
Windows Analysis Report
eArchive_InvoiceNOS20240004228.exe

Overview

General Information

Sample name: eArchive_InvoiceNOS20240004228.exe
Analysis ID: 1501603
MD5: 7cc6d90beb7d480a3d35e9fff03832c4
SHA1: f8ba9237ffef8fede8c78a973faffaad887282cd
SHA256: 2b504ff2d16bd1d86e92be2b650baff5cd1656df06ffae2fc254ce0303a03ea2
Tags: exe

Detection

FormBook
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Initial sample is a PE file and has a suspicious name
Machine Learning detection for sample
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • eArchive_InvoiceNOS20240004228.exe (PID: 7504 cmdline: "C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe" MD5: 7CC6D90BEB7D480A3D35E9FFF03832C4)
    • svchost.exe (PID: 7520 cmdline: "C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
Source: 00000001.00000002.1940113309.0000000000A80000.00000004.00001000.00020000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown | Strings:
    • 0x2c000:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x1409f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 00000001.00000002.1939939255.0000000000400000.00000040.80000000.00040000.00000000.sdmp
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown | Strings:
    • 0x2f203:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x172a2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

Source | Rule | Description | Author | Strings
Source: 1.2.svchost.exe.400000.0.unpack
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown | Strings:
    • 0x2e403:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x164a2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
Source: 1.2.svchost.exe.400000.0.raw.unpack
  Rule: JoeSecurity_FormBook_1 | Description: Yara detected FormBook | Author: Joe Security
  Rule: Windows_Trojan_Formbook_1112e116 | Description: unknown | Author: unknown | Strings:
    • 0x2f203:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
    • 0x172a2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

          System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe", CommandLine: "C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe", ParentImage: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe, ParentProcessId: 7504, ParentProