00000000,?,005BE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000), ref: 005DF8DF
LoadStringW.USER32(00000000,?,005BE029,00000001), ref: 005DF8E8

Part of subcall function 00587DE1: _memmove.LIBCMT ref: 00587E22

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,?,?,005BE029,00000001,0000138C,00000001,00000000,00000001,?,00000000,00000000,00000001), ref: 005DF90A
LoadStringW.USER32(00000000,?,005BE029,00000001), ref: 005DF90D
__swprintf.LIBCMT ref: 005DF95D
__swprintf.LIBCMT ref: 005DF96E
_wprintf.LIBCMT ref: 005DFA17
MessageBoxW.USER32(00000000,?,?,00011010), ref: 005DFA2E

Strings

Line %d:, xrefs: 005DF968
%s (%d) : ==> %s: %s %s, xrefs: 005DFA12
Error: , xrefs: 005DF9E5
^ ERROR, xrefs: 005DF9C3
Line %d (File "%s"):, xrefs: 005DF957

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 984253442-2268648507
Opcode ID: 207d4d0bcb8e4fdb051ff5f846476afe2a4dc5128341bd6eaa2d96af54577e3f
Instruction ID: c3611547b92ce586ad46264e097e03c57b5c97379ce6800a895f65e1875f3c09
Opcode Fuzzy Hash: 207d4d0bcb8e4fdb051ff5f846476afe2a4dc5128341bd6eaa2d96af54577e3f
Instruction Fuzzy Hash: C441527290010EAACB14FBE4DD5ADEEBB79BF98300F200065F90576191EA319F49CB61

Function 0060BA33 Relevance: 22.6, APIs: 15, Instructions: 130filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00609207,?,?), ref: 0060BA56
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00609207,?,?,00000000,?), ref: 0060BA6D
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00609207,?,?,00000000,?), ref: 0060BA78
CloseHandle.KERNEL32(00000000,?,?,?,?,00609207,?,?,00000000,?), ref: 0060BA85
GlobalLock.KERNEL32(00000000), ref: 0060BA8E
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00609207,?,?,00000000,?), ref: 0060BA9D
GlobalUnlock.KERNEL32(00000000), ref: 0060BAA6
CloseHandle.KERNEL32(00000000,?,?,?,?,00609207,?,?,00000000,?), ref: 0060BAAD
CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00609207,?,?,00000000,?), ref: 0060BABE
OleLoadPicture.OLEAUT32(?,00000000,00000000,00612CAC,?), ref: 0060BAD7
GlobalFree.KERNEL32(00000000), ref: 0060BAE7
GetObjectW.GDI32(00000000,00000018,?), ref: 0060BB0B
CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 0060BB36
DeleteObject.GDI32(00000000), ref: 0060BB5E
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0060BB74

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: 1904a201d8b80789c0d0c02e616945a63647e36a143dba78b932440ab466d993
Instruction ID: 60d8a034653fed082906d06fd8e8bc65f48545bd246989e0abbb27752fbc1e0c
Opcode Fuzzy Hash: 1904a201d8b80789c0d0c02e616945a63647e36a143dba78b932440ab466d993
Instruction Fuzzy Hash: 10411B75680204EFDB25DFA5DC48EAB7BBAFB89711F109068F905D72A0DB709E41CB60

Function 005ED899 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 230COMMON

Download Yara Rule

APIs

__wsplitpath.LIBCMT ref: 005EDA10
_wcscat.LIBCMT ref: 005EDA28
_wcscat.LIBCMT ref: 005EDA3A
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 005EDA4F
SetCurrentDirectoryW.KERNEL32(?), ref: 005EDA63
GetFileAttributesW.KERNEL32(?), ref: 005EDA7B
SetFileAttributesW.KERNEL32(?,00000000), ref: 005EDA95
SetCurrentDirectoryW.KERNEL32(?), ref: 005EDAA7

Strings

*.*, xrefs: 005EDAE6

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
String ID: *.*
API String ID: 34673085-438819550
Opcode ID: 589a0e8228c081aa25e8d449cc103c0aa45746a0a2f98ca7d08d27cf62d8cae2
Instruction ID: 18c84372df767d6e7125b1e85553ba4b06dccfc4998c563a358316b54c3bdc0a
Opcode Fuzzy Hash: 589a0e8228c081aa25e8d449cc103c0aa45746a0a2f98ca7d08d27cf62d8cae2
Instruction Fuzzy Hash: 2B8193715043859FCB68EF65C84496ABBF8BF89314F184C2EF8C9DB252E630D945CB62

Function 0060C1AC Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 229windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00582612: GetWindowLongW.USER32(?,000000EB), ref: 00582623

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0060C1FC
GetFocus.USER32 ref: 0060C20C
GetDlgCtrlID.USER32(00000000), ref: 0060C217
_memset.LIBCMT ref: 0060C342
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0060C36D
GetMenuItemCount.USER32(?), ref: 0060C38D
GetMenuItemID.USER32(?,00000000), ref: 0060C3A0
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0060C3D4
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0060C41C
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0060C454
DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0060C489

Strings

0, xrefs: 0060C33A

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
String ID: 0
API String ID: 1296962147-4108050209
Opcode ID: c579c84e2a798efb9b320968f050f1a573d88d1de124f7d71635692e8c3bdc59
Instruction ID: e32cd06589159b799f447323b4a360d92a961dd7f8d5f128246cb4816dee8935
Opcode Fuzzy Hash: c579c84e2a798efb9b320968f050f1a573d88d1de124f7d71635692e8c3bdc59
Instruction Fuzzy Hash: 8C8190702883119FD728DF54C894AABBBEAFB88724F004A2DF995973D1D770D905CB92

Function 005F731A Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005F738F
CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 005F739B
CreateCompatibleDC.GDI32(?), ref: 005F73A7
SelectObject.GDI32(00000000,?), ref: 005F73B4
StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 005F7408
GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 005F7444
GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 005F7468
SelectObject.GDI32(00000006,?), ref: 005F7470
DeleteObject.GDI32(?), ref: 005F7479
DeleteDC.GDI32(00000006), ref: 005F7480
ReleaseDC.USER32(00000000,?), ref: 005F748B

Strings

(, xrefs: 005F7410

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: bc89b6b688a9987c3fdea40d1d515574149aeb8e0cc4f1c870b571c55f478af0
Instruction ID: 41200a3dc3d6fc2a2d50e80e7a8fd7c6d1ecef8b82d37cbc78b90d3659c38c43
Opcode Fuzzy Hash: bc89b6b688a9987c3fdea40d1d515574149aeb8e0cc4f1c870b571c55f478af0
Instruction Fuzzy Hash: D8514B71944209EFDB24CFA8CC84EAFBBB9FF48310F14842DFA5A97251D775A9408B50

Function 00586A8C Relevance: 19.7, APIs: 4, Strings: 7, Instructions: 478COMMON

Download Yara Rule

APIs

Part of subcall function 005A0957: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00586B0C,?,00008000), ref: 005A0973

Part of subcall function 00584750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00584743,?,?,005837AE,?), ref: 00584770

SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00586BAD
SetCurrentDirectoryW.KERNEL32(?), ref: 00586CFA

Part of subcall function 0058586D: _wcscpy.LIBCMT ref: 005858A5

Part of subcall function 005A363D: _iswctype.LIBCMT ref: 005A3645

Strings

Bad directive syntax error, xrefs: 005BE79D
AU3!, xrefs: 00586B61
>>>AUTOIT SCRIPT<<<, xrefs: 005BE496
EA06, xrefs: 005BE452
#include depth exceeded. Make sure there are no recursive includes, xrefs: 005BE421
Unterminated string, xrefs: 005BE7E4
Error opening the file, xrefs: 005BE43D, 005BE4B8

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
API String ID: 537147316-1018226102
Opcode ID: 23922ea5e1f63c9f56952482201e5cfbf633660822ca79ca2f20f73e709000f2
Instruction ID: c7b329af0807fc43b8174ad6874e296d58ec95a0813fca4cf77b1350272f695a
Opcode Fuzzy Hash: 23922ea5e1f63c9f56952482201e5cfbf633660822ca79ca2f20f73e709000f2
Instruction Fuzzy Hash: 450249711083429FC724EF24C8869AEBFE5BFD9314F14491DF886A72A1DB30E949CB52

Function 005E2D36 Relevance: 19.7, APIs: 13, Instructions: 214windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005E2D50
GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 005E2DDD
GetMenuItemCount.USER32(00645890), ref: 005E2E66
DeleteMenu.USER32(00645890,00000005,00000000,000000F5,?,?), ref: 005E2EF6
DeleteMenu.USER32(00645890,00000004,00000000), ref: 005E2EFE
DeleteMenu.USER32(00645890,00000006,00000000), ref: 005E2F06
DeleteMenu.USER32(00645890,00000003,00000000), ref: 005E2F0E
GetMenuItemCount.USER32(00645890), ref: 005E2F16
SetMenuItemInfoW.USER32(00645890,00000004,00000000,00000030), ref: 005E2F4C
GetCursorPos.USER32(?), ref: 005E2F56
SetForegroundWindow.USER32(00000000), ref: 005E2F5F
TrackPopupMenuEx.USER32(00645890,00000000,?,00000000,00000000,00000000), ref: 005E2F72
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 005E2F7E

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
String ID:
API String ID: 3993528054-0
Opcode ID: 9464a13804015b785781a4e76e01f732de5382a4b3484758a685e5f64ee98ebd
Instruction ID: ed1f5c76c42392bc0cf9a20f5a0bc2b938b038637d6b8a4f509f32044f0f3a8a
Opcode Fuzzy Hash: 9464a13804015b785781a4e76e01f732de5382a4b3484758a685e5f64ee98ebd
Instruction Fuzzy Hash: 6D711470640296BFEB298F56DC89FAABF6DFF04324F100216F665AA1E5C7B15C10CB91

Function 005F88AB Relevance: 19.6, APIs: 10, Strings: 1, Instructions: 324fileCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005F88D7
CoInitialize.OLE32(00000000), ref: 005F8904
CoUninitialize.OLE32 ref: 005F890E
GetRunningObjectTable.OLE32(00000000,?), ref: 005F8A0E
SetErrorMode.KERNEL32(00000001,00000029), ref: 005F8B3B
CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00612C0C), ref: 005F8B6F
CoGetObject.OLE32(?,00000000,00612C0C,?), ref: 005F8B92
SetErrorMode.KERNEL32(00000000), ref: 005F8BA5
SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 005F8C25
VariantClear.OLEAUT32(?), ref: 005F8C35

Strings

,,a, xrefs: 005F88C1

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
String ID: ,,a
API String ID: 2395222682-3448921334
Opcode ID: 68f5500d9814958d40dc156443703bba6a4b4a1a51148b73aca2ae5b56bf1478
Instruction ID: 0b8de62594a0e99e558e68c934deb301a3c43702bc0e62d92de5b1eab67411d6
Opcode Fuzzy Hash: 68f5500d9814958d40dc156443703bba6a4b4a1a51148b73aca2ae5b56bf1478
Instruction Fuzzy Hash: A0C103B160830A9FC700EF64C88496BBBE9FF89348F04495DFA899B251DB75ED05CB52

Function 005D77DC Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 128registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00587BCC: _memmove.LIBCMT ref: 00587C06

_memset.LIBCMT ref: 005D786B
WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005D78A0
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005D78BC
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005D78D8
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 005D7902
CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 005D792A
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005D7935
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005D793A

Strings

SOFTWARE\Classes\, xrefs: 005D780C
\IPC$, xrefs: 005D7882
\CLSID, xrefs: 005D7822

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 1411258926-22481851
Opcode ID: a4bb9c925557c0ed4ff99d11206a8e5dbc0bc3902cfe615f23a379b8a600d085
Instruction ID: 236d4bc794e3c101d37fd4219df9f850db0b7fdfe7240f64a58e918896879c07
Opcode Fuzzy Hash: a4bb9c925557c0ed4ff99d11206a8e5dbc0bc3902cfe615f23a379b8a600d085
Instruction Fuzzy Hash: BE410972C1462DAACB21EBA4DC59DEEBB79FF48710F44402AF905B3261EB309D05CB90

Function 00600E1A Relevance: 19.4, APIs: 1, Strings: 10, Instructions: 120COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,005FFDAD,?,?), ref: 00600E31

Strings

HKCR, xrefs: 00600ED9
HKEY_CLASSES_ROOT, xrefs: 00600EC4
HKCC, xrefs: 00600EFF
HKEY_LOCAL_MACHINE, xrefs: 00600E9A
HKCU, xrefs: 00600F21
HKU, xrefs: 00600F43
HKEY_USERS, xrefs: 00600F32
HKEY_CURRENT_USER, xrefs: 00600F10
HKEY_CURRENT_CONFIG, xrefs: 00600EEE
HKLM, xrefs: 00600EAF

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 3964851224-909552448
Opcode ID: 032935ff3fbc5a855453cb5f2b9402397a7d862ddf659af2c48972045041d55f
Instruction ID: 3ecedc0636fc7db08bf3cf21a79dff844cb638a8ec17ef93a9be493305cdaa45
Opcode Fuzzy Hash: 032935ff3fbc5a855453cb5f2b9402397a7d862ddf659af2c48972045041d55f
Instruction Fuzzy Hash: 0E41793115025B8BEF14EF10D859AEF3BA2BF52354F184424FC552B2D2DBB0991ADBA0

Function 005DF7A1 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,005BE2A0,00000010,?,Bad directive syntax error,0060F910,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 005DF7C2
LoadStringW.USER32(00000000,?,005BE2A0,00000010), ref: 005DF7C9

Part of subcall function 00587DE1: _memmove.LIBCMT ref: 00587E22

_wprintf.LIBCMT ref: 005DF7FC
__swprintf.LIBCMT ref: 005DF81E
MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 005DF88D

Strings

., xrefs: 005DF873
Line %d:, xrefs: 005DF818
%s (%d) : ==> %s.: %s %s, xrefs: 005DF7F7
Error: , xrefs: 005DF85B
Line %d (File "%s"):, xrefs: 005DF833

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: HandleLoadMessageModuleString__swprintf_memmove_wprintf
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 1506413516-4153970271
Opcode ID: b5030114d7eb75105ee8bfc2c9cf2ce9ae238bf38b383c53a7955625a77d8902
Instruction ID: 3579ada7fec901075ee2e8272888f8ba13523fee83852839a9e2307dc61b6eca
Opcode Fuzzy Hash: b5030114d7eb75105ee8bfc2c9cf2ce9ae238bf38b383c53a7955625a77d8902
Instruction Fuzzy Hash: 8521713295021EEFCF11EF90CC0AEEE7B39BF18304F040866F905761A1EA719A58DB51

Function 005E52C7 Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 74COMMON

Download Yara Rule

APIs

Part of subcall function 00587BCC: _memmove.LIBCMT ref: 00587C06

Part of subcall function 00587924: _memmove.LIBCMT ref: 005879AD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 005E5330
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 005E5346
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 005E5357
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 005E5369
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 005E537A

Strings

status PlayMe mode, xrefs: 005E532B
open , xrefs: 005E52DF
play PlayMe, xrefs: 005E5375
play PlayMe wait, xrefs: 005E5364
close PlayMe, xrefs: 005E5341, 005E536E
alias PlayMe, xrefs: 005E5309

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: SendString$_memmove
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2279737902-1007645807
Opcode ID: f77de0652aab87439a97585bdba852b90076d71b8b57ce753054e8e7c5a00460
Instruction ID: 5d533a19fbd6814a4a2690a65c58dcac5babc93ebada9fdab50d87af54337a32
Opcode Fuzzy Hash: f77de0652aab87439a97585bdba852b90076d71b8b57ce753054e8e7c5a00460
Instruction Fuzzy Hash: E1116361A5065E7DD724BA72CC4ADFFAE7DFBD9B44F100819B811A30D1EEA05D04C6A0

Function 005E46B7 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73networkCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005E46D2
gethostname.WSOCK32(?,00000100), ref: 005E46EC
gethostbyname.WSOCK32(?), ref: 005E46F9
_wcscpy.LIBCMT ref: 005E4721
_memmove.LIBCMT ref: 005E4734
inet_ntoa.WSOCK32(?), ref: 005E473F
_strcat.LIBCMT ref: 005E474D
_wcscpy.LIBCMT ref: 005E4764
WSACleanup.WSOCK32 ref: 005E4772
_wcscpy.LIBCMT ref: 005E4780

Strings

0.0.0.0, xrefs: 005E471B

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
String ID: 0.0.0.0
API String ID: 208665112-3771769585
Opcode ID: ba05978c15222682a462ad390d2b132bde76202bbec68c5c2f91bc879819fb9f
Instruction ID: 15ad578ab7303fb47cb7a92726b040fa115eddb2ce6279426b7c81a1f5dfc66d
Opcode Fuzzy Hash: ba05978c15222682a462ad390d2b132bde76202bbec68c5c2f91bc879819fb9f
Instruction Fuzzy Hash: 241105325001156FCB28AB359C4AEEF7BBCFB42311F0041B6F58592091FF718A828A91

Function 005E4F75 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 005E4F7A

Part of subcall function 005A049F: timeGetTime.WINMM(?,7694B400,00590E7B), ref: 005A04A3

Sleep.KERNEL32(0000000A), ref: 005E4FA6
EnumThreadWindows.USER32(?,Function_00064F28,00000000), ref: 005E4FCA
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 005E4FEC
SetActiveWindow.USER32 ref: 005E500B
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 005E5019
SendMessageW.USER32(00000010,00000000,00000000), ref: 005E5038
Sleep.KERNEL32(000000FA), ref: 005E5043
IsWindow.USER32 ref: 005E504F
EndDialog.USER32(00000000), ref: 005E5060

Strings

BUTTON, xrefs: 005E4FDE

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 97b9f01f53e0684fcd85daa9b169e51e98a4d122729fad13595631ecd1ab4341
Instruction ID: 7eb82dc0ae99899198c7b5f4c337e32dee1aa6663fef5d12629406025c5f7a4f
Opcode Fuzzy Hash: 97b9f01f53e0684fcd85daa9b169e51e98a4d122729fad13595631ecd1ab4341
Instruction Fuzzy Hash: 8A21A178640745AFE7295F72EC8CA673F6BFB47749F043024F142826B1DBB18E508A62

Function 005ED58D Relevance: 18.3, APIs: 12, Instructions: 283comCOMMON

Download Yara Rule

APIs

Part of subcall function 00589837: __itow.LIBCMT ref: 00589862
Part of subcall function 00589837: __swprintf.LIBCMT ref: 005898AC

CoInitialize.OLE32(00000000), ref: 005ED5EA
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 005ED67D
SHGetDesktopFolder.SHELL32(?), ref: 005ED691
CoCreateInstance.OLE32(00612D7C,00000000,00000001,00638C1C,?), ref: 005ED6DD
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 005ED74C
CoTaskMemFree.OLE32(?,?), ref: 005ED7A4
_memset.LIBCMT ref: 005ED7E1
SHBrowseForFolderW.SHELL32(?), ref: 005ED81D
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 005ED840
CoTaskMemFree.OLE32(00000000), ref: 005ED847
CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 005ED87E
CoUninitialize.OLE32(00000001,00000000), ref: 005ED880

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
String ID:
API String ID: 1246142700-0
Opcode ID: 0c7fe6647c7361337d0b3c116a219a0b01f8474f84ffae95ad5eef811c5a48bf
Instruction ID: 92bac911dfe8ff66e6e8407f35d0ca58f5a63b19e3f63ccb7e4afd4bf0ac45cd
Opcode Fuzzy Hash: 0c7fe6647c7361337d0b3c116a219a0b01f8474f84ffae95ad5eef811c5a48bf
Instruction Fuzzy Hash: 48B1D975A00109AFDB14DFA5C888DAEBBF9FF89314B148469F909EB261DB30ED45CB50

Function 005DC267 Relevance: 18.2, APIs: 12, Instructions: 174COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000001), ref: 005DC283
GetWindowRect.USER32(00000000,?), ref: 005DC295
MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 005DC2F3
GetDlgItem.USER32(?,00000002), ref: 005DC2FE
GetWindowRect.USER32(00000000,?), ref: 005DC310
MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 005DC364
GetDlgItem.USER32(?,000003E9), ref: 005DC372
GetWindowRect.USER32(00000000,?), ref: 005DC383
MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 005DC3C6
GetDlgItem.USER32(?,000003EA), ref: 005DC3D4
MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 005DC3F1
InvalidateRect.USER32(?,00000000,00000001), ref: 005DC3FE

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Window$ItemMoveRect$Invalidate
String ID:
API String ID: 3096461208-0
Opcode ID: 89c7dfe64761593304df03580c8e1dea679aea850a33e9f9b3d2c6d3161b888b
Instruction ID: df048d140d5f4f802166fd8fc2f827b8c212bc7a865ecafdb664757ccec76bcf
Opcode Fuzzy Hash: 89c7dfe64761593304df03580c8e1dea679aea850a33e9f9b3d2c6d3161b888b
Instruction Fuzzy Hash: 21513071B40205ABDB18CFADDD89AAEBBBAFB88711F14852EF515D7290DB719D00CB10

Function 0058201B Relevance: 18.2, APIs: 12, Instructions: 170timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00581B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00582036,?,00000000,?,?,?,?,005816CB,00000000,?), ref: 00581B9A

DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 005820D3
KillTimer.USER32(-00000001,?,?,?,?,005816CB,00000000,?,?,00581AE2,?,?), ref: 0058216E
DestroyAcceleratorTable.USER32(00000000), ref: 005BBCA6
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005816CB,00000000,?,?,00581AE2,?,?), ref: 005BBCD7
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005816CB,00000000,?,?,00581AE2,?,?), ref: 005BBCEE
ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005816CB,00000000,?,?,00581AE2,?,?), ref: 005BBD0A
DeleteObject.GDI32(00000000), ref: 005BBD1C

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 641708696-0
Opcode ID: 98a7c2aa038a3d27ed243dc545311679db0ad8466c53b49d8fa6336ce200c3bd
Instruction ID: ce5b227d2a2c080bb19dcf9b46406699839e2407bb18147097b717a828b6d16a
Opcode Fuzzy Hash: 98a7c2aa038a3d27ed243dc545311679db0ad8466c53b49d8fa6336ce200c3bd
Instruction Fuzzy Hash: 46619C34101A11DFDB35AF14D94CB2ABFF2FB41312F209929E843AA971C7B5B881DB91

Function 005821A5 Relevance: 18.1, APIs: 12, Instructions: 132COMMON

Download Yara Rule

APIs

Part of subcall function 005825DB: GetWindowLongW.USER32(?,000000EB), ref: 005825EC

GetSysColor.USER32(0000000F), ref: 005821D3

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 5276795f9a45d024dce939c704d25aa351f4c1fbdd0580746245d377f3aa3433
Instruction ID: 1001767ec5585771e9d4cd4d7e848464cfcf8f670ce574d362f7cdcb85519e0d
Opcode Fuzzy Hash: 5276795f9a45d024dce939c704d25aa351f4c1fbdd0580746245d377f3aa3433
Instruction Fuzzy Hash: 18418035140540EFDB25AF28DC88BB93F66FB06331F1442A5FE669A1E2C7B18C42DB61

Function 005EA8A7 Relevance: 17.7, APIs: 3, Strings: 7, Instructions: 183COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,0060F910), ref: 005EA90B
GetDriveTypeW.KERNEL32(00000061,006389A0,00000061), ref: 005EA9D5
_wcscpy.LIBCMT ref: 005EA9FF

Strings

removable, xrefs: 005EA93D
fixed, xrefs: 005EA953
cdrom, xrefs: 005EA927
all, xrefs: 005EA911
ramdisk, xrefs: 005EA97F
network, xrefs: 005EA969
unknown, xrefs: 005EA996

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: BuffCharDriveLowerType_wcscpy
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2820617543-1000479233
Opcode ID: 7f7388d0b04dcd824f5bc169959640954cea627c6164d0ad23003a07a8fc6472
Instruction ID: 613d3d9b6d738813475f7819e7e16164cf2ab0bfaddf7642f512a4dc08ad72fa
Opcode Fuzzy Hash: 7f7388d0b04dcd824f5bc169959640954cea627c6164d0ad23003a07a8fc6472
Instruction Fuzzy Hash: 27516E311183429FC314EF25C896AAFBFA5FFC5304F554829F89597292DB31A909CB93

Function 00589837 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 146COMMON

Download Yara Rule

APIs

__itow.LIBCMT ref: 00589862
__swprintf.LIBCMT ref: 005898AC
__i64tow.LIBCMT ref: 005BF5E6

Strings

%.15g, xrefs: 005898A6
True, xrefs: 005BF5A7
0x%p, xrefs: 005BF5C8
False, xrefs: 005BF5AE

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: __i64tow__itow__swprintf
String ID: %.15g$0x%p$False$True
API String ID: 421087845-2263619337
Opcode ID: c8e4d525326093299a51eee003c546de9c05d1e79e493ab73738f7b813264483
Instruction ID: 6393e72ed69f6554fa4c31bb1a258331eba126c9baa9e08f756b3d8c020bb660
Opcode Fuzzy Hash: c8e4d525326093299a51eee003c546de9c05d1e79e493ab73738f7b813264483
Instruction Fuzzy Hash: 8E41CA71500206AFDB24EF74DC46EBA7FE9FF46304F24486EF949E7291EA31A9418B10

Function 00607152 Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0060716A
CreateMenu.USER32 ref: 00607185
SetMenu.USER32(?,00000000), ref: 00607194
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00607221
IsMenu.USER32(?), ref: 00607237
CreatePopupMenu.USER32 ref: 00607241
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 0060726E
DrawMenuBar.USER32 ref: 00607276

Strings

F, xrefs: 00607262
0, xrefs: 00607160

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
String ID: 0$F
API String ID: 176399719-3044882817
Opcode ID: 33586b981b1aa340aa80b45106f4c1146575cb1356778759816fff88475c9c50
Instruction ID: d7598201d8b703918a7ac6cfe3e140702f08189692197ef068cdbe911a6c3011
Opcode Fuzzy Hash: 33586b981b1aa340aa80b45106f4c1146575cb1356778759816fff88475c9c50
Instruction Fuzzy Hash: 6C415978A41209EFDB24DF64D884EDA7BB6FF49310F144029F945A73A1D771AA10CF90

Function 006074BB Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 101windowCOMMON

Download Yara Rule

APIs

MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0060755E
CreateCompatibleDC.GDI32(00000000), ref: 00607565
SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00607578
SelectObject.GDI32(00000000,00000000), ref: 00607580
GetPixel.GDI32(00000000,00000000,00000000), ref: 0060758B
DeleteDC.GDI32(00000000), ref: 00607594
GetWindowLongW.USER32(?,000000EC), ref: 0060759E
SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 006075B2
DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 006075BE

Strings

static, xrefs: 006074F6

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
String ID: static
API String ID: 2559357485-2160076837
Opcode ID: 5a057a6a0dd823f67f2f0b629141a0103200ae3bf7a17925d5087ea35916d11e
Instruction ID: 6671b9caa81851325e956d196860811d5ce06ea5c0bedb1cdb2baa498a81f6e4
Opcode Fuzzy Hash: 5a057a6a0dd823f67f2f0b629141a0103200ae3bf7a17925d5087ea35916d11e
Instruction Fuzzy Hash: FE319C32584215BBDF269F64DC08FDB3B6AFF09321F115224FA15A21E0CB71E821DBA4

Function 005A6E03 Relevance: 16.8, APIs: 11, Instructions: 258COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005A6E3E

Part of subcall function 005A8B28: __getptd_noexit.LIBCMT ref: 005A8B28

__gmtime64_s.LIBCMT ref: 005A6ED7
__gmtime64_s.LIBCMT ref: 005A6F0D
__gmtime64_s.LIBCMT ref: 005A6F2A
__allrem.LIBCMT ref: 005A6F80
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005A6F9C
__allrem.LIBCMT ref: 005A6FB3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005A6FD1
__allrem.LIBCMT ref: 005A6FE8
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005A7006
__invoke_watson.LIBCMT ref: 005A7077

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
String ID:
API String ID: 384356119-0
Opcode ID: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction ID: 32bd48cc605b89445f46b9f39f90e2ce07cf3d387e15aebee43b3192caeb5fa9
Opcode Fuzzy Hash: 1572197e9c4cf49d3ac3c19b6e82465e4eefa01e3d88f7bbd38cf7a66862b9c5
Instruction Fuzzy Hash: 4971E876A00717ABD7149F78DC45BAFBFA8BF46720F144629F514E6281E770E9008BD0

Function 005E2527 Relevance: 16.7, APIs: 11, Instructions: 190windowsleepCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005E2542
GetMenuItemInfoW.USER32(00645890,000000FF,00000000,00000030), ref: 005E25A3
SetMenuItemInfoW.USER32(00645890,00000004,00000000,00000030), ref: 005E25D9
Sleep.KERNEL32(000001F4), ref: 005E25EB
GetMenuItemCount.USER32(?), ref: 005E262F
GetMenuItemID.USER32(?,00000000), ref: 005E264B
GetMenuItemID.USER32(?,-00000001), ref: 005E2675
GetMenuItemID.USER32(?,?), ref: 005E26BA
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 005E2700
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005E2714
SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005E2735

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountRadioSleep_memset
String ID:
API String ID: 4176008265-0
Opcode ID: 03348da42fcd9d605bdd697e17d837dc01463f20fa187177f7cfed573034d83a
Instruction ID: 97c99f2b957a959fc5dbdd69a0d70bb5c43ac901dfcdbac8c3b094cdb70d0f80
Opcode Fuzzy Hash: 03348da42fcd9d605bdd697e17d837dc01463f20fa187177f7cfed573034d83a
Instruction Fuzzy Hash: D6617D70900289AFDB29CF65CD889AF7FBDFB41304F140569E882A7255DB71AD05DB21

Function 00606F23 Relevance: 16.7, APIs: 11, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00606FA5
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00606FA8
GetWindowLongW.USER32(?,000000F0), ref: 00606FCC
_memset.LIBCMT ref: 00606FDD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00606FEF
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00607067

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend$LongWindow_memset
String ID:
API String ID: 830647256-0
Opcode ID: d0dfd3dd81102c91dbe5a9bcd94217e1ab1a150735c88280caec87f628d8d26b
Instruction ID: 60eb53b9b0cab9bbc809c8b3f376d6d1c6330f163617a834add43944bd8a8268
Opcode Fuzzy Hash: d0dfd3dd81102c91dbe5a9bcd94217e1ab1a150735c88280caec87f628d8d26b
Instruction Fuzzy Hash: 6A618A75940208AFDB11DFA4CC81EEE77BAEB09700F140199FA15AB3E2C771AD51DBA0

Function 005D6B98 Relevance: 16.6, APIs: 11, Instructions: 123memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 005D6BBF
SafeArrayAllocData.OLEAUT32(?), ref: 005D6C18
VariantInit.OLEAUT32(?), ref: 005D6C2A
SafeArrayAccessData.OLEAUT32(?,?), ref: 005D6C4A
VariantCopy.OLEAUT32(?,?), ref: 005D6C9D
SafeArrayUnaccessData.OLEAUT32(?), ref: 005D6CB1
VariantClear.OLEAUT32(?), ref: 005D6CC6
SafeArrayDestroyData.OLEAUT32(?), ref: 005D6CD3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005D6CDC
VariantClear.OLEAUT32(?), ref: 005D6CEE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005D6CF9

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: a945e0c1e871f64cb6fe36a499c4c19bf5dc5dc32dd1a2f76c81615dfea31cd0
Instruction ID: 01478d38306f6c1d9331e1f9103fdd43a5d7eb9d4a573e5219a90658ca2b8e44
Opcode Fuzzy Hash: a945e0c1e871f64cb6fe36a499c4c19bf5dc5dc32dd1a2f76c81615dfea31cd0
Instruction Fuzzy Hash: 58411175A0021A9FDB10DF68D8489AEBFB9FF48354F008066E955E7361DB31AD46CF90

Function 005F83BB Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 197comCOMMON

Download Yara Rule

APIs

Part of subcall function 00589837: __itow.LIBCMT ref: 00589862
Part of subcall function 00589837: __swprintf.LIBCMT ref: 005898AC

CoInitialize.OLE32 ref: 005F8403
CoUninitialize.OLE32 ref: 005F840E
CoCreateInstance.OLE32(?,00000000,00000017,00612BEC,?), ref: 005F846E
IIDFromString.OLE32(?,?), ref: 005F84E1
VariantInit.OLEAUT32(?), ref: 005F857B
VariantClear.OLEAUT32(?), ref: 005F85DC

Strings

Failed to create object, xrefs: 005F8479, 005F852F
Invalid parameter, xrefs: 005F84FA
NULL Pointer assignment, xrefs: 005F84B3

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 834269672-1287834457
Opcode ID: 94f066fe586d072e37da6ce7851dd1ed28172a07c1a0b57e0962193a38be16ad
Instruction ID: 0b2921d8ee0073d414f4476ad1d13643b2dae327336ad997c1d7eef0a5b2054d
Opcode Fuzzy Hash: 94f066fe586d072e37da6ce7851dd1ed28172a07c1a0b57e0962193a38be16ad
Instruction Fuzzy Hash: 04619E70608716AFC710DF54C848B7EBBE9BF89754F044819FA819B291DB74ED44CB92

Function 005F5732 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 163networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WSOCK32(00000101,?), ref: 005F5793
inet_addr.WSOCK32(?), ref: 005F57D8
gethostbyname.WSOCK32(?), ref: 005F57E4
IcmpCreateFile.IPHLPAPI ref: 005F57F2
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 005F5862
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 005F5878
IcmpCloseHandle.IPHLPAPI(00000000), ref: 005F58ED
WSACleanup.WSOCK32 ref: 005F58F3

Strings

Ping, xrefs: 005F5816

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 36221b8c5c6e9c05f62271a8d855096b7d4cdc996c6ba2273e567bbd7f7ea6af
Instruction ID: bc0831bf2d725e13efb320d81e5bf1cf4d45790227f9128ac54a99b735de2361
Opcode Fuzzy Hash: 36221b8c5c6e9c05f62271a8d855096b7d4cdc996c6ba2273e567bbd7f7ea6af
Instruction Fuzzy Hash: 51517D316047019FD720AF24DC49B6A7BE4FF49750F144969FA56EB2A1EB74E800DB42

Function 005EB4C3 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 98COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005EB4D0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 005EB546
GetLastError.KERNEL32 ref: 005EB550
SetErrorMode.KERNEL32(00000000,READY), ref: 005EB5BD

Strings

READY, xrefs: 005EB596
UNKNOWN, xrefs: 005EB575
READONLY, xrefs: 005EB588
INVALID, xrefs: 005EB58F
NOTREADY, xrefs: 005EB57C

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: e42818801d85ee360221e339152cba671f8bc7c0f78725e2ad90979fdd99b95c
Instruction ID: 15e2917eb6debc81f5b8d129611e13aa898a46cd8e74448007903222d61693c6
Opcode Fuzzy Hash: e42818801d85ee360221e339152cba671f8bc7c0f78725e2ad90979fdd99b95c
Instruction Fuzzy Hash: 7E31A335A0024ADFDB14EB69C889ABFBFB4FF49311F144066F941A7291EB709A41CB80

Function 005D8F8F Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 82windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00587DE1: _memmove.LIBCMT ref: 00587E22

Part of subcall function 005DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 005DAABC

SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 005D9014
GetDlgCtrlID.USER32 ref: 005D901F
GetParent.USER32 ref: 005D903B
SendMessageW.USER32(00000000,?,00000111,?), ref: 005D903E
GetDlgCtrlID.USER32(?), ref: 005D9047
GetParent.USER32(?), ref: 005D9063
SendMessageW.USER32(00000000,?,?,00000111), ref: 005D9066

Strings

ListBox, xrefs: 005D8FD1
ComboBox, xrefs: 005D8F9C

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 303f7e310124f7a60c168d8cbd9d1541dc1a836d6ea6067e3f42d374ddc121dd
Instruction ID: 549777adbb5ba5f8ef361394a31f9b243a10f8c2b0fba459dc8e8d24c5b2f8b8
Opcode Fuzzy Hash: 303f7e310124f7a60c168d8cbd9d1541dc1a836d6ea6067e3f42d374ddc121dd
Instruction Fuzzy Hash: 3D21C474A00109BBDF24ABA4CC89EFEBB75FF89310F104216F961972A1DB759815DB20

Function 005D907A Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 81windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00587DE1: _memmove.LIBCMT ref: 00587E22

Part of subcall function 005DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 005DAABC

SendMessageW.USER32(?,00000186,00000002,00000000), ref: 005D90FD
GetDlgCtrlID.USER32 ref: 005D9108
GetParent.USER32 ref: 005D9124
SendMessageW.USER32(00000000,?,00000111,?), ref: 005D9127
GetDlgCtrlID.USER32(?), ref: 005D9130
GetParent.USER32(?), ref: 005D914C
SendMessageW.USER32(00000000,?,?,00000111), ref: 005D914F

Strings

ListBox, xrefs: 005D90BC
ComboBox, xrefs: 005D9087

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend$CtrlParent$ClassName_memmove
String ID: ComboBox$ListBox
API String ID: 1536045017-1403004172
Opcode ID: 1f7ae6e2577243a8940b5d99237a952d320c6c4a7b7ad2652653ef8e12fdc844
Instruction ID: a261ef130212c68d952a552d746c2b93df44929de2548cf45e0224c4d3ca65f5
Opcode Fuzzy Hash: 1f7ae6e2577243a8940b5d99237a952d320c6c4a7b7ad2652653ef8e12fdc844
Instruction Fuzzy Hash: D921C174A40109BBDF20ABA4CC89EFEBB75FF49300F100117B951A72A1DB758819DB20

Function 005D9163 Relevance: 15.8, APIs: 4, Strings: 5, Instructions: 72windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 005D916F
GetClassNameW.USER32(00000000,?,00000100), ref: 005D9184
_wcscmp.LIBCMT ref: 005D9196
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 005D9211

Strings

smallicons, xrefs: 005D91D9
list, xrefs: 005D91F3
largeicons, xrefs: 005D91A5
SHELLDLL_DefView, xrefs: 005D9190
details, xrefs: 005D91BF

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ClassMessageNameParentSend_wcscmp
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1704125052-3381328864
Opcode ID: d3060e5f753e4b5d5f5779bcadf3af20b40043d015238835785f7e585e9ee8f0
Instruction ID: 70a708e8d31498355339a04469d397ddd06ca8c89de690b92025f14a81bb7b53
Opcode Fuzzy Hash: d3060e5f753e4b5d5f5779bcadf3af20b40043d015238835785f7e585e9ee8f0
Instruction Fuzzy Hash: A2110D7A28C30775FA31262CDC0BEBB3F9DBB16720F200517F904E55D1EE5198519594

Function 005E7990 Relevance: 15.3, APIs: 10, Instructions: 292COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000000,?), ref: 005E7A6C

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ArraySafeVartype
String ID:
API String ID: 1725837607-0
Opcode ID: c433e41b03c6aa14ddb11da110502e8a5f58975d0abe288039ced132ee5d6c0e
Instruction ID: ea210cf469e7d1b352d98b20e83b5a3a0236f4911c4ebee4af221faa4b80240f
Opcode Fuzzy Hash: c433e41b03c6aa14ddb11da110502e8a5f58975d0abe288039ced132ee5d6c0e
Instruction Fuzzy Hash: 2FB19D7190424A9FDB14DFA5C885BBEBBB9FF4D320F240469EA85E7281D734AD41CB90

Function 0058FA5D Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 264comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0058FAA6
OleUninitialize.OLE32(?,00000000), ref: 0058FB45
UnregisterHotKey.USER32(?), ref: 0058FC9C
DestroyWindow.USER32(?), ref: 005C45D6
FreeLibrary.KERNEL32(?), ref: 005C463B
VirtualFree.KERNEL32(?,00000000,00008000), ref: 005C4668

Strings

close all, xrefs: 0058FAA1

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: close all
API String ID: 469580280-3243417748
Opcode ID: bb063b05da25a92a8778e6f55b45c945eafba75e048a12d5d132c2e360fab409
Instruction ID: 3d257e330288402e30dc90943d9647f372a100a324feca64396b13dbe5f1001f
Opcode Fuzzy Hash: bb063b05da25a92a8778e6f55b45c945eafba75e048a12d5d132c2e360fab409
Instruction Fuzzy Hash: 5EA16C34701212CFCB29EF54C5A9F69FB64BF45710F5442ADE80AAB261DB30AD56CF90

Function 005F9113 Relevance: 14.3, APIs: 5, Strings: 3, Instructions: 263COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005F9167
VariantInit.OLEAUT32(?), ref: 005F9238
VariantInit.OLEAUT32(?), ref: 005F9339
VariantClear.OLEAUT32(?), ref: 005F9343
VariantClear.OLEAUT32(?), ref: 005F93A0

Strings

Incorrect Object type in FOR..IN loop, xrefs: 005F931C
,,a, xrefs: 005F91E5
Null Object assignment in FOR..IN loop, xrefs: 005F91C8, 005F92F6, 005F93AE

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Variant$ClearInit$_memset
String ID: ,,a$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2862541840-2453478946
Opcode ID: 0fe9a3d7d2859263bfa0e7aff942fcdafdfc4492a525f37cbf6fe1d21253a9f6
Instruction ID: c540e554b89c05bd8eba9a1a501593e5d65163ce4b46b2360d4020331d33e6bc
Opcode Fuzzy Hash: 0fe9a3d7d2859263bfa0e7aff942fcdafdfc4492a525f37cbf6fe1d21253a9f6
Instruction Fuzzy Hash: 03919F71E00619ABDF24DFA5C848FAEBBB9FF85710F108959F605AB280D7749941CBA0

Function 005DA068 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 241COMMON

Download Yara Rule

APIs

EnumChildWindows.USER32(?,005DA439), ref: 005DA377

Strings

NAME, xrefs: 005DA1A9
TEXT, xrefs: 005DA2AE
CLASS, xrefs: 005DA0F6
INSTANCE, xrefs: 005DA285
REGEXPCLASS, xrefs: 005DA13C
CLASSNN, xrefs: 005DA119

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ChildEnumWindows
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
API String ID: 3555792229-1603158881
Opcode ID: e8f97b6f668058159ec306274ddf9f9a58540039723030c248b7cd87fbb30d10
Instruction ID: b24f93fa5f700fb0ecd4fafd5d7c09746e6fc3b9f4bcbcbe1c3e993c75cb6480
Opcode Fuzzy Hash: e8f97b6f668058159ec306274ddf9f9a58540039723030c248b7cd87fbb30d10
Instruction Fuzzy Hash: 6F91C530900606AACB28EFA8C445BEEFF75BF45300F54851BE859A7381DB31A999DBD1

Function 00582E26 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 186windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00582EAE

Part of subcall function 00581DB3: GetClientRect.USER32(?,?), ref: 00581DDC
Part of subcall function 00581DB3: GetWindowRect.USER32(?,?), ref: 00581E1D
Part of subcall function 00581DB3: ScreenToClient.USER32(?,?), ref: 00581E45

GetDC.USER32 ref: 005BCD32
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 005BCD45
SelectObject.GDI32(00000000,00000000), ref: 005BCD53
SelectObject.GDI32(00000000,00000000), ref: 005BCD68
ReleaseDC.USER32(?,00000000), ref: 005BCD70
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 005BCDFB

Strings

U, xrefs: 005BCCD0

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: efc72738fd1e89b4f3b199508058785b8cc0896047811d880c2b5a3f15e69d16
Instruction ID: 0929465c7aeda9a59aa3dc6817a65e08613f09798c88808741df0584270b39bd
Opcode Fuzzy Hash: efc72738fd1e89b4f3b199508058785b8cc0896047811d880c2b5a3f15e69d16
Instruction Fuzzy Hash: BB71D135500205DFCF219F64C884AFA7FBAFF49320F14467AED566A2A6C731AC81DB64

Function 005F1A15 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 134networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005F1A50
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 005F1A7C
InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 005F1ABE
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 005F1AD3
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005F1AE0
HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 005F1B10
InternetCloseHandle.WININET(00000000), ref: 005F1B57

Part of subcall function 005F2483: GetLastError.KERNEL32(?,?,005F1817,00000000,00000000,00000001), ref: 005F2498
Part of subcall function 005F2483: SetEvent.KERNEL32(?,?,005F1817,00000000,00000000,00000001), ref: 005F24AD

Strings

, xrefs: 005F1B01

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
String ID:
API String ID: 2603140658-3916222277
Opcode ID: 503a24b5273430c2721a9184d8bcff977381d68e9e2c1535e4b6b1c45888478c
Instruction ID: b80adb34b9ad0fe719482331a0867041fa525886e5c7e4b0090921ee17271066
Opcode Fuzzy Hash: 503a24b5273430c2721a9184d8bcff977381d68e9e2c1535e4b6b1c45888478c
Instruction Fuzzy Hash: 23417CB1541619FFEB118F50CC89FBB7BADFF08354F00412AFA059A141EBB99E448BA5

Function 005F8C46 Relevance: 13.9, APIs: 9, Instructions: 438COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,?,0060F910), ref: 005F8D28
FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0060F910), ref: 005F8D5C
QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 005F8ED6
SysFreeString.OLEAUT32(?), ref: 005F8F00

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Free$FileLibraryModuleNamePathQueryStringType
String ID:
API String ID: 560350794-0
Opcode ID: 420d08b61335dad147efeed6ea95005a29d58500b022f1ec565fddfed3a30859
Instruction ID: 210d46d1f100de09c4f4fba789fa712ebd9573d33f9287ad919418ca1e9ef745
Opcode Fuzzy Hash: 420d08b61335dad147efeed6ea95005a29d58500b022f1ec565fddfed3a30859
Instruction Fuzzy Hash: 25F11971A00109AFDF14DF94C888EBEBBB9FF85314F148498FA15AB251DB35AE45CB50

Function 005FF694 Relevance: 13.9, APIs: 9, Instructions: 386processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005FF6B5
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005FF848
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 005FF86C
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005FF8AC
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 005FF8CE
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005FFA4A
GetLastError.KERNEL32(00000000,00000001,00000000), ref: 005FFA7C
CloseHandle.KERNEL32(?), ref: 005FFAAB
CloseHandle.KERNEL32(?), ref: 005FFB22

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
String ID:
API String ID: 4090791747-0
Opcode ID: dda902eefebb15bcfba754d8dc3c66591f16da1efdc648d5ba85460e26bf59d6
Instruction ID: e92e481a1621a2cb0e96203f309b5b5bc5d8bd34e2bef7a38ebf6f04bbb1838a
Opcode Fuzzy Hash: dda902eefebb15bcfba754d8dc3c66591f16da1efdc648d5ba85460e26bf59d6
Instruction Fuzzy Hash: A4E19F316042069FCB14EF24C885A6EBFE1BF85354F18896DF9959B6A1CB34EC41CB52

Function 005E4CC1 Relevance: 13.7, APIs: 9, Instructions: 170filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 005E466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005E3697,?), ref: 005E468B

Part of subcall function 005E466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005E3697,?), ref: 005E46A4

Part of subcall function 005E4A31: GetFileAttributesW.KERNEL32(?,005E370B), ref: 005E4A32

lstrcmpiW.KERNEL32(?,?), ref: 005E4D40
_wcscmp.LIBCMT ref: 005E4D5A
MoveFileW.KERNEL32(?,?), ref: 005E4D75

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
String ID:
API String ID: 793581249-0
Opcode ID: 28633e555d21baad58b006e8c1b6b475e239708c35c194d217c16728d9863c42
Instruction ID: 270183136ab303bdd3ee3ad9c9eb457d03b9f8ea5087d4735575c7c1dfc30531
Opcode Fuzzy Hash: 28633e555d21baad58b006e8c1b6b475e239708c35c194d217c16728d9863c42
Instruction Fuzzy Hash: 885141B24083859BC724EB65D8859DF7BECBF85350F50092EB6C5D3151EE30A688CB66

Function 00608645 Relevance: 13.7, APIs: 9, Instructions: 168COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 006086FF

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: a437222eda9726115bee409eface6e3a27e116350b7b1f02f625798bcc33c812
Instruction ID: 715eb7f5fff1effa76184127ef42d3a7c19ac96554d481da29a3248512920930
Opcode Fuzzy Hash: a437222eda9726115bee409eface6e3a27e116350b7b1f02f625798bcc33c812
Instruction Fuzzy Hash: 9C51A134590214BFDB28DB248C89FAF7BA7BB05724F604125F991E72E1CF72A990CB41

Function 00582B72 Relevance: 13.7, APIs: 9, Instructions: 161windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 005BC2F7
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 005BC319
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 005BC331
ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 005BC34F
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 005BC370
DestroyIcon.USER32(00000000), ref: 005BC37F
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 005BC39C
DestroyIcon.USER32(?), ref: 005BC3AB

Part of subcall function 0060A4AF: DeleteObject.GDI32(00000000), ref: 0060A4E8

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
String ID:
API String ID: 2819616528-0
Opcode ID: 323eb1db9b7aaf2f7e96d3b182c5c2a7e45d0f5f37aeb537a43e64410e36528a
Instruction ID: e84389b250252599dd1fae8ee18093432823b811dd678e4872804a43e9309a70
Opcode Fuzzy Hash: 323eb1db9b7aaf2f7e96d3b182c5c2a7e45d0f5f37aeb537a43e64410e36528a
Instruction Fuzzy Hash: 9E515874A00209AFDB24EF65CC45BAA7FE6FB58311F104928F952E72A0DB70AD90DB50

Function 005D966E Relevance: 13.6, APIs: 9, Instructions: 66sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 005DA82C: GetWindowThreadProcessId.USER32(?,00000000), ref: 005DA84C
Part of subcall function 005DA82C: GetCurrentThreadId.KERNEL32 ref: 005DA853
Part of subcall function 005DA82C: AttachThreadInput.USER32(00000000,?,005D9683,?,00000001), ref: 005DA85A

MapVirtualKeyW.USER32(00000025,00000000), ref: 005D968E
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 005D96AB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 005D96AE
MapVirtualKeyW.USER32(00000025,00000000), ref: 005D96B7
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 005D96D5
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005D96D8
MapVirtualKeyW.USER32(00000025,00000000), ref: 005D96E1
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 005D96F8
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 005D96FB

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: 9b89be4331de77b6a12dd6853d8865118afa59f09559858398eaeec7c8e69c4e
Instruction ID: c5c6acb14d0a9eb9405a57233c9a381a9351f0b79524582a275b5a9de1dc2304
Opcode Fuzzy Hash: 9b89be4331de77b6a12dd6853d8865118afa59f09559858398eaeec7c8e69c4e
Instruction Fuzzy Hash: 6A11CEB1990218BEF7206B64DC89F6B3E2EEB4C750F101426F644AB1A0C9F35C10DAE4

Function 005D8921 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,005D853C,00000B00,?,?), ref: 005D892A
HeapAlloc.KERNEL32(00000000,?,005D853C,00000B00,?,?), ref: 005D8931
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,005D853C,00000B00,?,?), ref: 005D8946
GetCurrentProcess.KERNEL32(?,00000000,?,005D853C,00000B00,?,?), ref: 005D894E
DuplicateHandle.KERNEL32(00000000,?,005D853C,00000B00,?,?), ref: 005D8951
GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,005D853C,00000B00,?,?), ref: 005D8961
GetCurrentProcess.KERNEL32(005D853C,00000000,?,005D853C,00000B00,?,?), ref: 005D8969
DuplicateHandle.KERNEL32(00000000,?,005D853C,00000B00,?,?), ref: 005D896C
CreateThread.KERNEL32(00000000,00000000,005D8992,00000000,00000000,00000000), ref: 005D8986

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
String ID:
API String ID: 1957940570-0
Opcode ID: ee3d36abdeac26a24d3403ad022b50af02e06f7dbca736586aeb0a6603564f64
Instruction ID: f4b6cc0f78fda60e939b5785014ff448cbad288f3db4aca72335dec1b66c43a2
Opcode Fuzzy Hash: ee3d36abdeac26a24d3403ad022b50af02e06f7dbca736586aeb0a6603564f64
Instruction Fuzzy Hash: 7601BF75280304FFE720EBA5DC4DF673B6DEB89711F405461FA05DB591CA709800CB20

Function 005F9B23 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

NULL Pointer assignment, xrefs: 005F9BA4, 005F9EC8
Not an Object type, xrefs: 005F9B7B

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 59946fffea58030e9b0785a3ea9ba0d3fa06075f246cd3f25b63af6d033c6980
Instruction ID: ce9a6a6318ce44135bbd583599ba50c7b9a046bfc4af6e2daf8c755da02063f9
Opcode Fuzzy Hash: 59946fffea58030e9b0785a3ea9ba0d3fa06075f246cd3f25b63af6d033c6980
Instruction Fuzzy Hash: 99C19371A0060E9BDF10DF98C884BBEBBF9BB48314F148469EA05A7281E7749D45CB90

Function 005F975D Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 005D710A: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,005D7044,80070057,?,?,?,005D7455), ref: 005D7127
Part of subcall function 005D710A: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,005D7044,80070057,?,?), ref: 005D7142
Part of subcall function 005D710A: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,005D7044,80070057,?,?), ref: 005D7150
Part of subcall function 005D710A: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,005D7044,80070057,?), ref: 005D7160

CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 005F9806
_memset.LIBCMT ref: 005F9813
_memset.LIBCMT ref: 005F9956
CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 005F9982
CoTaskMemFree.OLE32(?), ref: 005F998D

Strings

NULL Pointer assignment, xrefs: 005F99DB

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
String ID: NULL Pointer assignment
API String ID: 1300414916-2785691316
Opcode ID: 10d200e9a3de38819f85c277805f3e4c8efc384e1e91ce16fadd57cd6846d9d6
Instruction ID: 0037a1a799cb816bcf5dc88f1c2077a0cce2b6d10f0df3a391b8d23e55a674d9
Opcode Fuzzy Hash: 10d200e9a3de38819f85c277805f3e4c8efc384e1e91ce16fadd57cd6846d9d6
Instruction Fuzzy Hash: C7911771D0021DEBDB10EFA5DC45AEEBBB9BF48310F20415AF519A7291EB719A44CFA0

Function 00606D80 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 143windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00606E24
SendMessageW.USER32(?,00001036,00000000,?), ref: 00606E38
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00606E52
_wcscat.LIBCMT ref: 00606EAD
SendMessageW.USER32(?,00001057,00000000,?), ref: 00606EC4
SendMessageW.USER32(?,00001061,?,0000000F), ref: 00606EF2

Strings

SysListView32, xrefs: 00606DF6

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend$Window_wcscat
String ID: SysListView32
API String ID: 307300125-78025650
Opcode ID: a6e11948ad52d2dd974c46ffb35e13e0ec1feeae677ecb67c965deb56a47ebac
Instruction ID: 4771ef26d4887d01c83b5445fecb6fd816eef7113bd2d3cbb8ba912428e42fd7
Opcode Fuzzy Hash: a6e11948ad52d2dd974c46ffb35e13e0ec1feeae677ecb67c965deb56a47ebac
Instruction Fuzzy Hash: 9341B270A80349ABEB25DF64CC85BEF77EAEF08350F10042AF585E72D1D6729D958B60

Function 005FE933 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 005E3C55: CreateToolhelp32Snapshot.KERNEL32 ref: 005E3C7A
Part of subcall function 005E3C55: Process32FirstW.KERNEL32(00000000,?), ref: 005E3C88
Part of subcall function 005E3C55: CloseHandle.KERNEL32(00000000), ref: 005E3D52

OpenProcess.KERNEL32(00000001,00000000,?), ref: 005FE9A4
GetLastError.KERNEL32 ref: 005FE9B7
OpenProcess.KERNEL32(00000001,00000000,?), ref: 005FE9E6
TerminateProcess.KERNEL32(00000000,00000000), ref: 005FEA63
GetLastError.KERNEL32(00000000), ref: 005FEA6E
CloseHandle.KERNEL32(00000000), ref: 005FEAA3

Strings

SeDebugPrivilege, xrefs: 005FE9C2

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 381aa8ccdc6f196b655ebb2852d795587d7144afe70210f75eb51d318beb8911
Instruction ID: fcff41c3fcf9217dab1f43defe1c34a00f53ce713938254279d8632f6cb6f74b
Opcode Fuzzy Hash: 381aa8ccdc6f196b655ebb2852d795587d7144afe70210f75eb51d318beb8911
Instruction Fuzzy Hash: 1D41AD712002069FDB24EF14CC9AF7EBBA5BF84314F188459FA429B3D2CB75A845CB91

Function 005E2F94 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 005E3033

Strings

info, xrefs: 005E2FD4
stop, xrefs: 005E3004
question, xrefs: 005E2FEC
warning, xrefs: 005E301C
blank, xrefs: 005E2FB5

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: b27ce1353c5671bdfd8137baad18185f94ba16eb17ae48914683cfa879f959bc
Instruction ID: 6735b9e6bc682c7d340e67aa7eb0132cd84b7af74cedbf7c3642f7b50c0d5774
Opcode Fuzzy Hash: b27ce1353c5671bdfd8137baad18185f94ba16eb17ae48914683cfa879f959bc
Instruction Fuzzy Hash: 0111C6312483C6BED7299A59DC4EDBF6F9CBF15370F10042AF940A7181DA619F4055A5

Function 005E42F8 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 005E4312
LoadStringW.USER32(00000000), ref: 005E4319
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 005E432F
LoadStringW.USER32(00000000), ref: 005E4336
_wprintf.LIBCMT ref: 005E435C
MessageBoxW.USER32(00000000,?,?,00011010), ref: 005E437A

Strings

%s (%d) : ==> %s: %s %s, xrefs: 005E4357

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wprintf
String ID: %s (%d) : ==> %s: %s %s
API String ID: 3648134473-3128320259
Opcode ID: 4f818e44fa14b46c8f9c3bfbc3fb83aee5dc7529dabf576e80ee02153a547acb
Instruction ID: f51f1bb75a40127573b876c3dbf74a1445dd3b333c45bd07ce0c531e3789d3fb
Opcode Fuzzy Hash: 4f818e44fa14b46c8f9c3bfbc3fb83aee5dc7529dabf576e80ee02153a547acb
Instruction Fuzzy Hash: E40162F2940208BFE721DBA0DD89EEB776DEB08300F0009A1B745E2051EA755E854B70

Function 0060D43E Relevance: 12.3, APIs: 8, Instructions: 257windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00582612: GetWindowLongW.USER32(?,000000EB), ref: 00582623

GetSystemMetrics.USER32(0000000F), ref: 0060D47C
GetSystemMetrics.USER32(0000000F), ref: 0060D49C
MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0060D6D7
SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0060D6F5
SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0060D716
ShowWindow.USER32(00000003,00000000), ref: 0060D735
InvalidateRect.USER32(?,00000000,00000001), ref: 0060D75A
DefDlgProcW.USER32(?,00000005,?,?), ref: 0060D77D

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
String ID:
API String ID: 1211466189-0
Opcode ID: cf8ec3f4b304f7ddd5069792384882d5542bc9189693c7544cfef0b7380495c4
Instruction ID: bce696d6b78092d371f2d3b13080b0be8801dc5ca42cc1e41d279b7f64d29928
Opcode Fuzzy Hash: cf8ec3f4b304f7ddd5069792384882d5542bc9189693c7544cfef0b7380495c4
Instruction Fuzzy Hash: D0B19B75640225EFDF18CFA8C9857EE7BB2FF04701F088269EC489B295D775A950CB90

Function 00582A5B Relevance: 12.1, APIs: 8, Instructions: 129COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,005BC1C7,00000004,00000000,00000000,00000000), ref: 00582ACF
ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,005BC1C7,00000004,00000000,00000000,00000000,000000FF), ref: 00582B17
ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,005BC1C7,00000004,00000000,00000000,00000000), ref: 005BC21A
ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,005BC1C7,00000004,00000000,00000000,00000000), ref: 005BC286

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 23ac18e68d1f008be5629d2aff11cfe99e01c401a2e1c5bb11336784d9044a58
Instruction ID: 71fb14e49661b1c16d9affb8428935b9cb1b1d810def8d91798da8e4a45e7908
Opcode Fuzzy Hash: 23ac18e68d1f008be5629d2aff11cfe99e01c401a2e1c5bb11336784d9044a58
Instruction Fuzzy Hash: A441E934608680ABD73DAB28DC8CB6B7F92BF85310F18881DE8D7A6561C6B1A841D711

Function 005E70C6 Relevance: 12.1, APIs: 8, Instructions: 101fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 005E70DD

Part of subcall function 005A0DB6: std::exception::exception.LIBCMT ref: 005A0DEC
Part of subcall function 005A0DB6: __CxxThrowException@8.LIBCMT ref: 005A0E01

ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 005E7114
EnterCriticalSection.KERNEL32(?), ref: 005E7130
_memmove.LIBCMT ref: 005E717E
_memmove.LIBCMT ref: 005E719B
LeaveCriticalSection.KERNEL32(?), ref: 005E71AA
ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 005E71BF
InterlockedExchange.KERNEL32(?,000001F6), ref: 005E71DE

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
String ID:
API String ID: 256516436-0
Opcode ID: 507075fff4296ff2a647655c641d9281fb081b63afaeee9d7056c06b75189704
Instruction ID: 8a0c78798cdfd35c5728a4898fc6a5643e2807a4159ebf9e5b85fbf796e2d538
Opcode Fuzzy Hash: 507075fff4296ff2a647655c641d9281fb081b63afaeee9d7056c06b75189704
Instruction Fuzzy Hash: B9317231900205EBCF14EFA5DC899AF7B79FF89310F1441A5F9049B246D7709E10DBA0

Function 006061D3 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 006061EB
GetDC.USER32(00000000), ref: 006061F3
GetDeviceCaps.GDI32(00000000,0000005A), ref: 006061FE
ReleaseDC.USER32(00000000,00000000), ref: 0060620A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00606246
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00606257
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0060902A,?,?,000000FF,00000000,?,000000FF,?), ref: 00606291
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 006062B1

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 41de9133b886694a7e75fc57333c8058bbba1de540ca1bf183d97c17c0a93165
Instruction ID: eacb54aa866d985b7e0d25bc0bd3eca8e3c17711de40031b6b7edc5700cc67b4
Opcode Fuzzy Hash: 41de9133b886694a7e75fc57333c8058bbba1de540ca1bf183d97c17c0a93165
Instruction Fuzzy Hash: CE318072181210BFEF258F50CC8AFEB3BAAEF49765F044065FE089A291C6B59C51CB74

Function 005DBBAF Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBCMT ref: 005DBBC4
_memcmp.LIBCMT ref: 005DBBE6
_memcmp.LIBCMT ref: 005DBBFE
_memcmp.LIBCMT ref: 005DBC11
_memcmp.LIBCMT ref: 005DBC2B
_memcmp.LIBCMT ref: 005DBC3E
_memcmp.LIBCMT ref: 005DBC56
_memcmp.LIBCMT ref: 005DBC71

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: c9a79d1083390feb5866b41873ad8e9c2f772f39e210a7aba11cf25c5e2d17ce
Instruction ID: 77d3015af09db747787ebb7e6c4f29e35e4d3c855861374235c6b7acbf07eb61
Opcode Fuzzy Hash: c9a79d1083390feb5866b41873ad8e9c2f772f39e210a7aba11cf25c5e2d17ce
Instruction Fuzzy Hash: CC21BD61601607ABBA2466299D52FFF7F5FBF55348F0A4023FD0596343EF24DE2082A5

Function 005EEB23 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 323COMMON

Download Yara Rule

APIs

Part of subcall function 00589837: __itow.LIBCMT ref: 00589862
Part of subcall function 00589837: __swprintf.LIBCMT ref: 005898AC

Part of subcall function 0059FC86: _wcscpy.LIBCMT ref: 0059FCA9

_wcstok.LIBCMT ref: 005EEC94
_wcscpy.LIBCMT ref: 005EED23
_memset.LIBCMT ref: 005EED56

Strings

X, xrefs: 005EED93

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _wcscpy$__itow__swprintf_memset_wcstok
String ID: X
API String ID: 774024439-3081909835
Opcode ID: 7596c9aa78aeb45fbeece06ff17611fb1f163883c125551a354aec59a9321ab8
Instruction ID: 03a5f01ebd3ab299e445d9ec4fa5e120580436bd189138f066ebe6a82f8c5c98
Opcode Fuzzy Hash: 7596c9aa78aeb45fbeece06ff17611fb1f163883c125551a354aec59a9321ab8
Instruction Fuzzy Hash: FDC161715187429FC714EF24D84AA6ABBE4FF85314F14492DF899972A2DB30EC45CB82

Function 005F6B03 Relevance: 10.8, APIs: 7, Instructions: 250networkCOMMON

Download Yara Rule

APIs

__WSAFDIsSet.WSOCK32(00000000,?), ref: 005F6C00
#17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 005F6C21
WSAGetLastError.WSOCK32(00000000), ref: 005F6C34
htons.WSOCK32(?), ref: 005F6CEA
inet_ntoa.WSOCK32(?), ref: 005F6CA7

Part of subcall function 005DA7E9: _strlen.LIBCMT ref: 005DA7F3
Part of subcall function 005DA7E9: _memmove.LIBCMT ref: 005DA815

_strlen.LIBCMT ref: 005F6D44
_memmove.LIBCMT ref: 005F6DAD

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
String ID:
API String ID: 3619996494-0
Opcode ID: 2d894287352564534877eb09c6b0168722bfd9f28e99288a52f588dd9337701e
Instruction ID: 4ffcaae79fe5f07a2b2b4466680f48dad440415a6e3c35fd8ebad6bf0746fae0
Opcode Fuzzy Hash: 2d894287352564534877eb09c6b0168722bfd9f28e99288a52f588dd9337701e
Instruction Fuzzy Hash: 8481D071204205ABC710FF24CC8AE7BBBA9FFC4714F544919FA55AB292DA74ED01CB92

Function 00581424 Relevance: 10.7, APIs: 7, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 175f3ac6cbc985cd58fd8d352bf880759870e7bb4c235b7f567d053b9fc209ba
Instruction ID: 068f380aef4a6b0f5530692f043a6b3c67d895a1409819cf2bd3359697f2c561
Opcode Fuzzy Hash: 175f3ac6cbc985cd58fd8d352bf880759870e7bb4c235b7f567d053b9fc209ba
Instruction Fuzzy Hash: 2D716B30900509EFDF14DF98CC49ABEBF79FF85310F148159F915AA251C770AA52CBA4

Function 0060B351 Relevance: 10.7, APIs: 7, Instructions: 199windowCOMMON

Download Yara Rule

APIs

IsWindow.USER32(00F24DC0), ref: 0060B3EB
IsWindowEnabled.USER32(00F24DC0), ref: 0060B3F7
SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0060B4DB
SendMessageW.USER32(00F24DC0,000000B0,?,?), ref: 0060B512
IsDlgButtonChecked.USER32(?,?), ref: 0060B54F
GetWindowLongW.USER32(00F24DC0,000000EC), ref: 0060B571
SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0060B589

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSendWindow$ButtonCheckedEnabledLong
String ID:
API String ID: 4072528602-0
Opcode ID: 5f0f1880890ee4d6f0aab11ae803b9d247c188b97c62257a7428f2b58a56f2d7
Instruction ID: 84b2a4f457d44351feac3de40f3f2ac52331c036d0296b8fb5887cc0ea93f8c7
Opcode Fuzzy Hash: 5f0f1880890ee4d6f0aab11ae803b9d247c188b97c62257a7428f2b58a56f2d7
Instruction Fuzzy Hash: 26718F34680204AFDB299F54C894FEB7BE7EF09300F14A459FA56973E6C731AA41CB50

Function 005FF41E Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005FF448
_memset.LIBCMT ref: 005FF511
ShellExecuteExW.SHELL32(?), ref: 005FF556

Part of subcall function 00589837: __itow.LIBCMT ref: 00589862
Part of subcall function 00589837: __swprintf.LIBCMT ref: 005898AC

Part of subcall function 0059FC86: _wcscpy.LIBCMT ref: 0059FCA9

GetProcessId.KERNEL32(00000000), ref: 005FF5CD
CloseHandle.KERNEL32(00000000), ref: 005FF5FC

Strings

@, xrefs: 005FF525

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
String ID: @
API String ID: 3522835683-2766056989
Opcode ID: 20f5e6280a57f19c9bdb7b832af62948729ae442045b5ef26c3e863a79a5162b
Instruction ID: 619bd960469ecc90ad891e00e7e639a85613c403f2e4fb99874be7b3a11ae1a0
Opcode Fuzzy Hash: 20f5e6280a57f19c9bdb7b832af62948729ae442045b5ef26c3e863a79a5162b
Instruction Fuzzy Hash: 9D618A75A0061A9FCF14EF64C8899AEBFB5FF89314F148069E816AB751CB34AD41CF90

Function 005E0F4D Relevance: 10.7, APIs: 7, Instructions: 166windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 005E0F8C
GetKeyboardState.USER32(?), ref: 005E0FA1
SetKeyboardState.USER32(?), ref: 005E1002
PostMessageW.USER32(?,00000101,00000010,?), ref: 005E1030
PostMessageW.USER32(?,00000101,00000011,?), ref: 005E104F
PostMessageW.USER32(?,00000101,00000012,?), ref: 005E1095
PostMessageW.USER32(?,00000101,0000005B,?), ref: 005E10B8

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2eefbef56fa3239a0abf2a4269d173d8fad84473d500297679537322781fde3e
Instruction ID: 4e72d72d3263eb60e69b392399aa129e3caa746b4cd06301a2802189b8a7072b
Opcode Fuzzy Hash: 2eefbef56fa3239a0abf2a4269d173d8fad84473d500297679537322781fde3e
Instruction Fuzzy Hash: 155126B0654BD63EFB3A43368C19BBABEA97B06300F088589E1D5458C3C2E9DCD8D755

Function 005E0D66 Relevance: 10.7, APIs: 7, Instructions: 165windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 005E0DA5
GetKeyboardState.USER32(?), ref: 005E0DBA
SetKeyboardState.USER32(?), ref: 005E0E1B
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 005E0E47
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 005E0E64
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 005E0EA8
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 005E0EC9

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 2e9d22b90b8fcab616cb4e37cc7c867e350ad446a4007eb9424572dace12af8a
Instruction ID: a38e9d87e285c69c17ffb436d57ddc25c3d7a0b9fa708e0dd3db64973a1f67a9
Opcode Fuzzy Hash: 2e9d22b90b8fcab616cb4e37cc7c867e350ad446a4007eb9424572dace12af8a
Instruction Fuzzy Hash: 0B5124A05487D63DFB3A83768C45B7ABFA97B06300F089899E1D4568C2C3E5ECD8D760

Function 005E55FD Relevance: 10.6, APIs: 7, Instructions: 138timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 005E560A
_wcsncpy.LIBCMT ref: 005E563F
_wcsncpy.LIBCMT ref: 005E5671
_wcsncpy.LIBCMT ref: 005E56A4
_wcsncpy.LIBCMT ref: 005E56E6
_wcsncpy.LIBCMT ref: 005E5720
_wcsncpy.LIBCMT ref: 005E574F

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _wcsncpy$LocalTime
String ID:
API String ID: 2945705084-0
Opcode ID: 5394d135aa832561bc5ad1c93cfbff1bc2629dcee81423c256e504d5c70113af
Instruction ID: 3564738f45d6a4cc2d20ac378b2ea800d7678e85a027392966e6741b96c97017
Opcode Fuzzy Hash: 5394d135aa832561bc5ad1c93cfbff1bc2629dcee81423c256e504d5c70113af
Instruction Fuzzy Hash: CE41B676C1021976CB11EBF88C4A9CFBBB8BF45310F504856F544E3121FA34E255C7A6

Function 005DD56C Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 121comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 005DD5D4
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 005DD60A
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 005DD61B
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 005DD69D

Strings

DllGetClassObject, xrefs: 005DD610
,,a, xrefs: 005DD578

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: ,,a$DllGetClassObject
API String ID: 753597075-1266341603
Opcode ID: 6b7d7c20e77ec03e93ffaa9841add01724e0082682c6cd8c9e0328136fa39870
Instruction ID: 502139e18c34db0817e798ef946674eaaca0a1792c4346106def9b1a514b122c
Opcode Fuzzy Hash: 6b7d7c20e77ec03e93ffaa9841add01724e0082682c6cd8c9e0328136fa39870
Instruction Fuzzy Hash: 4F4159B1600205EFDB25CF68C884A9ABFBAFF44310F1581ABA9099F305D7B1D944DBE0

Function 005E3671 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 111filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 005E466E: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,005E3697,?), ref: 005E468B

Part of subcall function 005E466E: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,005E3697,?), ref: 005E46A4

lstrcmpiW.KERNEL32(?,?), ref: 005E36B7
_wcscmp.LIBCMT ref: 005E36D3
MoveFileW.KERNEL32(?,?), ref: 005E36EB
_wcscat.LIBCMT ref: 005E3733
SHFileOperationW.SHELL32(?), ref: 005E379F

Strings

\*.*, xrefs: 005E372D

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
String ID: \*.*
API String ID: 1377345388-1173974218
Opcode ID: c1e84ea231f73048ff1c9685da0b536c4a350b1c76a2279c9f8bfe2a5b4aa4c4
Instruction ID: 824bec710df15b2555e84ef33377ae21b47c18147ebd599e1ee70e990c766d00
Opcode Fuzzy Hash: c1e84ea231f73048ff1c9685da0b536c4a350b1c76a2279c9f8bfe2a5b4aa4c4
Instruction Fuzzy Hash: FF418F71508385AEC755EF65C44A9DF7BE8FF89380F00182EB4C9C3251EA34D689CB52

Function 00607291 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 103windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 006072AA
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00607351
IsMenu.USER32(?), ref: 00607369
InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 006073B1
DrawMenuBar.USER32 ref: 006073C4

Strings

0, xrefs: 0060729E

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Menu$Item$DrawInfoInsert_memset
String ID: 0
API String ID: 3866635326-4108050209
Opcode ID: 0eb968c17e6352cacf48f864ba6abbd17a3955d4377e82d4a5b3ca5859ec5784
Instruction ID: 742b33e2ee88a54fee8ef29eece45526f4fd80d42fe03cc14c2b228ba2c3676a
Opcode Fuzzy Hash: 0eb968c17e6352cacf48f864ba6abbd17a3955d4377e82d4a5b3ca5859ec5784
Instruction Fuzzy Hash: B1412575A44209EFEB28DF50D884ADABBBAFB09311F149429FD15A7390D730AD50DB60

Function 00600FA5 Relevance: 10.6, APIs: 7, Instructions: 101registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00600FD4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00600FFE
FreeLibrary.KERNEL32(00000000), ref: 006010B5

Part of subcall function 00600FA5: RegCloseKey.ADVAPI32(?), ref: 0060101B
Part of subcall function 00600FA5: FreeLibrary.KERNEL32(?), ref: 0060106D
Part of subcall function 00600FA5: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00601090

RegDeleteKeyW.ADVAPI32(?,?), ref: 00601058

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: EnumFreeLibrary$CloseDeleteOpen
String ID:
API String ID: 395352322-0
Opcode ID: 293e4be8253bf7657249dab8e09e1024e920dc6668432b49b0f84c5afe27b17f
Instruction ID: 4e7ddab3f74a173fdc58225c5c08f7563d99116becd07511e51c757eb741d5c8
Opcode Fuzzy Hash: 293e4be8253bf7657249dab8e09e1024e920dc6668432b49b0f84c5afe27b17f
Instruction Fuzzy Hash: D2310F71941109BFEB299F90DC89EFFB7BDEF09300F000169E542A6291EA745E859AA0

Function 006062CD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 006062EC
GetWindowLongW.USER32(00F24DC0,000000F0), ref: 0060631F
GetWindowLongW.USER32(00F24DC0,000000F0), ref: 00606354
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00606386
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 006063B0
GetWindowLongW.USER32(00000000,000000F0), ref: 006063C1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 006063DB

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: 00d553aae0c29bddc5928bd2a39e50dd0c1c662bcbff8fc8b5d43de4a9b0d3fe
Instruction ID: 415430d90a637864a96a9f82c7238d095a9068f3b66f645463d3290f3374b314
Opcode Fuzzy Hash: 00d553aae0c29bddc5928bd2a39e50dd0c1c662bcbff8fc8b5d43de4a9b0d3fe
Instruction Fuzzy Hash: B231F4346842609FDB29CF18DC84F9637E2FB4A714F1961A8F5019F2F2CB72AC509B91

Function 005DDAEB Relevance: 10.6, APIs: 7, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005DDB2E
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005DDB54
SysAllocString.OLEAUT32(00000000), ref: 005DDB57
SysAllocString.OLEAUT32(?), ref: 005DDB75
SysFreeString.OLEAUT32(?), ref: 005DDB7E
StringFromGUID2.OLE32(?,?,00000028), ref: 005DDBA3
SysAllocString.OLEAUT32(?), ref: 005DDBB1

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: c8eaa9dd5193cae17ef254f153057d5b3b015c59ecbcf91bd731932c25388ddb
Instruction ID: 17a933be0cf763ae04dd686e7dfa332ebcf29b1ec466d1d3794c09bf5455b83c
Opcode Fuzzy Hash: c8eaa9dd5193cae17ef254f153057d5b3b015c59ecbcf91bd731932c25388ddb
Instruction Fuzzy Hash: 05217136600219AFEF20DFA8DC88CBB77ADFB09364B018567F914DB291D6709C418B60

Function 005F6173 Relevance: 10.6, APIs: 7, Instructions: 94networkCOMMON

Download Yara Rule

APIs

Part of subcall function 005F7D8B: inet_addr.WSOCK32(00000000), ref: 005F7DB6

socket.WSOCK32(00000002,00000001,00000006), ref: 005F61C6
WSAGetLastError.WSOCK32(00000000), ref: 005F61D5
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 005F620E
connect.WSOCK32(00000000,?,00000010), ref: 005F6217
WSAGetLastError.WSOCK32 ref: 005F6221
closesocket.WSOCK32(00000000), ref: 005F624A
ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 005F6263

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
String ID:
API String ID: 910771015-0
Opcode ID: 2768b772abe10e7134fb0d7f0fe40a7b1b46fe4f485b046011bf9278194bcd88
Instruction ID: 6e21383ba34fb77d753005a2ca247ffd0d840e29f421c7aebb6c5728bcd81ef3
Opcode Fuzzy Hash: 2768b772abe10e7134fb0d7f0fe40a7b1b46fe4f485b046011bf9278194bcd88
Instruction Fuzzy Hash: 1D319035600109ABDF20AF24CC89FBE7BA9FB45714F048429FE05A7291CB74AC04DBA1

Function 005DF65E Relevance: 10.6, APIs: 3, Strings: 3, Instructions: 90COMMON

Download Yara Rule

APIs

__wcsnicmp.LIBCMT ref: 005DF671
__wcsnicmp.LIBCMT ref: 005DF692
__wcsnicmp.LIBCMT ref: 005DF6AC

Strings

#OnAutoItStartRegister, xrefs: 005DF6A6
#notrayicon, xrefs: 005DF669
#requireadmin, xrefs: 005DF68C

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: __wcsnicmp
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 1038674560-2734436370
Opcode ID: abd26865a904e7d487df9687cf9b0c03a0766ba8001bbbdd0e477e2f4dd7b729
Instruction ID: a9e621b27cacfb92e9badf0ba9907973483371d7d756a8b6e39cc6b0700f685a
Opcode Fuzzy Hash: abd26865a904e7d487df9687cf9b0c03a0766ba8001bbbdd0e477e2f4dd7b729
Instruction Fuzzy Hash: 2721497220411267D731AA38AC07EEF7B99FF96344F14443BF94786291EB50DE81D3A5

Function 005DDBC4 Relevance: 10.6, APIs: 7, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005DDC09
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 005DDC2F
SysAllocString.OLEAUT32(00000000), ref: 005DDC32
SysAllocString.OLEAUT32 ref: 005DDC53
SysFreeString.OLEAUT32 ref: 005DDC5C
StringFromGUID2.OLE32(?,?,00000028), ref: 005DDC76
SysAllocString.OLEAUT32(?), ref: 005DDC84

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 9e07bd65f724874c2153315cdc0f609aacb870ca47fa0e8f809fda44d3466a78
Instruction ID: d5e03182c340d399933f29cefd3cc6ba011a4dc2268bf82d1d68cf22d177012b
Opcode Fuzzy Hash: 9e07bd65f724874c2153315cdc0f609aacb870ca47fa0e8f809fda44d3466a78
Instruction Fuzzy Hash: D2213175614205AFDB20ABACDC88DAB7BEDFB09360B108127F915CB2A1D6B09C41CB64

Function 006075CD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00581D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00581D73
Part of subcall function 00581D35: GetStockObject.GDI32(00000011), ref: 00581D87
Part of subcall function 00581D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00581D91

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00607632
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0060763F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0060764A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00607659
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00607665

Strings

Msctls_Progress32, xrefs: 00607603

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 2925f9888c36141d2d80850c4c67d52c0703f7b3c88f61c4929bbed3d39778de
Instruction ID: 3082122c4c9c4baa861b26d084a41d06e977fed8072d1345299287e06cd2f6f7
Opcode Fuzzy Hash: 2925f9888c36141d2d80850c4c67d52c0703f7b3c88f61c4929bbed3d39778de
Instruction Fuzzy Hash: DB11B6B1550119BFEF159F64CC85EE77F5EEF08798F014114BA05A2090C672AC21DBA4

Function 005A9AE6 Relevance: 10.5, APIs: 7, Instructions: 45threadCOMMON

Download Yara Rule

APIs

__init_pointers.LIBCMT ref: 005A9AE6

Part of subcall function 005A3187: EncodePointer.KERNEL32(00000000), ref: 005A318A
Part of subcall function 005A3187: __initp_misc_winsig.LIBCMT ref: 005A31A5
Part of subcall function 005A3187: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 005A9EA0
Part of subcall function 005A3187: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 005A9EB4
Part of subcall function 005A3187: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 005A9EC7
Part of subcall function 005A3187: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 005A9EDA
Part of subcall function 005A3187: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 005A9EED
Part of subcall function 005A3187: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 005A9F00
Part of subcall function 005A3187: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 005A9F13
Part of subcall function 005A3187: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 005A9F26
Part of subcall function 005A3187: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 005A9F39
Part of subcall function 005A3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 005A9F4C
Part of subcall function 005A3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 005A9F5F
Part of subcall function 005A3187: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 005A9F72
Part of subcall function 005A3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 005A9F85
Part of subcall function 005A3187: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 005A9F98
Part of subcall function 005A3187: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 005A9FAB
Part of subcall function 005A3187: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 005A9FBE

__mtinitlocks.LIBCMT ref: 005A9AEB
__mtterm.LIBCMT ref: 005A9AF4

Part of subcall function 005A9B5C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,005A9AF9,005A7CD0,0063A0B8,00000014), ref: 005A9C56
Part of subcall function 005A9B5C: _free.LIBCMT ref: 005A9C5D
Part of subcall function 005A9B5C: DeleteCriticalSection.KERNEL32(02d,?,?,005A9AF9,005A7CD0,0063A0B8,00000014), ref: 005A9C7F

__calloc_crt.LIBCMT ref: 005A9B19
__initptd.LIBCMT ref: 005A9B3B
GetCurrentThreadId.KERNEL32 ref: 005A9B42

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
String ID:
API String ID: 3567560977-0
Opcode ID: 5f82c0f2a9cc483fa8a34c1cddecfbbeb58275e8dd0825e1e101fa06b83963d5
Instruction ID: 55c42a3f8d77f6fa6e8328f84bb4e773b981c3d1ea1b80cbee2b1c479aa1de5b
Opcode Fuzzy Hash: 5f82c0f2a9cc483fa8a34c1cddecfbbeb58275e8dd0825e1e101fa06b83963d5
Instruction Fuzzy Hash: D4F06D326097335AE7347774BC0B68E3E91BB83734B204A1AF461860D2EF61844146B0

Function 0060B635 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 40processCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 0060B644
_memset.LIBCMT ref: 0060B653
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00646F20,00646F64), ref: 0060B682
CloseHandle.KERNEL32 ref: 0060B694

Strings

od, xrefs: 0060B63E
dod, xrefs: 0060B64D

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _memset$CloseCreateHandleProcess
String ID: od$dod
API String ID: 3277943733-267715420
Opcode ID: faeb35afcf9d59cadfca45cb0bd092f123fb8ca63bb7a75f4c569f0bd7e11e35
Instruction ID: 97abc8c25b2fc64fbf372465888225649e8ff8f73ac3cb13445db6f8971b49b9
Opcode Fuzzy Hash: faeb35afcf9d59cadfca45cb0bd092f123fb8ca63bb7a75f4c569f0bd7e11e35
Instruction Fuzzy Hash: 4FF05EB65803007AE3502B65FC0AFBB3E9FEB0B795F006020BA48E5592D7724C0587AA

Function 005A406B Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 19libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,005A3F85), ref: 005A4085
GetProcAddress.KERNEL32(00000000), ref: 005A408C
EncodePointer.KERNEL32(00000000), ref: 005A4097
DecodePointer.KERNEL32(005A3F85), ref: 005A40B2

Strings

RoUninitialize, xrefs: 005A4074
combase.dll, xrefs: 005A4080

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
String ID: RoUninitialize$combase.dll
API String ID: 3489934621-2819208100
Opcode ID: 33a30d028fb322f88325ad173b12124e04ebb2e73919e7c1cd0cfe6ad52519f0
Instruction ID: 3b085370372d84def5e028d2709fa1c5ccdc4257d5819ae0f861642f55e9b1f2
Opcode Fuzzy Hash: 33a30d028fb322f88325ad173b12124e04ebb2e73919e7c1cd0cfe6ad52519f0
Instruction Fuzzy Hash: 00E0EC749C1311EFEB20AFA1FC0EB463AA7BB06742F156024F101E6AA0CBB74644DF14

Function 005E64B8 Relevance: 9.2, APIs: 6, Instructions: 205COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005E660B
_memmove.LIBCMT ref: 005E6546

Part of subcall function 00589837: __itow.LIBCMT ref: 00589862
Part of subcall function 00589837: __swprintf.LIBCMT ref: 005898AC

_memmove.LIBCMT ref: 005E65B9
_memmove.LIBCMT ref: 005E66A0
_memmove.LIBCMT ref: 005E66B9
_memmove.LIBCMT ref: 005E66D5

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _memmove$__itow__swprintf
String ID:
API String ID: 3253778849-0
Opcode ID: 9863102e03c29a5e0e466ba8f1401a9340df7fcea8e799d8c2f609bfb2f3a253
Instruction ID: ac41cd57762a36fc1b7ac9fd19169f2900c73a8982fcd37aaa202c5ddc2aa7fd
Opcode Fuzzy Hash: 9863102e03c29a5e0e466ba8f1401a9340df7fcea8e799d8c2f609bfb2f3a253
Instruction Fuzzy Hash: 77619A3051029B9BCF05FF61CC89ABE3FA8BF95348F084819FD956A192DA359801DB50

Function 006001E4 Relevance: 9.2, APIs: 6, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00587DE1: _memmove.LIBCMT ref: 00587E22

Part of subcall function 00600E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005FFDAD,?,?), ref: 00600E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006002BD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006002FD
RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00600320
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00600349
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0060038C
RegCloseKey.ADVAPI32(00000000), ref: 00600399

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
String ID:
API String ID: 4046560759-0
Opcode ID: 824e2d6dc88b029fa9db95221ba7ff8a31f34290e2a0282218b30a2b85892a44
Instruction ID: 4d72c88cb9384f65613641999e2be6ec07c648651cfe99e63269858b5d8ceddd
Opcode Fuzzy Hash: 824e2d6dc88b029fa9db95221ba7ff8a31f34290e2a0282218b30a2b85892a44
Instruction Fuzzy Hash: 1A515C311082069FD719EF64C889EAFBBE9FF89314F04491DF855972A1DB31E905CB52

Function 00605799 Relevance: 9.2, APIs: 6, Instructions: 160windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 006057FB
GetMenuItemCount.USER32(00000000), ref: 00605832
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0060585A
GetMenuItemID.USER32(?,?), ref: 006058C9
GetSubMenu.USER32(?,?), ref: 006058D7
PostMessageW.USER32(?,00000111,?,00000000), ref: 00605928

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Menu$Item$CountMessagePostString
String ID:
API String ID: 650687236-0
Opcode ID: 930d632ee9cd3a27a28b9a9a160944e93e3a35f56720dd37eac98d9a6834c37d
Instruction ID: 449560be01590de708433225df97b198e2d847a415f7b9abd3597701b22ea76a
Opcode Fuzzy Hash: 930d632ee9cd3a27a28b9a9a160944e93e3a35f56720dd37eac98d9a6834c37d
Instruction Fuzzy Hash: 50513B35A40626AFCF15AF64C8499AFBBB6FF48310F144065EC56BB391CB70AE419F90

Function 005DEEEC Relevance: 9.2, APIs: 6, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005DEF06
VariantClear.OLEAUT32(00000013), ref: 005DEF78
VariantClear.OLEAUT32(00000000), ref: 005DEFD3
_memmove.LIBCMT ref: 005DEFFD
VariantClear.OLEAUT32(?), ref: 005DF04A
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 005DF078

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType_memmove
String ID:
API String ID: 1101466143-0
Opcode ID: 0687d2232427d3b6dc78f9128d5a0248621dd260b07a2995fee586fa3a6f7f58
Instruction ID: ab6ff0890c4f00dc8b42e1e57fdf9a90459ef8627e22d0fef3574b88b47ae9b4
Opcode Fuzzy Hash: 0687d2232427d3b6dc78f9128d5a0248621dd260b07a2995fee586fa3a6f7f58
Instruction Fuzzy Hash: 5E516D75A00209DFCB24DF58C884AAABBF9FF4C314B15856AED5ADB301E335E911CB90

Function 005E220A Relevance: 9.1, APIs: 6, Instructions: 138windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005E2258
GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 005E22A3
IsMenu.USER32(00000000), ref: 005E22C3
CreatePopupMenu.USER32 ref: 005E22F7
GetMenuItemCount.USER32(000000FF), ref: 005E2355
InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 005E2386

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Menu$Item$CountCreateInfoInsertPopup_memset
String ID:
API String ID: 3311875123-0
Opcode ID: d7d069479a1fbfdd5dd8b3d7eaec64cfcf1fb04b708af23ca89596a67717cd02
Instruction ID: 5414e6ec1bba3f407055fc631d1415dc3d88eec382be77da0d4cb788f107bdb8
Opcode Fuzzy Hash: d7d069479a1fbfdd5dd8b3d7eaec64cfcf1fb04b708af23ca89596a67717cd02
Instruction Fuzzy Hash: 1851C37050028ADFDF29CF69C888B9EBFF9BF49314F144929E89597298D3748944CF51

Function 00581765 Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00582612: GetWindowLongW.USER32(?,000000EB), ref: 00582623

BeginPaint.USER32(?,?,?,?,?,?), ref: 0058179A
GetWindowRect.USER32(?,?), ref: 005817FE
ScreenToClient.USER32(?,?), ref: 0058181B
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0058182C
EndPaint.USER32(?,?), ref: 00581876

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: PaintWindow$BeginClientLongRectScreenViewport
String ID:
API String ID: 1827037458-0
Opcode ID: 93b38f61f186ed9a30a9a9805d25295d5ae238ed31e88229630b08bddf5f7ad1
Instruction ID: bacdbd00eb1d91327b20e0164611c798f7ba4df43eca797dd539d39c545db521
Opcode Fuzzy Hash: 93b38f61f186ed9a30a9a9805d25295d5ae238ed31e88229630b08bddf5f7ad1
Instruction Fuzzy Hash: 6F41B030100B019FD710EF24CC89FAA7FEDFB46324F040628F9A5961A2CB719846DB61

Function 0060B69E Relevance: 9.1, APIs: 6, Instructions: 109windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(006457B0,00000000,00F24DC0,?,?,006457B0,?,0060B5A8,?,?), ref: 0060B712
EnableWindow.USER32(00000000,00000000), ref: 0060B736
ShowWindow.USER32(006457B0,00000000,00F24DC0,?,?,006457B0,?,0060B5A8,?,?), ref: 0060B796
ShowWindow.USER32(00000000,00000004,?,0060B5A8,?,?), ref: 0060B7A8
EnableWindow.USER32(00000000,00000001), ref: 0060B7CC
SendMessageW.USER32(?,0000130C,?,00000000), ref: 0060B7EF

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 09f8acd62ddf8727bec00afa9ff7896ed2e8e50e7c9755c575f9eed5b297d26c
Instruction ID: ebec1994487731056f3ec127771bb4162db14a9b15cb431f05068eb879436e6f
Opcode Fuzzy Hash: 09f8acd62ddf8727bec00afa9ff7896ed2e8e50e7c9755c575f9eed5b297d26c
Instruction Fuzzy Hash: 62419034680240AFDB2ACF24D499BD67BE2FB45710F1891B9E9488F6A3C731A846CB51

Function 005F709E Relevance: 9.1, APIs: 6, Instructions: 97COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,?,?,?,?,005F4E41,?,?,00000000,00000001), ref: 005F70AC

Part of subcall function 005F39A0: GetWindowRect.USER32(?,?), ref: 005F39B3

GetDesktopWindow.USER32 ref: 005F70D6
GetWindowRect.USER32(00000000), ref: 005F70DD
mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 005F710F

Part of subcall function 005E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005E52BC

GetCursorPos.USER32(?), ref: 005F713B
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 005F7199

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
String ID:
API String ID: 4137160315-0
Opcode ID: 70917dfa95e132d6d47705422e59f65f5e75419daa17a559408d6e3531785a7f
Instruction ID: 651740d90c9445361999975f7850f424ac9f303949324dd48e68cb652782a746
Opcode Fuzzy Hash: 70917dfa95e132d6d47705422e59f65f5e75419daa17a559408d6e3531785a7f
Instruction Fuzzy Hash: DD31D27250930AABD720DF14CC49FABBBAAFF88314F000919F58597191DA74EA09CB92

Function 005D8879 Relevance: 9.1, APIs: 6, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D80A9: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005D80C0
Part of subcall function 005D80A9: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005D80CA
Part of subcall function 005D80A9: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005D80D9
Part of subcall function 005D80A9: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005D80E0
Part of subcall function 005D80A9: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005D80F6

GetLengthSid.ADVAPI32(?,00000000,005D842F), ref: 005D88CA
GetProcessHeap.KERNEL32(00000008,00000000), ref: 005D88D6
HeapAlloc.KERNEL32(00000000), ref: 005D88DD
CopySid.ADVAPI32(00000000,00000000,?), ref: 005D88F6
GetProcessHeap.KERNEL32(00000000,00000000,005D842F), ref: 005D890A
HeapFree.KERNEL32(00000000), ref: 005D8911

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 3008561057-0
Opcode ID: 89315885e6c76253f1a562b04e75cf70dd6963e06c357d6a9202a44859665c9e
Instruction ID: 18137d04922f7ca22b6a53c1dddcb66670becffb31191a8fd796b6cd9c4bad9e
Opcode Fuzzy Hash: 89315885e6c76253f1a562b04e75cf70dd6963e06c357d6a9202a44859665c9e
Instruction Fuzzy Hash: B811AF71541209FFDB209FA8DC19BBF7B79FB44312F10446AF88597210CB32A940DB60

Function 005D85B1 Relevance: 9.1, APIs: 6, Instructions: 65processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005D85E2
OpenProcessToken.ADVAPI32(00000000), ref: 005D85E9
CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 005D85F8
CloseHandle.KERNEL32(00000004), ref: 005D8603
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005D8632
DestroyEnvironmentBlock.USERENV(00000000), ref: 005D8646

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
String ID:
API String ID: 1413079979-0
Opcode ID: 8abb04bd50a524b7baafb64639123e4522882a5f04482007d7f3b6cc5a2c7bf3
Instruction ID: 9f824fe7b2f2fd0d136c3e595de3f88645df1bc5233cfbba9122a6071c6bcc18
Opcode Fuzzy Hash: 8abb04bd50a524b7baafb64639123e4522882a5f04482007d7f3b6cc5a2c7bf3
Instruction Fuzzy Hash: 94114A72541209ABDF218FA8ED49BEB7BA9FB08714F044066FE05A2260C6729D60DB61

Function 005DB790 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 005DB7B5
GetDeviceCaps.GDI32(00000000,00000058), ref: 005DB7C6
GetDeviceCaps.GDI32(00000000,0000005A), ref: 005DB7CD
ReleaseDC.USER32(00000000,00000000), ref: 005DB7D5
MulDiv.KERNEL32(000009EC,?,00000000), ref: 005DB7EC
MulDiv.KERNEL32(000009EC,?,?), ref: 005DB7FE

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: d98a0680097f0a79539e63f15689f951dab8741c9a656bfca523abdedc4cb8e1
Instruction ID: 0a42d272131931d5c948fecf68da922df5130fe78454df51edaf5ab0ea69ddaa
Opcode Fuzzy Hash: d98a0680097f0a79539e63f15689f951dab8741c9a656bfca523abdedc4cb8e1
Instruction Fuzzy Hash: 310184B5E40209BBEB209BA69C49A5FBFB9EB48311F004076FA08A7391D6719C00CF90

Function 005A0162 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 005A0193
MapVirtualKeyW.USER32(00000010,00000000), ref: 005A019B
MapVirtualKeyW.USER32(000000A0,00000000), ref: 005A01A6
MapVirtualKeyW.USER32(000000A1,00000000), ref: 005A01B1
MapVirtualKeyW.USER32(00000011,00000000), ref: 005A01B9
MapVirtualKeyW.USER32(00000012,00000000), ref: 005A01C1

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 84f22b6baa3e4a6953c0cac03187b886ba5b9908c87a59efb33e1b1baefc88cc
Instruction ID: d141833be317f592fd7bdee8aa1b84498956a777a9de239f5dea944bf32c290c
Opcode Fuzzy Hash: 84f22b6baa3e4a6953c0cac03187b886ba5b9908c87a59efb33e1b1baefc88cc
Instruction Fuzzy Hash: 39016CB09417597DE3008F5A8C85B53FFA8FF19354F00411BA15C47941C7F5A864CBE5

Function 005E53E9 Relevance: 9.0, APIs: 6, Instructions: 43windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 005E53F9
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 005E540F
GetWindowThreadProcessId.USER32(?,?), ref: 005E541E
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005E542D
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005E5437
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 005E543E

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 740bc6f1dd77921803b177d7000f7bc9f81b38153e4594748e0eabaa6af96998
Instruction ID: 3accb38d13b23cbfec968e8e48ef7a7bace6e150c9a02b5ca7213a1ff3112cf6
Opcode Fuzzy Hash: 740bc6f1dd77921803b177d7000f7bc9f81b38153e4594748e0eabaa6af96998
Instruction Fuzzy Hash: 92F01D32281558BBE7315BA29C0DEAB7B7DEBC6B11F001169FA04D1491AAA11A0186B5

Function 005E7230 Relevance: 9.0, APIs: 6, Instructions: 33synchronizationthreadCOMMONLIBRARYCODE

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,?), ref: 005E7243
EnterCriticalSection.KERNEL32(?,?,00590EE4,?,?), ref: 005E7254
TerminateThread.KERNEL32(00000000,000001F6,?,00590EE4,?,?), ref: 005E7261
WaitForSingleObject.KERNEL32(00000000,000003E8,?,00590EE4,?,?), ref: 005E726E

Part of subcall function 005E6C35: CloseHandle.KERNEL32(00000000,?,005E727B,?,00590EE4,?,?), ref: 005E6C3F

InterlockedExchange.KERNEL32(?,000001F6), ref: 005E7281
LeaveCriticalSection.KERNEL32(?,?,00590EE4,?,?), ref: 005E7288

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: df9e7ef92a3cc0ea3fc984a6a1d4a558f5aac8fa20bd872577a6f038d74409db
Instruction ID: 0cb572bb860e884b79e0e14345e89c32ff4c8ca60a67953cc4b639ce55c95c11
Opcode Fuzzy Hash: df9e7ef92a3cc0ea3fc984a6a1d4a558f5aac8fa20bd872577a6f038d74409db
Instruction Fuzzy Hash: 70F0823A580712EBE7252BA4ED4C9DB7B3BFF49702B101571F643914A0CB765901CB50

Function 005D8992 Relevance: 9.0, APIs: 6, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 005D899D
UnloadUserProfile.USERENV(?,?), ref: 005D89A9
CloseHandle.KERNEL32(?), ref: 005D89B2
CloseHandle.KERNEL32(?), ref: 005D89BA
GetProcessHeap.KERNEL32(00000000,?), ref: 005D89C3
HeapFree.KERNEL32(00000000), ref: 005D89CA

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
String ID:
API String ID: 146765662-0
Opcode ID: 9e9c86d5dd891873d1f9822b98f92f2e87f4d1d7c2f2a68d7daa4302bc2ce802
Instruction ID: 24979cabf86b51a97edf8768af32de50137d37294257876b5b2cd6e7addbdf83
Opcode Fuzzy Hash: 9e9c86d5dd891873d1f9822b98f92f2e87f4d1d7c2f2a68d7daa4302bc2ce802
Instruction Fuzzy Hash: B1E0C236084201FBDB115FE1EC0C90ABB7AFB89722B10A230F21981870CB329460DB90

Function 005D7530 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 231COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00612C7C,?), ref: 005D76EA
CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00612C7C,?), ref: 005D7702
CLSIDFromProgID.OLE32(?,?,00000000,0060FB80,000000FF,?,00000000,00000800,00000000,?,00612C7C,?), ref: 005D7727
_memcmp.LIBCMT ref: 005D7748

Strings

,,a, xrefs: 005D753D

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID: ,,a
API String ID: 314563124-3448921334
Opcode ID: 89e86322cf6e6f9cb5b534aa4f7b2651d29a5326d6d30efa3b1e272bf6e6173f
Instruction ID: c79d39e4eed2f671a67a93968b890cd5fe2ca11ae33ec6840e9b5394153702b2
Opcode Fuzzy Hash: 89e86322cf6e6f9cb5b534aa4f7b2651d29a5326d6d30efa3b1e272bf6e6173f
Instruction Fuzzy Hash: 81814F75A00109EFCB14DFA8C984DEEBBB9FF89315F204559F505AB250EB71AE06CB60

Function 005F85ED Relevance: 9.0, APIs: 3, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005F8613
CharUpperBuffW.USER32(?,?), ref: 005F8722
VariantClear.OLEAUT32(?), ref: 005F889A

Part of subcall function 005E7562: VariantInit.OLEAUT32(00000000), ref: 005E75A2
Part of subcall function 005E7562: VariantCopy.OLEAUT32(00000000,?), ref: 005E75AB
Part of subcall function 005E7562: VariantClear.OLEAUT32(00000000), ref: 005E75B7

Strings

AUTOIT.ERROR, xrefs: 005F8728
Incorrect Parameter format, xrefs: 005F864B, 005F880D

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4237274167-1221869570
Opcode ID: fbb069cae081362a956b8b3a5ba81dc07bfc3ec9b5fb15a717da7b1228159601
Instruction ID: 19f2703f81a131f50b3a2511f71abe1ae79c268ed4ae7ba109719dc3ee6ce8b6
Opcode Fuzzy Hash: fbb069cae081362a956b8b3a5ba81dc07bfc3ec9b5fb15a717da7b1228159601
Instruction Fuzzy Hash: 839189706043069FC710EF24C48496ABBE4FFC9754F14892EF98A9B362DB31E905CB92

Function 005E2A96 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 195windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0059FC86: _wcscpy.LIBCMT ref: 0059FCA9

_memset.LIBCMT ref: 005E2B87
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005E2BB6
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 005E2C69
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 005E2C97

Strings

0, xrefs: 005E2B73

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ItemMenu$Info$Default_memset_wcscpy
String ID: 0
API String ID: 4152858687-4108050209
Opcode ID: fac26dc1e2a3f15f1ed31fb908feabcee7b865701792284f0ad81854e171950e
Instruction ID: dd0cdc7ee0edb76009d50e613c8331394270ca3e555f35aaa9f165d2d503aa25
Opcode Fuzzy Hash: fac26dc1e2a3f15f1ed31fb908feabcee7b865701792284f0ad81854e171950e
Instruction Fuzzy Hash: 0D51BF71518341ABD7289F2AC845A6FBFECBB99310F240A2DF8DAD2195DB70CC44D752

Function 00593137 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 00593277
_memmove.LIBCMT ref: 00593310
_free.LIBCMT ref: 00593336
_memmove.LIBCMT ref: 005933E9

Strings

3cY, xrefs: 00593225
_Y, xrefs: 00593322

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _memmove$_free
String ID: 3cY$_Y
API String ID: 2620147621-2284220399
Opcode ID: bb0bdbe0f24e50dc8f7eccc763683d1f576a3ad2dea8883debc726c46e5cd6a0
Instruction ID: 64db542df215bb37b0b7f0f8685bf8551aaca239b68bc5dd6f55efdb7fd334ce
Opcode Fuzzy Hash: bb0bdbe0f24e50dc8f7eccc763683d1f576a3ad2dea8883debc726c46e5cd6a0
Instruction Fuzzy Hash: 175148716043428FDB25CF28C885B6FBBE5BFC5314F45482DE98987261EB31E901CB82

Function 00596192 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 141COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 00596248
_memmove.LIBCMT ref: 005962E4
_memset.LIBCMT ref: 00596308

Strings

3cY, xrefs: 005962AF
ERCP, xrefs: 005961B3

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _memset$_memmove
String ID: 3cY$ERCP
API String ID: 2532777613-3090354839
Opcode ID: 765372824e1ca15e101e55247bed34c85aec2d0e51d4a076de4495c013fc5185
Instruction ID: 5d4387bd13a61a30516527a44840d900f158d3895080c9cfd8d850f5f3640eb6
Opcode Fuzzy Hash: 765372824e1ca15e101e55247bed34c85aec2d0e51d4a076de4495c013fc5185
Instruction Fuzzy Hash: CD519D71900706DBDF24DF69C945BAABBE5FF44304F20496FE44AC7281E770AA44CB91

Function 005E2753 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005E27C0
GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 005E27DC
DeleteMenu.USER32(?,00000007,00000000), ref: 005E2822
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00645890,00000000), ref: 005E286B

Strings

0, xrefs: 005E27B5

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Menu$Delete$InfoItem_memset
String ID: 0
API String ID: 1173514356-4108050209
Opcode ID: bc35d3229208e2465611a41a0f713d1dddc648ff5c6c5cedd780094fb7350653
Instruction ID: 37c239f52ca177195af9f3ff12f328246a0f749a9af83ec13f966d9ecaab8226
Opcode Fuzzy Hash: bc35d3229208e2465611a41a0f713d1dddc648ff5c6c5cedd780094fb7350653
Instruction Fuzzy Hash: EA417C702083829FD728DF26C844B1ABFE9FF89314F144A6DF9E597296D730A905CB52

Function 005FD7A5 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 101COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 005FD7C5

Part of subcall function 0058784B: _memmove.LIBCMT ref: 00587899

Strings

winapi, xrefs: 005FD836
none, xrefs: 005FD8A0
cdecl, xrefs: 005FD81C
stdcall, xrefs: 005FD847

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: BuffCharLower_memmove
String ID: cdecl$none$stdcall$winapi
API String ID: 3425801089-567219261
Opcode ID: 9131fbccd48be8302869bb5004263618ccb9da37a35d6595b1b92c67caf6c3ab
Instruction ID: ac0cd15cebb2b5450d956656a71d6d78c0ad18940b021d5eb39b97ce22d3f514
Opcode Fuzzy Hash: 9131fbccd48be8302869bb5004263618ccb9da37a35d6595b1b92c67caf6c3ab
Instruction Fuzzy Hash: 6A31CF7190421EABCF00EF54C8559FEBBB6FF45320F108629E825A76D1DB71AD05CB90

Function 005D8E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 94windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00587DE1: _memmove.LIBCMT ref: 00587E22

Part of subcall function 005DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 005DAABC

SendMessageW.USER32(?,00000188,00000000,00000000), ref: 005D8F14
SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 005D8F27
SendMessageW.USER32(?,00000189,?,00000000), ref: 005D8F57

Part of subcall function 00587BCC: _memmove.LIBCMT ref: 00587C06

Strings

ListBox, xrefs: 005D8ED3
ComboBox, xrefs: 005D8E9E

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend$_memmove$ClassName
String ID: ComboBox$ListBox
API String ID: 365058703-1403004172
Opcode ID: 6daa7dfeac0f9953dad31c6f7b03ae70e18aa62b08db408401e73dab80d8b2aa
Instruction ID: a749c9edd768d10a34dcbd9db59ba1683173364bd87414a503c84a1fba057d8e
Opcode Fuzzy Hash: 6daa7dfeac0f9953dad31c6f7b03ae70e18aa62b08db408401e73dab80d8b2aa
Instruction Fuzzy Hash: 8B21D57194410ABADB24ABA48C49DFF7F7AEF85320B14462BF811672E1DA354849D650

Function 005F182D Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 86networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005F184C
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005F1872
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 005F18A2
InternetCloseHandle.WININET(00000000), ref: 005F18E9

Part of subcall function 005F2483: GetLastError.KERNEL32(?,?,005F1817,00000000,00000000,00000001), ref: 005F2498
Part of subcall function 005F2483: SetEvent.KERNEL32(?,?,005F1817,00000000,00000000,00000001), ref: 005F24AD

Strings

, xrefs: 005F1893

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: e6b9a9591c4bc037ef58b0d5840ad8e6054ac8106d05907b076e646382f7502f
Instruction ID: 184f0108a0d740847e1a36af72f0cb75abefb505b8b3dc2d9d9fb816ba88dc85
Opcode Fuzzy Hash: e6b9a9591c4bc037ef58b0d5840ad8e6054ac8106d05907b076e646382f7502f
Instruction Fuzzy Hash: C621C2B150070CBFEB119F64DD89EBF7BEDFB88784F10412AF60596240EB688D0557A5

Function 006063E7 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 80windowlibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00581D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00581D73
Part of subcall function 00581D35: GetStockObject.GDI32(00000011), ref: 00581D87
Part of subcall function 00581D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00581D91

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00606461
LoadLibraryW.KERNEL32(?), ref: 00606468
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 0060647D
DestroyWindow.USER32(?), ref: 00606485

Strings

SysAnimate32, xrefs: 0060643C

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
String ID: SysAnimate32
API String ID: 4146253029-1011021900
Opcode ID: 53c0c37ff0b46a2e2431e6f1cf5584f89d1ab407038fe2ef0042d69df38b06c5
Instruction ID: d5a7064f95afd71c1bf1da0b8607f598d32284e33e7e3db8047d84404f195642
Opcode Fuzzy Hash: 53c0c37ff0b46a2e2431e6f1cf5584f89d1ab407038fe2ef0042d69df38b06c5
Instruction Fuzzy Hash: B4218E71180205AFEF144F64DC40EBB77EEEF59328F109629F910922E0D7719C6297A0

Function 005E6D9C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 005E6DBC
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005E6DEF
GetStdHandle.KERNEL32(0000000C), ref: 005E6E01
CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 005E6E3B

Strings

nul, xrefs: 005E6E36

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: 66e1d4427f781427b529dedf655836bcd4bbeecc1c90c9af9ed4d602e908ba04
Instruction ID: 425a19c1458da3730b85888bd487854f1c038ee067bc4883c4565b01195e764a
Opcode Fuzzy Hash: 66e1d4427f781427b529dedf655836bcd4bbeecc1c90c9af9ed4d602e908ba04
Instruction Fuzzy Hash: A92174B46002499BDB249F66DD05A9A7BA9FF647A0F204A19F8E0D72D0D77099508B50

Function 005E6E6A Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 79filepipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 005E6E89
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 005E6EBB
GetStdHandle.KERNEL32(000000F6), ref: 005E6ECC
CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 005E6F06

Strings

nul, xrefs: 005E6F01

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CreateHandle$FilePipe
String ID: nul
API String ID: 4209266947-2873401336
Opcode ID: dd6428b359626db8652725fd90cc9ab3afada8c3d92aff1eecd007ccbc398681
Instruction ID: 1d310da81d463d37ee08eab85a0fc78b602905cb273e0e395559f2cefe933992
Opcode Fuzzy Hash: dd6428b359626db8652725fd90cc9ab3afada8c3d92aff1eecd007ccbc398681
Instruction Fuzzy Hash: A52190795003469BDB249F6ADC04AAB7BA8BF657E0F200A59F8E0D72D0D770A9508B50

Function 005EAC40 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 005EAC54
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 005EACA8
__swprintf.LIBCMT ref: 005EACC1
SetErrorMode.KERNEL32(00000000,00000001,00000000,0060F910), ref: 005EACFF

Strings

%lu, xrefs: 005EACBB

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ErrorMode$InformationVolume__swprintf
String ID: %lu
API String ID: 3164766367-685833217
Opcode ID: 59cb3931e1383ceabfe8bc484b089d13bb4c96ea7f406f6e4e29fbe49ecb60c1
Instruction ID: f6cff4d9a12224b6d61a43ca9a237a9fde531e7848f29c4bacd0325341f5f468
Opcode Fuzzy Hash: 59cb3931e1383ceabfe8bc484b089d13bb4c96ea7f406f6e4e29fbe49ecb60c1
Instruction Fuzzy Hash: 2021A130A0010AAFCB10EF65C949DEF7BB8FF89314B0044A9F809AB251DA31EA45CB61

Function 005E1142 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,005DFCED,?,005E0D40,?,00008000), ref: 005E115F
Sleep.KERNEL32(00000000,?,?,?,?,?,?,005DFCED,?,005E0D40,?,00008000), ref: 005E1184
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,005DFCED,?,005E0D40,?,00008000), ref: 005E118E
Sleep.KERNEL32(?,?,?,?,?,?,?,005DFCED,?,005E0D40,?,00008000), ref: 005E11C1

Strings

@^, xrefs: 005E119D

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID: @^
API String ID: 2875609808-3064354412
Opcode ID: ab9d7526a0088da3e276a637d490d90f77a281ddb85d5cf14b4e43c27a7e43a5
Instruction ID: 2d673af9bb563e50b086425fe19a89e456dd2b6d3f993069b5391929c0070f79
Opcode Fuzzy Hash: ab9d7526a0088da3e276a637d490d90f77a281ddb85d5cf14b4e43c27a7e43a5
Instruction Fuzzy Hash: BB112A31D00A5DD7CF189FA6D848AEEBF78FF09751F004495EA81B2240CB709550CBE9

Function 005E1AE8 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 49COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 005E1B19

Strings

APPEND, xrefs: 005E1B52
KEYS, xrefs: 005E1B30
REMOVE, xrefs: 005E1B1F
EXISTS, xrefs: 005E1B41

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 3964851224-769500911
Opcode ID: 6efd6bfb36dcb26b1d7d5b6abefc81171d2faa27eec6396b2f385b9cd03058d5
Instruction ID: 87164906e711f066f578a936a0d363b3ac07b43f3566d7b6136bca18af5c54f3
Opcode Fuzzy Hash: 6efd6bfb36dcb26b1d7d5b6abefc81171d2faa27eec6396b2f385b9cd03058d5
Instruction Fuzzy Hash: D611C0319102598FCF04EFA4D8558FEBFB9FF66304F1484A8E895A7292EB325D06CB44

Function 005FEB55 Relevance: 7.7, APIs: 5, Instructions: 247COMMON

Download Yara Rule

APIs

OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 005FEC07
GetProcessIoCounters.KERNEL32(00000000,?), ref: 005FEC37
GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 005FED6A
CloseHandle.KERNEL32(?), ref: 005FEDEB

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Process$CloseCountersHandleInfoMemoryOpen
String ID:
API String ID: 2364364464-0
Opcode ID: 024669e238434f90eb0ecc08b88da4addea8c1d98212455cf99a9fe6ad2d4695
Instruction ID: 322927571d760c42059b4d72bde8d56cf67cd1cd31bd63fdbcbaae192e45ec03
Opcode Fuzzy Hash: 024669e238434f90eb0ecc08b88da4addea8c1d98212455cf99a9fe6ad2d4695
Instruction Fuzzy Hash: AC8141716043019FD760EF28C84AB3ABBE5BF84714F54881DF99AEB292D674AC418B91

Function 00600037 Relevance: 7.6, APIs: 5, Instructions: 144registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00587DE1: _memmove.LIBCMT ref: 00587E22

Part of subcall function 00600E1A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,005FFDAD,?,?), ref: 00600E31

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006000FD
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0060013C
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00600183
RegCloseKey.ADVAPI32(?,?), ref: 006001AF
RegCloseKey.ADVAPI32(00000000), ref: 006001BC

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
String ID:
API String ID: 3440857362-0
Opcode ID: 59972f099a964c084fdf0b77e7bc55d416b6aad42e79ea86a78135a2804b297c
Instruction ID: 74d7eed1f74ffb4402dc405605d09a2d57a2bbeba56a524dd12bc7c64992b0a8
Opcode Fuzzy Hash: 59972f099a964c084fdf0b77e7bc55d416b6aad42e79ea86a78135a2804b297c
Instruction Fuzzy Hash: 0B518C71208205AFD714EF58C885FABBBE9FF84314F44482DF89697291DB31E905CB52

Function 005FD8C8 Relevance: 7.6, APIs: 5, Instructions: 139libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00589837: __itow.LIBCMT ref: 00589862
Part of subcall function 00589837: __swprintf.LIBCMT ref: 005898AC

LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 005FD927
GetProcAddress.KERNEL32(00000000,?), ref: 005FD9AA
GetProcAddress.KERNEL32(00000000,00000000), ref: 005FD9C6
GetProcAddress.KERNEL32(00000000,?), ref: 005FDA07
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 005FDA21

Part of subcall function 00585A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,005E7896,?,?,00000000), ref: 00585A2C
Part of subcall function 00585A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,005E7896,?,?,00000000,?,?), ref: 00585A50

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
String ID:
API String ID: 327935632-0
Opcode ID: fceb5e0749d68835c818bc24ba3fdf51bae9ac758407f3635e83e725422d57a7
Instruction ID: 52b7f51e37452329b22c225ef9d2de784dc7c2afa60a5b1905e80cdb7681fb33
Opcode Fuzzy Hash: fceb5e0749d68835c818bc24ba3fdf51bae9ac758407f3635e83e725422d57a7
Instruction Fuzzy Hash: 49512835A0420ADFCB00EFA8C4889AEBBF5FF49310B148065ED55AB312DB35AD45CF91

Function 005EE571 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 005EE61F
GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 005EE648
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 005EE687

Part of subcall function 00589837: __itow.LIBCMT ref: 00589862
Part of subcall function 00589837: __swprintf.LIBCMT ref: 005898AC

WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 005EE6AC
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 005EE6B4

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
String ID:
API String ID: 1389676194-0
Opcode ID: 0f328bcd02200e3a6639799e7e0fb5fd7c90b802b1059dda559568c205c2b62b
Instruction ID: 4836b6213990bd7f0e0e7989b4a56c02d9fb73ac5161774c1c98d2f7e15dc9aa
Opcode Fuzzy Hash: 0f328bcd02200e3a6639799e7e0fb5fd7c90b802b1059dda559568c205c2b62b
Instruction Fuzzy Hash: E8511A35A00106DFCB05EF65C9859AEBBF5FF49314B1480A9E849AB361DB31ED11DF50

Function 0060A056 Relevance: 7.6, APIs: 5, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c98f79a9eca633019fa5c69c6643d8a05d3f2a968286c87be8bedd0de822aa30
Instruction ID: 4f75fce718ed6bbdcd51bff9f587ae7663796d024d68d55d73100d3b1155466e
Opcode Fuzzy Hash: c98f79a9eca633019fa5c69c6643d8a05d3f2a968286c87be8bedd0de822aa30
Instruction Fuzzy Hash: 1A41D735984314AFD728DFA8CC48FEBBBA6EB09390F1402A5F816A73E1C7709D41DA51

Function 00582344 Relevance: 7.6, APIs: 5, Instructions: 111keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00582357
ScreenToClient.USER32(006457B0,?), ref: 00582374
GetAsyncKeyState.USER32(00000001), ref: 00582399
GetAsyncKeyState.USER32(00000002), ref: 005823A7

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 0ac8ffb691973b6f908af46895b45012823ec51d168a76179e8de36b8283dc30
Instruction ID: 427e48b77dc693cdfc20c55ab8a088ee5921bdd98534e908d861d17711001240
Opcode Fuzzy Hash: 0ac8ffb691973b6f908af46895b45012823ec51d168a76179e8de36b8283dc30
Instruction Fuzzy Hash: CD418475604109FBDF29AF68CC48AEEBF75FB05360F204759F829A2190CB34A950DF91

Function 005D63AA Relevance: 7.6, APIs: 5, Instructions: 97windowCOMMON

Download Yara Rule

APIs

PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005D63E7
TranslateAcceleratorW.USER32(?,?,?), ref: 005D6433
TranslateMessage.USER32(?), ref: 005D645C
DispatchMessageW.USER32(?), ref: 005D6466
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005D6475

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Message$PeekTranslate$AcceleratorDispatch
String ID:
API String ID: 2108273632-0
Opcode ID: 0c022281a37b39ea585b2b912ef46a4dccc3c4b6194a4f2584ce8b9331ef1739
Instruction ID: 04ac5d47b9ed3744c73e8f6d6a6bf2a765e48b3b1e8f25cd7e638713be679d7f
Opcode Fuzzy Hash: 0c022281a37b39ea585b2b912ef46a4dccc3c4b6194a4f2584ce8b9331ef1739
Instruction Fuzzy Hash: 1131C431940646AFDF74CFB8CC84BB67FA9BB01310F141577E422C32A2E765984ADB61

Function 005D8A1F Relevance: 7.6, APIs: 5, Instructions: 89sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 005D8A30
PostMessageW.USER32(?,00000201,00000001), ref: 005D8ADA
Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 005D8AE2
PostMessageW.USER32(?,00000202,00000000), ref: 005D8AF0
Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 005D8AF8

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: 5fd18ceea31ccfe96f9ff4b1bd03f6f2e8521df73f5d7641e00820d24e9c8bb9
Instruction ID: b4ec78ff090a0a75b333b75748753e26da93f612e59a415fa189995654bdcefe
Opcode Fuzzy Hash: 5fd18ceea31ccfe96f9ff4b1bd03f6f2e8521df73f5d7641e00820d24e9c8bb9
Instruction Fuzzy Hash: 0A31B171500219EBDB24CF6CD94CAAE3BB5FB04325F10426BF925E62D0CBB09914DB90

Function 005DB1EC Relevance: 7.6, APIs: 5, Instructions: 88windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 005DB204
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 005DB221
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 005DB259
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 005DB27F
_wcsstr.LIBCMT ref: 005DB289

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
String ID:
API String ID: 3902887630-0
Opcode ID: 90578f411c60bb4e0a6f5066e4ecf2592cb914acaa2af6ae29621d9bcf4bc605
Instruction ID: 8a16db3788d94b7420bd797cdbdbffe7a79f56ba0628ee558d1ab276487ff0ab
Opcode Fuzzy Hash: 90578f411c60bb4e0a6f5066e4ecf2592cb914acaa2af6ae29621d9bcf4bc605
Instruction Fuzzy Hash: 5D212836204201BBFB359B799C09E7F7F9EEF8A710F01412BF804CA291EB61CC409260

Function 0060B14B Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 00582612: GetWindowLongW.USER32(?,000000EB), ref: 00582623

GetWindowLongW.USER32(?,000000F0), ref: 0060B192
SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0060B1B7
SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0060B1CF
GetSystemMetrics.USER32(00000004), ref: 0060B1F8
SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,005F0E90,00000000), ref: 0060B216

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Window$Long$MetricsSystem
String ID:
API String ID: 2294984445-0
Opcode ID: f23144d6aabd0d9fa9d8f02a1f7e21a31b1dff6c475e9536927ccdf2b7374cb5
Instruction ID: 1bba479e0ffb680068cc7235ded294094d19dadd8611832cdc0a80566927575a
Opcode Fuzzy Hash: f23144d6aabd0d9fa9d8f02a1f7e21a31b1dff6c475e9536927ccdf2b7374cb5
Instruction Fuzzy Hash: 9B219471590261AFCB249F38DC14AAB3BA6FB15721F149734FD32D72E1E73099118B90

Function 005D9307 Relevance: 7.6, APIs: 5, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005D9320

Part of subcall function 00587BCC: _memmove.LIBCMT ref: 00587C06

SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005D9352
__itow.LIBCMT ref: 005D936A
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005D9392
__itow.LIBCMT ref: 005D93A3

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend$__itow$_memmove
String ID:
API String ID: 2983881199-0
Opcode ID: aa66f2dc0fbe2dcb38491a26bd6a8512824d3269b4a316d15b2c3cfafdf4b1b0
Instruction ID: 800f1b81cb6a8fa0003d92fe798ccc79cf78ffcd8555470f5a0e9d2272863aa0
Opcode Fuzzy Hash: aa66f2dc0fbe2dcb38491a26bd6a8512824d3269b4a316d15b2c3cfafdf4b1b0
Instruction Fuzzy Hash: E521B031700209ABDB20AB688C89EAE7FA9FBC9710F144427FD05EB3D1D6B0CD419791

Function 005F5A4D Relevance: 7.6, APIs: 5, Instructions: 70COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 005F5A6E
GetForegroundWindow.USER32 ref: 005F5A85
GetDC.USER32(00000000), ref: 005F5AC1
GetPixel.GDI32(00000000,?,00000003), ref: 005F5ACD
ReleaseDC.USER32(00000000,00000003), ref: 005F5B08

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 42eb8fb454eacbe77ae6f8e85dbb192c30885dd0b09ccbb7e4534fb5f6ad34c9
Instruction ID: fadc5842626f5c266872e1cf3f321a67dfef8b30074216b59d99de362299da03
Opcode Fuzzy Hash: 42eb8fb454eacbe77ae6f8e85dbb192c30885dd0b09ccbb7e4534fb5f6ad34c9
Instruction Fuzzy Hash: 6021A135A00104AFDB14EF65DC88AAABBE5FF88311F148479F94997762DA75AC00CB90

Function 005812F3 Relevance: 7.6, APIs: 5, Instructions: 67COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0058134D
SelectObject.GDI32(?,00000000), ref: 0058135C
BeginPath.GDI32(?), ref: 00581373
SelectObject.GDI32(?,00000000), ref: 0058139C

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: c86d95fca0533c1b323f6c56b104928c131b70d3604b4009be99797f9bf40880
Instruction ID: 6dc3050cd1eafc3d6a38b4295b20f553d394905157192a41b8eb78f2bc4a9a2f
Opcode Fuzzy Hash: c86d95fca0533c1b323f6c56b104928c131b70d3604b4009be99797f9bf40880
Instruction Fuzzy Hash: 5121B034900B18EFDB10AF25DC047AA3FEAFB01321F145626F816A65B1DF709892CF94

Function 005E4A93 Relevance: 7.6, APIs: 5, Instructions: 56synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 005E4ABA
__beginthreadex.LIBCMT ref: 005E4AD8
MessageBoxW.USER32(?,?,?,?), ref: 005E4AED
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 005E4B03
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 005E4B0A

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
String ID:
API String ID: 3824534824-0
Opcode ID: f58fc114814b9c1d04618d08deebff86a7f7032f9ef0ddedfec44d9256584c68
Instruction ID: 1262007c603b46906f51644839d9d67108af69d00a7c92931e23ca3773a4a82d
Opcode Fuzzy Hash: f58fc114814b9c1d04618d08deebff86a7f7032f9ef0ddedfec44d9256584c68
Instruction Fuzzy Hash: D0110876904244BBCB149FA99C08A9B7FAEFB45320F144266F815D3351D6B1C9048BA0

Function 005D8202 Relevance: 7.5, APIs: 5, Instructions: 49memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 005D821E
GetLastError.KERNEL32(?,005D7CE2,?,?,?), ref: 005D8228
GetProcessHeap.KERNEL32(00000008,?,?,005D7CE2,?,?,?), ref: 005D8237
HeapAlloc.KERNEL32(00000000,?,005D7CE2,?,?,?), ref: 005D823E
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 005D8255

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocErrorLastProcess
String ID:
API String ID: 842720411-0
Opcode ID: dcbfaf72048d6c0cc7cf52f3473d74cd3cf6a945ae28f4e45ad8f082e51e1f3c
Instruction ID: 913545cbafb97f352fcfe227dd0dc5d9a0bccf6dd6477c18555cb4583f73158b
Opcode Fuzzy Hash: dcbfaf72048d6c0cc7cf52f3473d74cd3cf6a945ae28f4e45ad8f082e51e1f3c
Instruction Fuzzy Hash: 85016D75240204BFDB308FA9DC49D6B7FBEFF8A754B50046AF809C2220DA329C00CA60

Function 005D710A Relevance: 7.5, APIs: 5, Instructions: 48stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,005D7044,80070057,?,?,?,005D7455), ref: 005D7127
ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,005D7044,80070057,?,?), ref: 005D7142
lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,005D7044,80070057,?,?), ref: 005D7150
CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,005D7044,80070057,?), ref: 005D7160
CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,005D7044,80070057,?,?), ref: 005D716C

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: 014308c56bcb45ff049c3493330ac7392ade776d75828e767212c1cf574f154c
Instruction ID: 8574cec7e16b71ab384d2e68d9b37b602b224fea733a4286b5516fdd2496dfa1
Opcode Fuzzy Hash: 014308c56bcb45ff049c3493330ac7392ade776d75828e767212c1cf574f154c
Instruction Fuzzy Hash: 21017172601218ABDB214FA8DC44AAA7FBDFB48751F144166FD04D2310E731DD40D7A0

Function 005E5244 Relevance: 7.5, APIs: 5, Instructions: 48sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005E5260
QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 005E526E
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 005E5276
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 005E5280
Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005E52BC

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 84c567e998d85f819dfab9736eb34afeb88366a32f93f3d49b0e535482c1e23c
Instruction ID: a540123b5013149aa51a084304ff5d55bc2d9a146dd83f62be71bc01ad4bbde0
Opcode Fuzzy Hash: 84c567e998d85f819dfab9736eb34afeb88366a32f93f3d49b0e535482c1e23c
Instruction Fuzzy Hash: A5016935D01A1DDBCF14EFE5E848AEEBF79FB08315F400496EA81B2240DB3095508BA1

Function 005D810A Relevance: 7.5, APIs: 5, Instructions: 45memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005D8121
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 005D812B
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005D813A
HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 005D8141
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005D8157

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: HeapInformationToken$AllocErrorLastProcess
String ID:
API String ID: 44706859-0
Opcode ID: e21e6dae4a4c3bf6d4e41c948f354dfe0bc818e76619629c434c4e3c3764fcb0
Instruction ID: 8d9abce819d124daaa969325f13de880f380e00565a8813354bfecd8f26cd70e
Opcode Fuzzy Hash: e21e6dae4a4c3bf6d4e41c948f354dfe0bc818e76619629c434c4e3c3764fcb0
Instruction Fuzzy Hash: 22F06271240314AFEB310FA9EC89F773FADFF49754B000026F945C6250CB619D45DA60

Function 005DC1E3 Relevance: 7.5, APIs: 5, Instructions: 41windowtimeCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003E9), ref: 005DC1F7
GetWindowTextW.USER32(00000000,?,00000100), ref: 005DC20E
MessageBeep.USER32(00000000), ref: 005DC226
KillTimer.USER32(?,0000040A), ref: 005DC242
EndDialog.USER32(?,00000001), ref: 005DC25C

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: BeepDialogItemKillMessageTextTimerWindow
String ID:
API String ID: 3741023627-0
Opcode ID: 5c9c295eeee8729cc9d6fdd3c4f59c83c7a74bba15f9e79b42e56e4d50b315c5
Instruction ID: aa77f7ab1f464f59585014162403375a738b2e43fe7096aaa16e798d139d8f49
Opcode Fuzzy Hash: 5c9c295eeee8729cc9d6fdd3c4f59c83c7a74bba15f9e79b42e56e4d50b315c5
Instruction Fuzzy Hash: 0201A234494305ABEB315B64ED4EB977FB9BB00B06F04066BF582A19E0DBE1A944CB90

Function 005813B0 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 005813BF
StrokeAndFillPath.GDI32(?,?,005BB888,00000000,?), ref: 005813DB
SelectObject.GDI32(?,00000000), ref: 005813EE
DeleteObject.GDI32 ref: 00581401
StrokePath.GDI32(?), ref: 0058141C

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: ccc50cb3e813d242aeb5e4c542d16aba79bcf329f1fce7b265b86a7b6ca4fb07
Instruction ID: ddabb253d1a7bc9ec837564b4fa5878893003ebe022d89b962e4c42b4bab4197
Opcode Fuzzy Hash: ccc50cb3e813d242aeb5e4c542d16aba79bcf329f1fce7b265b86a7b6ca4fb07
Instruction Fuzzy Hash: 81F0E134054B18DFDB216F16EC4C7593FAAB702326F08E224E86B594F2CB314596DF54

Function 00592CFB Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 265COMMON

Download Yara Rule

APIs

Part of subcall function 005A0DB6: std::exception::exception.LIBCMT ref: 005A0DEC
Part of subcall function 005A0DB6: __CxxThrowException@8.LIBCMT ref: 005A0E01

Part of subcall function 00587DE1: _memmove.LIBCMT ref: 00587E22

Part of subcall function 00587A51: _memmove.LIBCMT ref: 00587AAB

__swprintf.LIBCMT ref: 00592ECD

Strings

\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00592D66

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
API String ID: 1943609520-557222456
Opcode ID: e9e1f08e43748bd4c1e2b7c2758e391362b48e17d3d758b8176dd5009e25609f
Instruction ID: 476969fca80c9fdca4f23bdada58dffd1dba7df5d1f9e1a580821aded151e30f
Opcode Fuzzy Hash: e9e1f08e43748bd4c1e2b7c2758e391362b48e17d3d758b8176dd5009e25609f
Instruction Fuzzy Hash: 0D913D71118206AFCB14FF64C889D7EBFA8FF85714F14491DF855AB2A1EA20EE44CB52

Function 005EB93B Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 261comCOMMON

Download Yara Rule

APIs

Part of subcall function 00584750: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00584743,?,?,005837AE,?), ref: 00584770

CoInitialize.OLE32(00000000), ref: 005EB9BB
CoCreateInstance.OLE32(00612D6C,00000000,00000001,00612BDC,?), ref: 005EB9D4
CoUninitialize.OLE32 ref: 005EB9F1

Part of subcall function 00589837: __itow.LIBCMT ref: 00589862
Part of subcall function 00589837: __swprintf.LIBCMT ref: 005898AC

Strings

.lnk, xrefs: 005EB99D, 005EB9AB

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
String ID: .lnk
API String ID: 2126378814-24824748
Opcode ID: 35f2928598f3aaf0fbd142ae87d31eca44a772628bd3ab3eb28147587bd9cdf4
Instruction ID: 63ca0405b2e81122bb9e8a243465c71335936f39947c0a3ace6cf22293da6cb0
Opcode Fuzzy Hash: 35f2928598f3aaf0fbd142ae87d31eca44a772628bd3ab3eb28147587bd9cdf4
Instruction Fuzzy Hash: 34A179756043429FCB04EF15C884D6ABBE5FF89314F148998F89A9B361CB31EC45CB91

Function 005DB2F3 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 241comCOMMON

Download Yara Rule

APIs

OleSetContainedObject.OLE32(?,00000001), ref: 005DB4BE

Strings

AutoIt3GUI, xrefs: 005DB436
%a, xrefs: 005DB561
Container, xrefs: 005DB43B

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ContainedObject
String ID: AutoIt3GUI$Container$%a
API String ID: 3565006973-3369376152
Opcode ID: 4e343f454ffdb2e369c5d083a49ff73b2b6b90c87a3d7813654da7076d30d47f
Instruction ID: 349f7afa77fd54ab5c675d89df1b2550bb863c5ad35308545d0808b6075a7c58
Opcode Fuzzy Hash: 4e343f454ffdb2e369c5d083a49ff73b2b6b90c87a3d7813654da7076d30d47f
Instruction Fuzzy Hash: 5C913A70600601EFEB24DF68C884A6ABBF6FF49710F15856EE946CB391EB71E841CB50

Function 005A501D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 180COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 005A50AD

Part of subcall function 005B00F0: __87except.LIBCMT ref: 005B012B

Strings

pow, xrefs: 005A5085, 005A50A2

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 6f2707356288af193c79da8b13b41d09ad66afe85e1fff845716d674db5beef4
Instruction ID: 95a95805760a0aedc052858ec68ef1aad1e647e5ac4cd97cff4c03d554c27177
Opcode Fuzzy Hash: 6f2707356288af193c79da8b13b41d09ad66afe85e1fff845716d674db5beef4
Instruction Fuzzy Hash: 1751792590860286DB15B728CC09BFF6F95BB42700F249D59E4D6862E9FF349DC8DAC2

Function 005C8584 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 148COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 005C862B
_memmove.LIBCMT ref: 005C8685

Strings

3cY, xrefs: 005C860C
_Y, xrefs: 005C86FF, 005CDFDC, 005CDFF8

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _memmove
String ID: 3cY$_Y
API String ID: 4104443479-2284220399
Opcode ID: f80e7eec4bd7bab892e5149f52509267c4693e75425eb20f5ea22b083cf96a37
Instruction ID: b2787756bec5b03593ac792b1d6cf37d4c182fff8b0b18f1b9d2fcbaed944e2f
Opcode Fuzzy Hash: f80e7eec4bd7bab892e5149f52509267c4693e75425eb20f5ea22b083cf96a37
Instruction Fuzzy Hash: 4E510970A006199FCF64CFA8C884ABEBBB1FF45314F14852DE85AD7250EB31A996CF51

Function 005D97F5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 122windowCOMMON

Download Yara Rule

APIs

Part of subcall function 005E14BC: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005D9296,?,?,00000034,00000800,?,00000034), ref: 005E14E6

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 005D983F

Part of subcall function 005E1487: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005D92C5,?,?,00000800,?,00001073,00000000,?,?), ref: 005E14B1

Part of subcall function 005E13DE: GetWindowThreadProcessId.USER32(?,?), ref: 005E1409
Part of subcall function 005E13DE: OpenProcess.KERNEL32(00000438,00000000,?,?,?,005D925A,00000034,?,?,00001004,00000000,00000000), ref: 005E1419
Part of subcall function 005E13DE: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,005D925A,00000034,?,?,00001004,00000000,00000000), ref: 005E142F

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005D98AC
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005D98F9

Strings

@, xrefs: 005D9911

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: fe7635c9cc35e22e14cde3e13e036bafddf34135da34bd091742327e73af1f4a
Instruction ID: 5a0f61958d02161de636134a1504f9d62ae853fe28ce51245b19f3e384871dcf
Opcode Fuzzy Hash: fe7635c9cc35e22e14cde3e13e036bafddf34135da34bd091742327e73af1f4a
Instruction Fuzzy Hash: E1415076900119AFCF24DFA4CD45EDEBBB8FB49700F00419AF945B7291DA716E45CBA0

Function 00607946 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0060F910,00000000,?,?,?,?), ref: 006079DF
GetWindowLongW.USER32 ref: 006079FC
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00607A0C

Strings

SysTreeView32, xrefs: 006079B1

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: 2efd3d6caee5ab560426a0d5b356b833549fcd820cb060c0f702233c5c4fa181
Instruction ID: 925e08e89cb1eb82d907b92bac9377060f398691af5bb0293226b25b41221554
Opcode Fuzzy Hash: 2efd3d6caee5ab560426a0d5b356b833549fcd820cb060c0f702233c5c4fa181
Instruction Fuzzy Hash: 9131DE31684606AFDB259F38CC45BEB7BAAFB45324F208725F875A22E0D731E9518B50

Function 006073D9 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00607461
SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00607475
SendMessageW.USER32(?,00001002,00000000,?), ref: 00607499

Strings

SysMonthCal32, xrefs: 0060742C

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend$Window
String ID: SysMonthCal32
API String ID: 2326795674-1439706946
Opcode ID: fe037679b600609882a2fe0a3d2e37cbe0cdbab1b14d0c6a51e705778f1a38cb
Instruction ID: a650f53900bf9d1a529579233edcd136d415ec7cc9a3826a1aa0fa7d964d20f0
Opcode Fuzzy Hash: fe037679b600609882a2fe0a3d2e37cbe0cdbab1b14d0c6a51e705778f1a38cb
Instruction Fuzzy Hash: 58219F32540219ABDF258F64CC46FEB3BAAFB48724F110214FE556B1D0DAB5BC51DBA0

Function 00607B93 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00607C4A
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00607C58
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00607C5F

Strings

msctls_updown32, xrefs: 00607BC4

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: c16b2bf619f42db1145d003c0c43b4ab91a5243c6ec0f99e4c94f9affb3c1e7d
Instruction ID: df9b2ee6fd05cd6ec5779019dc4725c70c62b68638a048a6063f01f864086fcd
Opcode Fuzzy Hash: c16b2bf619f42db1145d003c0c43b4ab91a5243c6ec0f99e4c94f9affb3c1e7d
Instruction Fuzzy Hash: 3A217CB5644209AFEB14DF28DCC1DA73BEEEB4A354B140059FA019B3A1CB71EC518BA0

Function 00606CB0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00606D3B
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00606D4B
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00606D70

Strings

Listbox, xrefs: 00606D08

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: db6161df473384e95d3766fc190431301969109d4d4df6abca48487cfa76f95a
Instruction ID: a53355020c56bca753d5b4eb3752caf1cb4a216b51083111d1d133d1cc555e3d
Opcode Fuzzy Hash: db6161df473384e95d3766fc190431301969109d4d4df6abca48487cfa76f95a
Instruction Fuzzy Hash: 96218032690118BFEF158F54DC45FEB3BABEF89760F018128F9459B2E0C6719C619BA0

Function 005F39E9 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 84COMMON

Download Yara Rule

APIs

__snwprintf.LIBCMT ref: 005F3A66

Part of subcall function 00587DE1: _memmove.LIBCMT ref: 00587E22

Strings

%a, xrefs: 005F39F4
AUTOITCALLVARIABLE%d, xrefs: 005F3A58
, $, xrefs: 005F3AA6

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: __snwprintf_memmove
String ID: , $$AUTOITCALLVARIABLE%d$%a
API String ID: 3506404897-3928141158
Opcode ID: b200a334952ec126bdc13b849d04d9db0fcbf720f3ca9cad775c7a865a0ea846
Instruction ID: 596222bd7b0c3cbbfa99703a6107cd4b49c19b71422109f0cc15c9eab1c4a259
Opcode Fuzzy Hash: b200a334952ec126bdc13b849d04d9db0fcbf720f3ca9cad775c7a865a0ea846
Instruction Fuzzy Hash: 5321307160021EAECF10EF65CC85AAE7FA5BF88700F544455F945B7182DB34EA45CBA1

Function 0060770E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 66windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00607772
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00607787
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00607794

Strings

msctls_trackbar32, xrefs: 00607749

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: bdf9d82b82dd1342b8146d542926284c6addc5bd0bbf8d858e73d0789b057fab
Instruction ID: f553dbea060ea5f35c3384665021da910d6c6d4bb6ec6e7216c14a687aadf3ff
Opcode Fuzzy Hash: bdf9d82b82dd1342b8146d542926284c6addc5bd0bbf8d858e73d0789b057fab
Instruction Fuzzy Hash: BF11E772684209BBEF245F65CC05FD7776AEF89B54F114128FA41A61D0D672E811CB20

Function 005A6B71 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 005A6B93
__calloc_crt.LIBCMT ref: 005A6BAC

Strings

@Bd, xrefs: 005A6BC3
c, xrefs: 005A6BD1

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: __calloc_crt
String ID: c$@Bd
API String ID: 3494438863-1202302672
Opcode ID: 7d2d10171700224a3cde6f9eee6477aae0b1ee466a11bb241df3a896c0046191
Instruction ID: d572f263c6c4b64996a4e38d6b66d37e2b5ed9bb33be87ce7583cc04eb1a7f14
Opcode Fuzzy Hash: 7d2d10171700224a3cde6f9eee6477aae0b1ee466a11bb241df3a896c0046191
Instruction Fuzzy Hash: 42F06875204A168BF7648F54BC51B6B2F96F747734F540417E101CE192EBB0894147E4

Function 005A9B79 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 005A9B94

Part of subcall function 005A9C0B: __mtinitlocknum.LIBCMT ref: 005A9C1D
Part of subcall function 005A9C0B: EnterCriticalSection.KERNEL32(00000000,?,005A9A7C,0000000D), ref: 005A9C36

__updatetlocinfoEx_nolock.LIBCMT ref: 005A9BA4

Part of subcall function 005A9100: ___addlocaleref.LIBCMT ref: 005A911C
Part of subcall function 005A9100: ___removelocaleref.LIBCMT ref: 005A9127
Part of subcall function 005A9100: ___freetlocinfo.LIBCMT ref: 005A913B

Strings

8c, xrefs: 005A9B85
8c, xrefs: 005A9B8A, 005A9B9F, 005A9BAB

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CriticalEnterEx_nolockSection___addlocaleref___freetlocinfo___removelocaleref__lock__mtinitlocknum__updatetlocinfo
String ID: 8c$8c
API String ID: 547918592-2534763320
Opcode ID: fe479de118b5a7850d2c62875687f8fe61c405c1cd1064731ca87f1ded3b0826
Instruction ID: c0317997a297ea0e13082e8b96cf839522fd54f6c24ef77010c6e5376d0a321f
Opcode Fuzzy Hash: fe479de118b5a7850d2c62875687f8fe61c405c1cd1064731ca87f1ded3b0826
Instruction Fuzzy Hash: DFE08C31947326ABEB11BBA46E0BB5DBE61BB82B31F20115AF047550C2CDB1480086B7

Function 00584C03 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00584BD0,?,00584DEF,?,006452F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00584C11
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00584C23

Strings

kernel32.dll, xrefs: 00584C0C
Wow64DisableWow64FsRedirection, xrefs: 00584C1D

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 2574300362-3689287502
Opcode ID: 2a1bc0bade6b3dd9db3a36bcfdda8a0fd8c123f4d4d1a7511d9709c6df07c5c2
Instruction ID: f49e02da10ecc217e037c2effa2593101bc37952662c5234b670dd8d41981c39
Opcode Fuzzy Hash: 2a1bc0bade6b3dd9db3a36bcfdda8a0fd8c123f4d4d1a7511d9709c6df07c5c2
Instruction Fuzzy Hash: 38D01231551723CFD730AF71D908607BADAFF09351B118C799886D7550E7B0D880CB50

Function 00584C36 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,00584B83,?), ref: 00584C44
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00584C56

Strings

Wow64RevertWow64FsRedirection, xrefs: 00584C50
kernel32.dll, xrefs: 00584C3F

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 2574300362-1355242751
Opcode ID: ceb314310e25acce58deacce5c3fa1a7438fce4f8dbb8a8184e3c1d69159be1c
Instruction ID: 40e3a61251dfa715804f217adf05a7641cafe4f61bf960b160bff170bfa85c67
Opcode Fuzzy Hash: ceb314310e25acce58deacce5c3fa1a7438fce4f8dbb8a8184e3c1d69159be1c
Instruction Fuzzy Hash: 1CD01771550713CFD734AF31D90860B7AEABF05351B12887A9896E69A0EB70D880CB90

Function 00600DE7 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll,?,00601039), ref: 00600DF5
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00600E07

Strings

advapi32.dll, xrefs: 00600DF0
RegDeleteKeyExW, xrefs: 00600E01

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2574300362-4033151799
Opcode ID: 805ffc4c629abd502d3ac12c47bf92e367e8888134472780a4307d32bf5cd40a
Instruction ID: 8727f98948f0a821c35b0dc3770ecb9d1757e25e8408b2275494a8faa831960a
Opcode Fuzzy Hash: 805ffc4c629abd502d3ac12c47bf92e367e8888134472780a4307d32bf5cd40a
Instruction Fuzzy Hash: C4D01770590722CFE7219F75C8087C776E7AF04362F129C7E9486E2690EAB0D8D0CAA0

Function 005F90E0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,00000001,005F8CF4,?,0060F910), ref: 005F90EE
GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 005F9100

Strings

kernel32.dll, xrefs: 005F90E9
GetModuleHandleExW, xrefs: 005F90FA

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: GetModuleHandleExW$kernel32.dll
API String ID: 2574300362-199464113
Opcode ID: 185c215a737570c7ecbb2b766828ff693f8651def84dd5f4bd4afedde2ee0607
Instruction ID: 0d2609cae980e61322e2c4c81c65cd78336424f439daf956d41d721b7f38e2ad
Opcode Fuzzy Hash: 185c215a737570c7ecbb2b766828ff693f8651def84dd5f4bd4afedde2ee0607
Instruction Fuzzy Hash: E6D01734590B13CFDB309F31D818A577AE6BF05391B12887EA686D79A0EB74C880CA90

Function 005C1714 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 005C1718
__swprintf.LIBCMT ref: 005C1749

Strings

WIN_XPe, xrefs: 005C1788
%.3d, xrefs: 005C1723

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: LocalTime__swprintf
String ID: %.3d$WIN_XPe
API String ID: 2070861257-2409531811
Opcode ID: 1fe10878c5bd0db9fa0ef5a334889de91ade550f43a6e8fe0e7b43a19787d1f7
Instruction ID: 868aeb0ce9feaf6694dc4b84a0c3550ce90bd9255ed827467382056bb5a991a2
Opcode Fuzzy Hash: 1fe10878c5bd0db9fa0ef5a334889de91ade550f43a6e8fe0e7b43a19787d1f7
Instruction Fuzzy Hash: B1D01271844509EECB1197D09888DB97FBCF70A301F140866B402A2041E231D754EA65

Function 005D717D Relevance: 6.3, APIs: 4, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 005d552fa7868e675983c44b53b337e0581d970ae8c0660fad21ca9d409d2e3d
Instruction ID: 8dbc374746079d658ddfafd6a985f6f78c8152de4eebcab9768456ab43654802
Opcode Fuzzy Hash: 005d552fa7868e675983c44b53b337e0581d970ae8c0660fad21ca9d409d2e3d
Instruction Fuzzy Hash: F6C15175A0421AEFCB24CF98C884EAEBBB5FF48714B15499AE805DB351E730DD41DB90

Function 005FE02A Relevance: 6.3, APIs: 4, Instructions: 307memoryCOMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?), ref: 005FE0BE
CharLowerBuffW.USER32(?,?), ref: 005FE101

Part of subcall function 005FD7A5: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 005FD7C5

VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 005FE301
_memmove.LIBCMT ref: 005FE314

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: BuffCharLower$AllocVirtual_memmove
String ID:
API String ID: 3659485706-0
Opcode ID: 3b902dad57b2634200e30bdb75333222b46336479afe5ff2621328742de1e709
Instruction ID: 292791cb3b51a535835c7f01da16aca3a3d9c03977fc7c1e10c9d96f248eabe6
Opcode Fuzzy Hash: 3b902dad57b2634200e30bdb75333222b46336479afe5ff2621328742de1e709
Instruction Fuzzy Hash: 2AC187716083068FC704DF28C485A2ABBE4FF89714F04896EF9999B361D735E946CF82

Function 005F8093 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 005F80C3
CoUninitialize.OLE32 ref: 005F80CE

Part of subcall function 005DD56C: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 005DD5D4

VariantInit.OLEAUT32(?), ref: 005F80D9
VariantClear.OLEAUT32(?), ref: 005F83AA

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
String ID:
API String ID: 780911581-0
Opcode ID: 37d1fcfd6f763cbfaca211b8d81770bb4088e25d60d64d38f6cc0d289e37f07b
Instruction ID: c126246d4cc55079b54d53d183c9dc0163e98fbf3cf17a989952d103b467bbf7
Opcode Fuzzy Hash: 37d1fcfd6f763cbfaca211b8d81770bb4088e25d60d64d38f6cc0d289e37f07b
Instruction Fuzzy Hash: 11A14A756047069FCB10EF54C885B3ABBE4BF89714F184859FA96AB3A1CB34ED05CB81

Function 005D687D Relevance: 6.2, APIs: 4, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005D688E
SysAllocString.OLEAUT32(00000000), ref: 005D6937
VariantCopy.OLEAUT32 ref: 005D6966
VariantClear.OLEAUT32(?), ref: 005D698D

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Variant$AllocClearCopyInitString
String ID:
API String ID: 2808897238-0
Opcode ID: 8feaa01989f0206e0d22127e3f917f87f23097bd2a027cb4559d47e95df8b7c6
Instruction ID: 616f1ae6774c1ed767001437911d843a38f164e5591ebd8eec52bcb10da30001
Opcode Fuzzy Hash: 8feaa01989f0206e0d22127e3f917f87f23097bd2a027cb4559d47e95df8b7c6
Instruction Fuzzy Hash: 11519374604302DADB34EF69D89563ABBE5BF85310F24981FE5D6EB392DA70D8828701

Function 006097F4 Relevance: 6.1, APIs: 4, Instructions: 140COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00F2E600,?), ref: 00609863
ScreenToClient.USER32(00000002,00000002), ref: 00609896
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00609903

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 13d97d1544cadf179d1c7877a6e2cae6078a6a71b15e287d2a1db389644dc732
Instruction ID: bcdade8ef0485d9f85aac2c2c05419cbe9b4b0cc176ae0fc7e8cd4cdca5f433e
Opcode Fuzzy Hash: 13d97d1544cadf179d1c7877a6e2cae6078a6a71b15e287d2a1db389644dc732
Instruction Fuzzy Hash: DB512C34A40209AFCB18DF54C884AEE7BB7FB46360F148559F8659B3A1D731AD41CBA0

Function 005D9A80 Relevance: 6.1, APIs: 4, Instructions: 129windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 005D9AD2
__itow.LIBCMT ref: 005D9B03

Part of subcall function 005D9D53: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 005D9DBE

SendMessageW.USER32(?,0000110A,00000001,?), ref: 005D9B6C
__itow.LIBCMT ref: 005D9BC3

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend$__itow
String ID:
API String ID: 3379773720-0
Opcode ID: d9ab782fc998e503404130da62fd2624de76a32ccae9447d9c375935970e1ad2
Instruction ID: 5c0e940f2d5bb15a86ab07db0a02c6362cb3fb67be602c2a95ea9f11662fd087
Opcode Fuzzy Hash: d9ab782fc998e503404130da62fd2624de76a32ccae9447d9c375935970e1ad2
Instruction Fuzzy Hash: 1B412E74A04209ABDF21EF54D849BEE7FA9FF89714F10005BF905A7391DB709944CB91

Function 005F69AA Relevance: 6.1, APIs: 4, Instructions: 127networkCOMMON

Download Yara Rule

APIs

socket.WSOCK32(00000002,00000002,00000011), ref: 005F69D1
WSAGetLastError.WSOCK32(00000000), ref: 005F69E1

Part of subcall function 00589837: __itow.LIBCMT ref: 00589862
Part of subcall function 00589837: __swprintf.LIBCMT ref: 005898AC

#21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 005F6A45
WSAGetLastError.WSOCK32(00000000), ref: 005F6A51

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ErrorLast$__itow__swprintfsocket
String ID:
API String ID: 2214342067-0
Opcode ID: 80f34e720d6faa61655a4c9e643921e02a320e45e74fdf2dc481985c77d99488
Instruction ID: acd683d4ca943c44dd64875df9acdb23be0f4aff9a5e72cb55a3f2916f60c888
Opcode Fuzzy Hash: 80f34e720d6faa61655a4c9e643921e02a320e45e74fdf2dc481985c77d99488
Instruction Fuzzy Hash: 28419475640201AFEB60BF24DC8AF3A7BA4EB44714F448418FE59AF3C2DA749D008B91

Function 005F641A Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

#16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0060F910), ref: 005F64A7
_strlen.LIBCMT ref: 005F64D9

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _strlen
String ID:
API String ID: 4218353326-0
Opcode ID: 77d99afb8d897f1ab5b401e2561d2549cd6669dcb49731ba48244ef0b7f78d00
Instruction ID: b04f3e19d8e63131629d9a6e94d899c14899cca30ace24427d16e79dba68f588
Opcode Fuzzy Hash: 77d99afb8d897f1ab5b401e2561d2549cd6669dcb49731ba48244ef0b7f78d00
Instruction Fuzzy Hash: C041A831500109ABCB14FB68DC89EBEBFB9BF84314F548155F915A7292EB34AD04C750

Function 005EB7F4 Relevance: 6.1, APIs: 4, Instructions: 111fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 005EB89E
GetLastError.KERNEL32(?,00000000), ref: 005EB8C4
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 005EB8E9
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 005EB915

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: f72c119726a7dcc82953e24fad6df2d25c3f467fd3168ad964a39d5678dd136a
Instruction ID: e7aa1233720d786b820b1eead8ad3787bd592699e7f74402080bb6e8e740d90b
Opcode Fuzzy Hash: f72c119726a7dcc82953e24fad6df2d25c3f467fd3168ad964a39d5678dd136a
Instruction Fuzzy Hash: EE411A35600652DFCB14EF15C488A6ABBE1BF89314F098098ED4AAB762CB30FD01DF91

Function 00608851 Relevance: 6.1, APIs: 4, Instructions: 109COMMON

Download Yara Rule

APIs

InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 006088DE

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: InvalidateRect
String ID:
API String ID: 634782764-0
Opcode ID: 26206dcd671cb44cfbf1608d1d60827b3d7ddab5cf18a407a5890d3be1d0d9ca
Instruction ID: c394bd92858d703d2413a0efb84ea1cc5bea7cc968c25daea04f0eaf5d0da556
Opcode Fuzzy Hash: 26206dcd671cb44cfbf1608d1d60827b3d7ddab5cf18a407a5890d3be1d0d9ca
Instruction Fuzzy Hash: 62319234680118AFEB28EB58CC45BFA7BA7EB06310F544112F995E73E1CE71D9409B96

Function 0060AB37 Relevance: 6.1, APIs: 4, Instructions: 106windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0060AB60
GetWindowRect.USER32(?,?), ref: 0060ABD6
PtInRect.USER32(?,?,0060C014), ref: 0060ABE6
MessageBeep.USER32(00000000), ref: 0060AC57

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: ee730604aa5f8761ac424876fc2ef6c905810834f2d232562a168183230f9bcc
Instruction ID: 1017ccf98e8bc927b80262da8c39ac82cbeb712aa07c69c81ca62dfb0492aea9
Opcode Fuzzy Hash: ee730604aa5f8761ac424876fc2ef6c905810834f2d232562a168183230f9bcc
Instruction Fuzzy Hash: 3341A234640218DFDB15DF98C884BAA7BF7FB49380F1990A9E4159B3A1D730E841CB52

Function 005E0AD6 Relevance: 6.1, APIs: 4, Instructions: 105keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000000,?,00000001), ref: 005E0B27
SetKeyboardState.USER32(00000080,?,00000001), ref: 005E0B43
PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 005E0BA9
SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 005E0BFB

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 2cd75c3e09d8ed549c819197ce72eedab650246193539204831f4ddac47fcf1d
Instruction ID: 5fe205a82f913a9b6a5987b8d1b14c5d3c2e72b4d78704610de2f0710f7c4c90
Opcode Fuzzy Hash: 2cd75c3e09d8ed549c819197ce72eedab650246193539204831f4ddac47fcf1d
Instruction Fuzzy Hash: 043128309402986AEF398B268C09BFEBFAEBB55314F48525AE4C5511D1C3F589C49751

Function 005E0C11 Relevance: 6.1, APIs: 4, Instructions: 101keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 005E0C66
SetKeyboardState.USER32(00000080,?,00008000), ref: 005E0C82
PostMessageW.USER32(00000000,00000101,00000000), ref: 005E0CE1
SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 005E0D33

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: c1ca5d3278cb2b54efaf289ae019511eb5e519fe29362a2f436e351bd3dd61d3
Instruction ID: 65226ed3b1e3e95bb52ba573df142120509e821c16bf4b7c1ef4dc4a8217056e
Opcode Fuzzy Hash: c1ca5d3278cb2b54efaf289ae019511eb5e519fe29362a2f436e351bd3dd61d3
Instruction Fuzzy Hash: B53157309402886EFF388B6A8C097BEFF66BB45310F14671BE4C9521D1C3B99DC58752

Function 005B61C5 Relevance: 6.1, APIs: 4, Instructions: 97COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 005B61FB
__isleadbyte_l.LIBCMT ref: 005B6229
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 005B6257
MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 005B628D

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 33ca2fd720907a8830cb571ea9889d4f5a6c56587006330660fa7c2d4c9b3806
Instruction ID: 5c54897b07851aefa3f94f824a4c4518bcfa5ce5288d4fe1617e1bae6d137ad9
Opcode Fuzzy Hash: 33ca2fd720907a8830cb571ea9889d4f5a6c56587006330660fa7c2d4c9b3806
Instruction Fuzzy Hash: B831D035600246AFEF218F68CC48BFABFA9FF42310F154428E824971A1E734E950DB90

Function 00604EEE Relevance: 6.1, APIs: 4, Instructions: 95COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 00604F02

Part of subcall function 005E3641: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 005E365B
Part of subcall function 005E3641: GetCurrentThreadId.KERNEL32 ref: 005E3662
Part of subcall function 005E3641: AttachThreadInput.USER32(00000000,?,005E5005), ref: 005E3669

GetCaretPos.USER32(?), ref: 00604F13
ClientToScreen.USER32(00000000,?), ref: 00604F4E
GetForegroundWindow.USER32 ref: 00604F54

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 183d167531602738a5f4b2601fa017a74cad2c51f414fac23016fe1878a73663
Instruction ID: 62829fa3bf1f8844b49742e6e3f6ce1e2b1f7edc1f7ebb728f846537019d73d8
Opcode Fuzzy Hash: 183d167531602738a5f4b2601fa017a74cad2c51f414fac23016fe1878a73663
Instruction Fuzzy Hash: DD312C71D00109AFDB14EFA5C8899EFBBF9FF98304B10406AE855E7241DA719E058BA0

Function 005E3C55 Relevance: 6.1, APIs: 4, Instructions: 85processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 005E3C7A
Process32FirstW.KERNEL32(00000000,?), ref: 005E3C88
Process32NextW.KERNEL32(00000000,?), ref: 005E3CA8
CloseHandle.KERNEL32(00000000), ref: 005E3D52

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 39c140fe2c7b25ff3c483556fb925a7318093fab0501172544624971b6a4e446
Instruction ID: 337b5f46023961aec19766e164fd6ce9fb9b0d4fc80a1af8016deaf7cdae6a24
Opcode Fuzzy Hash: 39c140fe2c7b25ff3c483556fb925a7318093fab0501172544624971b6a4e446
Instruction Fuzzy Hash: EF319E711083469BC314EF11C889AAFBFE8BFD9350F50082CF881961A1EB719A49CB92

Function 0060C498 Relevance: 6.1, APIs: 4, Instructions: 83windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00582612: GetWindowLongW.USER32(?,000000EB), ref: 00582623

GetCursorPos.USER32(?), ref: 0060C4D2
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,005BB9AB,?,?,?,?,?), ref: 0060C4E7
GetCursorPos.USER32(?), ref: 0060C534
DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,005BB9AB,?,?,?), ref: 0060C56E

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Cursor$LongMenuPopupProcTrackWindow
String ID:
API String ID: 2864067406-0
Opcode ID: 147871e37e2992ab1c0e5bb3f367410163dffec37b10040bf451445c68babced
Instruction ID: 2e1cd569aab969a3a4437463387c9481beac0cb7f7d92fcef88934d58b8256dc
Opcode Fuzzy Hash: 147871e37e2992ab1c0e5bb3f367410163dffec37b10040bf451445c68babced
Instruction Fuzzy Hash: A6318139540018AFCB2ADF58CC58EEB7BB6EB49320F444165F9059B3A1CB31A961DBA4

Function 005D8656 Relevance: 6.1, APIs: 4, Instructions: 79memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 005D810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 005D8121
Part of subcall function 005D810A: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 005D812B
Part of subcall function 005D810A: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005D813A
Part of subcall function 005D810A: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 005D8141
Part of subcall function 005D810A: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 005D8157

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 005D86A3
_memcmp.LIBCMT ref: 005D86C6
GetProcessHeap.KERNEL32(00000000,00000000), ref: 005D86FC
HeapFree.KERNEL32(00000000), ref: 005D8703

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 1592001646-0
Opcode ID: 755e3d1a7068131130c0bc4a01d19f90ac518a1afc9f78c5e649ed741bdff372
Instruction ID: a3ece7f80dcfabb1ccea7a9eee601512fea8506f90db91878d5e17bceef6c440
Opcode Fuzzy Hash: 755e3d1a7068131130c0bc4a01d19f90ac518a1afc9f78c5e649ed741bdff372
Instruction Fuzzy Hash: C4216B71E40209EBDB20DFA8C949BFEBBB9FF54355F15405AE444AB241EB31AE05CB50

Function 005A098C Relevance: 6.1, APIs: 4, Instructions: 79COMMON

Download Yara Rule

APIs

__setmode.LIBCMT ref: 005A09AE

Part of subcall function 00585A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,005E7896,?,?,00000000), ref: 00585A2C
Part of subcall function 00585A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,005E7896,?,?,00000000,?,?), ref: 00585A50

_fprintf.LIBCMT ref: 005A09E5
OutputDebugStringW.KERNEL32(?), ref: 005D5DBB

Part of subcall function 005A4AAA: _flsall.LIBCMT ref: 005A4AC3

__setmode.LIBCMT ref: 005A0A1A

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
String ID:
API String ID: 521402451-0
Opcode ID: 74f31fe97b620b2dfa3d830f31aa4e185cb984a54fc23d84e9887b2034cd132b
Instruction ID: 55077757369c342f68d342139a39327dec567f9ba90fac99ea5e32d75886200b
Opcode Fuzzy Hash: 74f31fe97b620b2dfa3d830f31aa4e185cb984a54fc23d84e9887b2034cd132b
Instruction Fuzzy Hash: 401102319042066FDB04B7F8AC8F9BE7FA9BFC7320F240116F50567182EEA159469BA1

Function 005F1767 Relevance: 6.1, APIs: 4, Instructions: 78networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 005F17A3

Part of subcall function 005F182D: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 005F184C
Part of subcall function 005F182D: InternetCloseHandle.WININET(00000000), ref: 005F18E9

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Internet$CloseConnectHandleOpen
String ID:
API String ID: 1463438336-0
Opcode ID: c0a85e8c8f5dfc16cba39b44912f5ff4b408cc3edbbe459d0920f5bcc5b8e70c
Instruction ID: 12e521785a79c575b32206af796bdbd8d61d9038985f18fad172d0be3968e6b3
Opcode Fuzzy Hash: c0a85e8c8f5dfc16cba39b44912f5ff4b408cc3edbbe459d0920f5bcc5b8e70c
Instruction Fuzzy Hash: E821B071240A09FBEB129F609C04BBBBFAAFF88750F14442AFA0596550DB79981197A4

Function 005E3A2A Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0060FAC0), ref: 005E3A64
GetLastError.KERNEL32 ref: 005E3A73
CreateDirectoryW.KERNEL32(?,00000000), ref: 005E3A82
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0060FAC0), ref: 005E3ADF

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: 0246ba0ccc9aacf82232513c31e7d7205e89e4a4b73f493154c49ae17ce1f702
Instruction ID: 31a1e6e187ed6d0d7d5c0ee1d10e85f04de79f07501d0e2c0b41a1f6029f5019
Opcode Fuzzy Hash: 0246ba0ccc9aacf82232513c31e7d7205e89e4a4b73f493154c49ae17ce1f702
Instruction Fuzzy Hash: 752194345482459FC314EF29C88986B7FE8BE59364F104A29F4D9D72A1D731DE85CB82

Function 005B50E2 Relevance: 6.1, APIs: 4, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 005B5101

Part of subcall function 005A571C: __FF_MSGBANNER.LIBCMT ref: 005A5733
Part of subcall function 005A571C: __NMSG_WRITE.LIBCMT ref: 005A573A
Part of subcall function 005A571C: RtlAllocateHeap.NTDLL(00F10000,00000000,00000001,00000000,?,?,?,005A0DD3,?), ref: 005A575F

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: AllocateHeap_free
String ID:
API String ID: 614378929-0
Opcode ID: e406256638b1281b2ccc2f9763a2b9565dc2645879bd3b148311d60efbf3fd55
Instruction ID: 18c14aa7e0d64a4ff75901a533ebfa6dd580990c7320431ba845ddc059605b78
Opcode Fuzzy Hash: e406256638b1281b2ccc2f9763a2b9565dc2645879bd3b148311d60efbf3fd55
Instruction Fuzzy Hash: C9110A71904A16AECF392F78BC097AE3F98BF46361F204929FA8496151FE31A940C790

Function 005844A0 Relevance: 6.1, APIs: 4, Instructions: 66timewindowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005844CF

Part of subcall function 0058407C: _memset.LIBCMT ref: 005840FC
Part of subcall function 0058407C: _wcscpy.LIBCMT ref: 00584150
Part of subcall function 0058407C: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00584160

KillTimer.USER32(?,00000001,?,?), ref: 00584524
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00584533
Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 005BD4B9

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
String ID:
API String ID: 1378193009-0
Opcode ID: a7d2c88cfc4a14d561d70a63d030d0ac9664fa08b98a657271ed8fb62dcd45e0
Instruction ID: dab7180bbfb0ea1ea49f536e895a370694f813103af493c78f6ae504f96a08eb
Opcode Fuzzy Hash: a7d2c88cfc4a14d561d70a63d030d0ac9664fa08b98a657271ed8fb62dcd45e0
Instruction Fuzzy Hash: 8321DA745047949FEB329B249859BEBBFFCBF05314F04049DEA9E56142D3B42A84CB52

Function 005F6369 Relevance: 6.1, APIs: 4, Instructions: 61networkCOMMON

Download Yara Rule

APIs

Part of subcall function 00585A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,005E7896,?,?,00000000), ref: 00585A2C
Part of subcall function 00585A15: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,005E7896,?,?,00000000,?,?), ref: 00585A50

gethostbyname.WSOCK32(?), ref: 005F6399
WSAGetLastError.WSOCK32(00000000), ref: 005F63A4
_memmove.LIBCMT ref: 005F63D1
inet_ntoa.WSOCK32(?), ref: 005F63DC

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
String ID:
API String ID: 1504782959-0
Opcode ID: c3acb38068edcfd96136cbe95ce58f2e40510c2b863b9d3a034e930cc82d6f46
Instruction ID: e917e509f78e3c84ee6a17a2d2d8783381f30c1d46f6ff5895636c2ef86c857b
Opcode Fuzzy Hash: c3acb38068edcfd96136cbe95ce58f2e40510c2b863b9d3a034e930cc82d6f46
Instruction Fuzzy Hash: 6D11333550010AAFCB04FBA4DD8ACFE7BB9BF48311B544465F905B7161EB319E14DB61

Function 005D8B41 Relevance: 6.1, APIs: 4, Instructions: 59windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 005D8B61
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005D8B73
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005D8B89
SendMessageW.USER32(?,000000C9,?,00000000), ref: 005D8BA4

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 19bd619142dfb5d9606a9104789d5cd673ef1522520e0e8070cc00a7369ab75a
Instruction ID: 09f49111e341d28f20f83c26c8abf5d8fb87fec971458fdb332cf0ee1cb55bd2
Opcode Fuzzy Hash: 19bd619142dfb5d9606a9104789d5cd673ef1522520e0e8070cc00a7369ab75a
Instruction Fuzzy Hash: 05115E79900218FFEB10DFA9CC84FADBB74FB48710F204096E900B7250DA716E11DB94

Function 00581290 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

Part of subcall function 00582612: GetWindowLongW.USER32(?,000000EB), ref: 00582623

DefDlgProcW.USER32(?,00000020,?), ref: 005812D8
GetClientRect.USER32(?,?), ref: 005BB5FB
GetCursorPos.USER32(?), ref: 005BB605
ScreenToClient.USER32(?,?), ref: 005BB610

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Client$CursorLongProcRectScreenWindow
String ID:
API String ID: 4127811313-0
Opcode ID: 2792942be2a567a5eadd878434066e8672de8082334f6e9ed212e7c41eec35e0
Instruction ID: 43ec90c068c93edbdea9f64fd10e6dfc825fd697973aaaa01bf4eb96ae72d4a0
Opcode Fuzzy Hash: 2792942be2a567a5eadd878434066e8672de8082334f6e9ed212e7c41eec35e0
Instruction Fuzzy Hash: 0F113A3950051AEFCB10EF99D8899FE7BB9FB45310F400456FA42E7141D730BA528BA9

Function 005DD831 Relevance: 6.0, APIs: 4, Instructions: 50registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 005DD84D
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 005DD864
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 005DD879
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 005DD897

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 2dc4bba537fc99efc664e2604efac37cc226e335f6e09b9a87c08394bca3bc87
Instruction ID: f54beb75f90486b3ad4c0c810277c0782e98b42483df241943942ac827bd7e38
Opcode Fuzzy Hash: 2dc4bba537fc99efc664e2604efac37cc226e335f6e09b9a87c08394bca3bc87
Instruction Fuzzy Hash: 06115E75645304DBE3318F58EC48F93BBBCFB00B00F10896BA916D6651D7B0E549ABB1

Function 005B6FB7 Relevance: 6.0, APIs: 4, Instructions: 48COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 005B6FDB

Part of subcall function 005B76C2: __fltout2.LIBCMT ref: 005B76EB

__cftog_l.LIBCMT ref: 005B7001
__cftoe_l.LIBCMT ref: 005B7033

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction ID: 9044b5d2ecdf3ec29ac86b969e07ab9340f977deaf987bbd4ca77bd166a814e9
Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
Instruction Fuzzy Hash: 46014E7244814EBBCF166E84CC09CED3F62BB9C350F598416FA1858031D236E9B1AF81

Function 0060B2C5 Relevance: 6.0, APIs: 4, Instructions: 47COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 0060B2E4
ScreenToClient.USER32(?,?), ref: 0060B2FC
ScreenToClient.USER32(?,?), ref: 0060B320
InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0060B33B

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ClientRectScreen$InvalidateWindow
String ID:
API String ID: 357397906-0
Opcode ID: 01c75600bc7fdc95ba9b6bef994ee23d8f34521451637bdc348d2b72a2cad812
Instruction ID: 3a306b2605426271c717eed61fb871c42df758587793856e143fddf2b27dfd6e
Opcode Fuzzy Hash: 01c75600bc7fdc95ba9b6bef994ee23d8f34521451637bdc348d2b72a2cad812
Instruction Fuzzy Hash: 141144B9D40209EFDB51CFA9C8849EEBBF9FF08310F109166E914E3620D735AA558F50

Function 005E6BDA Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?), ref: 005E6BE6

Part of subcall function 005E76C4: _memset.LIBCMT ref: 005E76F9

_memmove.LIBCMT ref: 005E6C09
_memset.LIBCMT ref: 005E6C16
LeaveCriticalSection.KERNEL32(?), ref: 005E6C26

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CriticalSection_memset$EnterLeave_memmove
String ID:
API String ID: 48991266-0
Opcode ID: a09909007cdc7e9e2554dfd6969fbdcaa850192d5dbdc4e208183d7973ec5c37
Instruction ID: 0c8ae1a5b6f6c55ced57fe1afeea5474a71d5e580e03670afee9694d2d1ee4d2
Opcode Fuzzy Hash: a09909007cdc7e9e2554dfd6969fbdcaa850192d5dbdc4e208183d7973ec5c37
Instruction Fuzzy Hash: B2F0543A100100ABCF056F95DC89A4ABF2AFF85320F048061FE085E267C732E911DBB4

Function 00582218 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 00582231
SetTextColor.GDI32(?,000000FF), ref: 0058223B
SetBkMode.GDI32(?,00000001), ref: 00582250
GetStockObject.GDI32(00000005), ref: 00582258
GetWindowDC.USER32(?,00000000), ref: 005BBE83
GetPixel.GDI32(00000000,00000000,00000000), ref: 005BBE90
GetPixel.GDI32(00000000,?,00000000), ref: 005BBEA9
GetPixel.GDI32(00000000,00000000,?), ref: 005BBEC2
GetPixel.GDI32(00000000,?,?), ref: 005BBEE2
ReleaseDC.USER32(?,00000000), ref: 005BBEED

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
String ID:
API String ID: 1946975507-0
Opcode ID: 0023a82d5e372aa1f0a5e2826c7b06e65068bff1347b2d36aadfbc35bed6b444
Instruction ID: 7c1a4ceb33c31adc0806e2cfc160697198dbd687125f198edd7193113a704c6a
Opcode Fuzzy Hash: 0023a82d5e372aa1f0a5e2826c7b06e65068bff1347b2d36aadfbc35bed6b444
Instruction Fuzzy Hash: A8E03932144244AAEB215F64EC0D7D93F12EB16332F0083A6FA69584E187B24990DB12

Function 005D8712 Relevance: 6.0, APIs: 4, Instructions: 23threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 005D871B
OpenThreadToken.ADVAPI32(00000000,?,?,?,005D82E6), ref: 005D8722
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005D82E6), ref: 005D872F
OpenProcessToken.ADVAPI32(00000000,?,?,?,005D82E6), ref: 005D8736

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 29e6e9e0fee2825bd05329fd20ba73365cb8d7e21c66a2ab6a46dc2cb1b7d843
Instruction ID: ed13731593d4e9f174a9cf25dcb5ada641d63179067600fbcedaf101945b2da5
Opcode Fuzzy Hash: 29e6e9e0fee2825bd05329fd20ba73365cb8d7e21c66a2ab6a46dc2cb1b7d843
Instruction Fuzzy Hash: BAE086366512119BDB305FF45D0CF573BADEF50791F148829B246C9040DA348441C750

Function 00586240 Relevance: 5.6, APIs: 2, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

%a, xrefs: 0058624E

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID:
String ID: %a
API String ID: 0-913774005
Opcode ID: 97a2790fb7ed6e7fa335c285bf64921980c403d49d744f40a6e0b3b597f3291f
Instruction ID: 189cbb448b4ef4f35e7f938514e6a6cb206658bb42d70f6daed58b9dc3f08d6f
Opcode Fuzzy Hash: 97a2790fb7ed6e7fa335c285bf64921980c403d49d744f40a6e0b3b597f3291f
Instruction Fuzzy Hash: 98B17D7590010A9BCF14FB94C8899FEBFB9FB48310F644426ED12B7191EB349A81CB91

Function 005FAEA2 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 313COMMON

Download Yara Rule

APIs

__itow_s.LIBCMT ref: 005FAFAE

Strings

xbd, xrefs: 005FAFE4
xbd, xrefs: 005FB010

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: __itow_s
String ID: xbd$xbd
API String ID: 3653519197-63148811
Opcode ID: ab0fc12d7f281fb11f91265f4df415e06bd44e3e2d48bb8439d57f0100bb7771
Instruction ID: 3b0c97abdf501e1ca90414fe009fda6d46d338e5d7cf6283fa40aa87a5c5801f
Opcode Fuzzy Hash: ab0fc12d7f281fb11f91265f4df415e06bd44e3e2d48bb8439d57f0100bb7771
Instruction Fuzzy Hash: 8FB19274A0010AEFDB14EF54C894DBABFB9FF49300F148459FA45AB291EB74E941CB61

Function 005EAFAC Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 201shareCOMMON

Download Yara Rule

APIs

Part of subcall function 0059FC86: _wcscpy.LIBCMT ref: 0059FCA9

Part of subcall function 00589837: __itow.LIBCMT ref: 00589862
Part of subcall function 00589837: __swprintf.LIBCMT ref: 005898AC

__wcsnicmp.LIBCMT ref: 005EB02D
WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 005EB0F6

Strings

LPT, xrefs: 005EB027

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
String ID: LPT
API String ID: 3222508074-1350329615
Opcode ID: c0007036dad73d9fce99fbbc506f73225708eaf570631b7f25478a581168c763
Instruction ID: 4dadb322b56cc4201c87bfae990829fb7ccf7e377c55deba8324767cdb936c37
Opcode Fuzzy Hash: c0007036dad73d9fce99fbbc506f73225708eaf570631b7f25478a581168c763
Instruction Fuzzy Hash: 19619071A00216AFDB18EF95C895EAFBBB4FF48310F044069F956AB291D730AE44CB90

Function 00592957 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 00592968
GlobalMemoryStatusEx.KERNEL32(?), ref: 00592981

Strings

@, xrefs: 00592975

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 13bdc7145d21479130169e6cf61708ba6b6be9d8eb31340ce9bf48eb642fef04
Instruction ID: d088a247227bc95b1b430effb3d12209984bd2ff1109322d6e449680619809bd
Opcode Fuzzy Hash: 13bdc7145d21479130169e6cf61708ba6b6be9d8eb31340ce9bf48eb642fef04
Instruction Fuzzy Hash: CC513472408B459BD320EF10D88ABABBBECFBC5344F81885DF6D9510A1DF308569CB66

Function 005E9734 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Part of subcall function 00584F0B: __fread_nolock.LIBCMT ref: 00584F29

_wcscmp.LIBCMT ref: 005E9824
_wcscmp.LIBCMT ref: 005E9837

Strings

FILE, xrefs: 005E9770

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: _wcscmp$__fread_nolock
String ID: FILE
API String ID: 4029003684-3121273764
Opcode ID: 418687e6d6e985eb34177fcc2ab1bfcb0a9c27b8ea2ee700c84cc66fb56b24e5
Instruction ID: 52d2415fff16345610dbffd4e86fd89050d7ddcf80aeb7c9a8b76019da00b908
Opcode Fuzzy Hash: 418687e6d6e985eb34177fcc2ab1bfcb0a9c27b8ea2ee700c84cc66fb56b24e5
Instruction Fuzzy Hash: EB41C771A0024BBADF24AAA5CC49FEFBFBDEF86710F004469F904B7180D6719904CB61

Function 005C0574 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 115COMMON

Download Yara Rule

APIs

VariantClear.OLEAUT32 ref: 005C057F

Strings

Ddd, xrefs: 0058A317
Ddd, xrefs: 0058A151

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ClearVariant
String ID: Ddd$Ddd
API String ID: 1473721057-3245474882
Opcode ID: 4c14c12c8e027b3f123f17310f6ef77ebd6512a10a4a089e7a48ea00eba1aa01
Instruction ID: a04ae3cc3214b609d2bc9553fb26d6fb6a58131f20cfec8fea140bbad149bc70
Opcode Fuzzy Hash: 4c14c12c8e027b3f123f17310f6ef77ebd6512a10a4a089e7a48ea00eba1aa01
Instruction Fuzzy Hash: 5F510378604341DFEB64DF18C484A1ABBF2BB99354F54981DF9859B361D331E881CF42

Function 005F258E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97networkCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005F259E
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 005F25D4

Strings

|, xrefs: 005F25A5

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CrackInternet_memset
String ID: |
API String ID: 1413715105-2343686810
Opcode ID: 9382ed0bc3187792e5246a27730ceb51277f48ed50efd2317d703dee764414ef
Instruction ID: 5eb935a1428aad7a66afbdd7b9c913db577cf3f69a92071144ba81fa22ba0d5e
Opcode Fuzzy Hash: 9382ed0bc3187792e5246a27730ceb51277f48ed50efd2317d703dee764414ef
Instruction Fuzzy Hash: 1D31F97180411EABCF11AFA4CC89EEEBFB9FF48310F100069FD15B6162EA359956DB60

Function 00607A71 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 97windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 00607B61
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00607B76

Strings

', xrefs: 00607ACA

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: 3ae9c04ccd2181cab197b74e43d3086d37b986c9e1d536cf989e436a316f7154
Instruction ID: 8b86dbeb9b8f5b43ee21a5510cd3eeb2de3192bf0acd54aafd91680190a923aa
Opcode Fuzzy Hash: 3ae9c04ccd2181cab197b74e43d3086d37b986c9e1d536cf989e436a316f7154
Instruction Fuzzy Hash: AB41F874E4520A9FDB54CF64C981BDABBB6FB09300F10416AE905AB391D771A951CFA0

Function 00606A63 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00606B17
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00606B53

Strings

static, xrefs: 00606AB3

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: 5a7365cfe028dc528e488294e05cb2cd9023037335b5283d2bf10a33ea6d3939
Instruction ID: 710c4cd9a78524211d39e4711264e9b93ad8afe8720bce1fba02f1d661b808e2
Opcode Fuzzy Hash: 5a7365cfe028dc528e488294e05cb2cd9023037335b5283d2bf10a33ea6d3939
Instruction Fuzzy Hash: 3C31AF71240604AEDB14AF64CC80BFB77AAFF48764F109619F9A5D7290DB31ACA1CB60

Function 005E28A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 88windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005E2911
GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 005E294C

Strings

0, xrefs: 005E290A

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 13ac9fbbfea3742930609088279fd11efdc35329cb8f22bc6a14c7d374049642
Instruction ID: 306c56c30a78b0f2bb65f04f5b9dbfa431cbd0f536b8c40374f587ef1b9f7ee1
Opcode Fuzzy Hash: 13ac9fbbfea3742930609088279fd11efdc35329cb8f22bc6a14c7d374049642
Instruction Fuzzy Hash: A831B4719003499BDB2CCF5ACC45BAEBFADFF45350F142019E9C5E61A6DB709980CB51

Function 006066D4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00606761
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0060676C

Strings

Combobox, xrefs: 0060672E

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: d78cf34a53b6dc566e2dd16dc0db83ed139bcebadd602608fb8a4f28f2c21ef9
Instruction ID: 7468081b399d49f813021abbad8a4bcade93d2160978ee0d73c04eee23c92a63
Opcode Fuzzy Hash: d78cf34a53b6dc566e2dd16dc0db83ed139bcebadd602608fb8a4f28f2c21ef9
Instruction Fuzzy Hash: 4411B675280209AFEF159F54CC80EEB376BEB44368F104129F914972D0D671DC6187A0

Function 00606C07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 00581D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00581D73
Part of subcall function 00581D35: GetStockObject.GDI32(00000011), ref: 00581D87
Part of subcall function 00581D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00581D91

GetWindowRect.USER32(00000000,?), ref: 00606C71
GetSysColor.USER32(00000012), ref: 00606C8B

Strings

static, xrefs: 00606C4E

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 4edfec9d6474f037d740878af22b0640965665ca359d17ecb76de442d4746f85
Instruction ID: b7fceb31c9cdc856e6e449924a26a4660a5218f31cc279f8ace9740dac6ad614
Opcode Fuzzy Hash: 4edfec9d6474f037d740878af22b0640965665ca359d17ecb76de442d4746f85
Instruction Fuzzy Hash: 6021297255020AAFDF18DFA8CC45AFA7BA9FB08314F005629FD95D2290D635E861DB60

Function 00606920 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 006069A2
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006069B1

Strings

edit, xrefs: 00606986

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: daa86b2b5f6ca01c7d99b7c696ead0a063370373249a23d59bb8239b41475585
Instruction ID: fccc337883283a23f89e5ffddcddc5cfd78d1f66198f81526e02e6d68c2ac0f7
Opcode Fuzzy Hash: daa86b2b5f6ca01c7d99b7c696ead0a063370373249a23d59bb8239b41475585
Instruction Fuzzy Hash: 4E11BC7118020AABEB148F64DC44EEB3BABEB05378F504724F9A5976E0C771DC619BA0

Function 005E29AF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63windowCOMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 005E2A22
GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 005E2A41

Strings

0, xrefs: 005E2A18

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: InfoItemMenu_memset
String ID: 0
API String ID: 2223754486-4108050209
Opcode ID: 9cc1f2337678552f2d1a334dea8f73ed2150d9c5a38934b8e33e407bba30dd5c
Instruction ID: d8782e6aee8d5a7ea240effb6c9a5a60241f2a86226dcd0ce0611e104074d6b8
Opcode Fuzzy Hash: 9cc1f2337678552f2d1a334dea8f73ed2150d9c5a38934b8e33e407bba30dd5c
Instruction Fuzzy Hash: 32112232900194ABCB38DF99DC44BAA7BBDBB46300F045035E8D5E7294DBB0AD0AC791

Function 005F21D6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 005F222C
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 005F2255

Strings

<local>, xrefs: 005F221D

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: ed9dfe40263aa3f35d5a6a287a83c835c3a46c4731f5407ee5b41e03ced7d8f5
Instruction ID: ce91fd1f3355297f3d07d26fb764741c729aecd9886a8c18536a3592c238e2ac
Opcode Fuzzy Hash: ed9dfe40263aa3f35d5a6a287a83c835c3a46c4731f5407ee5b41e03ced7d8f5
Instruction Fuzzy Hash: 561102B4541229BAEB258F518C95EFBFFA8FF06351F10862AFA0546040D3745881DAF1

Function 0059092D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 52COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00583C14,006452F8,?,?,?), ref: 0059096E

Part of subcall function 00587BCC: _memmove.LIBCMT ref: 00587C06

_wcscat.LIBCMT ref: 005C4CB7

Strings

Sd, xrefs: 005909AE

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: FullNamePath_memmove_wcscat
String ID: Sd
API String ID: 257928180-1064845130
Opcode ID: 223de92e6912f83ce7ede3ce79f17ef9d1078627568febc632d3f49272205994
Instruction ID: d1b94e2dd8f2b10e1d787ac3db4e976aef803c6d67e200282e996a6c5ec2e6b0
Opcode Fuzzy Hash: 223de92e6912f83ce7ede3ce79f17ef9d1078627568febc632d3f49272205994
Instruction Fuzzy Hash: 4C11A531A0521A9FCF51FFA4C80AEDD7FE9FF48350F1058A5B949D3182EA70DA845B14

Function 005D8E05 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 52windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00587DE1: _memmove.LIBCMT ref: 00587E22

Part of subcall function 005DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 005DAABC

SendMessageW.USER32(?,000001A2,000000FF,?), ref: 005D8E73

Strings

ListBox, xrefs: 005D8E3D
ComboBox, xrefs: 005D8E12

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: c7aa354222d165c8ae506c7b1b1486a2e00f0cb75c744b2397c32ee5ab15b113
Instruction ID: f00c96fddea379ae17becf5c745283719230b8322e22e4bfcb288009ec8a16fb
Opcode Fuzzy Hash: c7aa354222d165c8ae506c7b1b1486a2e00f0cb75c744b2397c32ee5ab15b113
Instruction Fuzzy Hash: 2A01F5B160121AABCB24FBA8CC498FE7B69FF85320B500A1BF861673D1EE315808C750

Function 005D8CFD Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00587DE1: _memmove.LIBCMT ref: 00587E22

Part of subcall function 005DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 005DAABC

SendMessageW.USER32(?,00000180,00000000,?), ref: 005D8D6B

Strings

ListBox, xrefs: 005D8D35
ComboBox, xrefs: 005D8D0A

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: d2ebcf8e7354c702409a89afa9d7345641cd011367452f60718504a9884adcb4
Instruction ID: 15864a72a2a386972af0be11cdfba79d4850db6876fc13cfb14d51f97ce7cf84
Opcode Fuzzy Hash: d2ebcf8e7354c702409a89afa9d7345641cd011367452f60718504a9884adcb4
Instruction Fuzzy Hash: 5101D871641109ABCB24F7A4C956AFF7BA9AF55300F500417B802732D1DE219E08D3B1

Function 005D8D82 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00587DE1: _memmove.LIBCMT ref: 00587E22

Part of subcall function 005DAA99: GetClassNameW.USER32(?,?,000000FF), ref: 005DAABC

SendMessageW.USER32(?,00000182,?,00000000), ref: 005D8DEE

Strings

ListBox, xrefs: 005D8DBA
ComboBox, xrefs: 005D8D8F

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ClassMessageNameSend_memmove
String ID: ComboBox$ListBox
API String ID: 372448540-1403004172
Opcode ID: 9bcf59fbf2c2c7b2143c0be34c63227f0f1258cdc44dc86cdb30501ffba8b642
Instruction ID: 8ec603a9237360af98f384f1c95ee94f7db58780b0733760335b801cc7146849
Opcode Fuzzy Hash: 9bcf59fbf2c2c7b2143c0be34c63227f0f1258cdc44dc86cdb30501ffba8b642
Instruction Fuzzy Hash: AB01A7B1A4110AA7DB31F7A8C946AFF7BA9AF15300F540517B845733D1DE219E08D371

Function 005DC4EB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 005DC534

Part of subcall function 005DC816: _memmove.LIBCMT ref: 005DC860
Part of subcall function 005DC816: VariantInit.OLEAUT32(00000000), ref: 005DC882
Part of subcall function 005DC816: VariantCopy.OLEAUT32(00000000,?), ref: 005DC88C

VariantClear.OLEAUT32(?), ref: 005DC556

Strings

d}c, xrefs: 005DC517

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Variant$Init$ClearCopy_memmove
String ID: d}c
API String ID: 2932060187-4273311159
Opcode ID: 54de290a802388cf4fc0b459829088d6728d704e363525bed037ec8787913f15
Instruction ID: d6347b37e754624c17edc53f36c12e7d119157778b8b61b62f57e4d98a08245e
Opcode Fuzzy Hash: 54de290a802388cf4fc0b459829088d6728d704e363525bed037ec8787913f15
Instruction Fuzzy Hash: 2511FEB19007099FC720DF99D88489ABBF8FF08314B50856FE98A97611D771AA44CB90

Function 005E4F28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 29COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 005E4F46
_wcscmp.LIBCMT ref: 005E4F58

Strings

#32770, xrefs: 005E4F52

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: ClassName_wcscmp
String ID: #32770
API String ID: 2292705959-463685578
Opcode ID: 24edded40408414bd6c2a183a5fb6e0799265d006e5cf84c6715393fa47d7c83
Instruction ID: 66e0278574a1c9a749573093a2e1e678c2cf97ef812b7a9ca4452730494e6df9
Opcode Fuzzy Hash: 24edded40408414bd6c2a183a5fb6e0799265d006e5cf84c6715393fa47d7c83
Instruction Fuzzy Hash: AEE0D1329003292BD7209B59EC49FE7FBACEB46B71F010057FD04D3151D5609B4587D1

Function 005BB2C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 005BB314: _memset.LIBCMT ref: 005BB321

Part of subcall function 005A0940: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,005BB2F0,?,?,?,0058100A), ref: 005A0945

IsDebuggerPresent.KERNEL32(?,?,?,0058100A), ref: 005BB2F4
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0058100A), ref: 005BB303

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 005BB2FE

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 3158253471-631824599
Opcode ID: 02175cfa1d826941fc8176d184a1e8810ef86da0c05343258306e699651a312d
Instruction ID: f9c7605cc7bd12f1c5a6333d8b027ab74693893d3ebbe2621e35718c0668c81a
Opcode Fuzzy Hash: 02175cfa1d826941fc8176d184a1e8810ef86da0c05343258306e699651a312d
Instruction Fuzzy Hash: F1E06D702007128FE7609F28E4083877EE4BF00314F119E2DE496C7641E7F4E444CBA1

Function 005D7C74 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 22windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 005D7C82

Part of subcall function 005A3358: _doexit.LIBCMT ref: 005A3362

Strings

AutoIt, xrefs: 005D7C76
Error allocating memory., xrefs: 005D7C7B

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Message_doexit
String ID: AutoIt$Error allocating memory.
API String ID: 1993061046-4017498283
Opcode ID: f19fac428bf6f3c56f3dd4c0109ccbec5fadc8bc9e5ee37120b607d271d17e3b
Instruction ID: ae5a990e30ae9a7cae734a03c5c149a5beb1a7287282d2a370c2546570cdaa40
Opcode Fuzzy Hash: f19fac428bf6f3c56f3dd4c0109ccbec5fadc8bc9e5ee37120b607d271d17e3b
Instruction Fuzzy Hash: 1ED0C2323D831836D22032A86C0ABCA2E499B06B12F040412BF045D5D349D2488082E4

Function 005C1935 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 21COMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?), ref: 005C1775

Part of subcall function 005FBFF0: LoadLibraryA.KERNEL32(kernel32.dll,?,005C195E,?), ref: 005FBFFE
Part of subcall function 005FBFF0: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 005FC010

FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 005C196D

Strings

WIN_XPe, xrefs: 005C1788

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: Library$AddressDirectoryFreeLoadProcSystem
String ID: WIN_XPe
API String ID: 582185067-3257408948
Opcode ID: 96cd7ec2cfb900452219e362c0f80548769f0d8c99e1cb6ca87f2e9463623357
Instruction ID: d5ae99a19c78ba925a7ddf46e3679433aab3a941719c6630ec5c356666a9157c
Opcode Fuzzy Hash: 96cd7ec2cfb900452219e362c0f80548769f0d8c99e1cb6ca87f2e9463623357
Instruction Fuzzy Hash: D5F0A570804109DFDB26DBA5C998BEDBEF8FB09301F541499E102A2091DB755E84DFA5

Function 00605964 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0060596E
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00605981

Part of subcall function 005E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005E52BC

Strings

Shell_TrayWnd, xrefs: 00605967

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: f6fde58305ba36d0f8fef869f7c9f31ae0ac6bdb45d9d84c32e814425d4b9512
Instruction ID: 303eb3dccdf1b84fced0e4b5705b707eaf316a4f702b9a7047b92942cb1a738e
Opcode Fuzzy Hash: f6fde58305ba36d0f8fef869f7c9f31ae0ac6bdb45d9d84c32e814425d4b9512
Instruction Fuzzy Hash: 5CD0C9357D4311BAE7B8AB709C0FFD76A16BB50B51F011825B349AA5D0D9E09800C694

Function 00605998 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006059AE
PostMessageW.USER32(00000000), ref: 006059B5

Part of subcall function 005E5244: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 005E52BC

Strings

Shell_TrayWnd, xrefs: 006059A7

Memory Dump Source

Source File: 00000000.00000002.2127311429.0000000000581000.00000020.00000001.01000000.00000003.sdmp, Offset: 00580000, based on PE: true

Associated: 00000000.00000002.2127291385.0000000000580000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.000000000060F000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127368268.0000000000634000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127444822.000000000063E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2127468063.0000000000647000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_580000_INVOICE NO.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 49165b98c39b9cfabdcec40405205d970f05bd3f5fd075cda3d3ab67e55fcead
Instruction ID: 52b085ef9320d9740abe0790f89ded549ba21dcb735b6ac4b766077454d72a0c
Opcode Fuzzy Hash: 49165b98c39b9cfabdcec40405205d970f05bd3f5fd075cda3d3ab67e55fcead
Instruction Fuzzy Hash: 0BD0C9317C43117AE7B9AB709C0FFD76A16BB54B51F011825B345AA5D0D9E0A800C694

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report INVOICE NO. USF23-24072 IGR23110.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\aut3D4.tmp

C:\Users\user\AppData\Local\Temp\aut414.tmp

C:\Users\user\AppData\Local\Temp\iodization

C:\Users\user\AppData\Local\Temp\undiscernibly

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Windows Analysis Report
INVOICE NO. USF23-24072 IGR23110.exe

Function 00583B3A Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 153
windowCOMMON

Function 005849A0 Relevance: 10.7, APIs: 7, Instructions: 223
COMMON

Function 00584E89 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 62
COMMON

Function 005E9155 Relevance: 19.8, APIs: 13, Instructions: 322
fileCOMMON

Function 00583015 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 73
windowregistryCOMMON

Function 00583041 Relevance: 19.3, APIs: 7, Strings: 4, Instructions: 54
windowregistryCOMMON

Function 0058708B Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 201
registryCOMMON

Function 00583633 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 151
windowtimeregistryCOMMON

Function 00583A46 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 71
windowregistryCOMMON

Function 00583766 Relevance: 16.0, APIs: 1, Strings: 8, Instructions: 267
COMMON

Function 0058F76F Relevance: 12.4, APIs: 3, Strings: 4, Instructions: 168
comCOMMON

Function 00F987F0 Relevance: 10.7, APIs: 7, Instructions: 239
fileCOMMON

Function 005839D5 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 00F98580 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 159
fileCOMMON

Function 0058407C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 88
windowCOMMON

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre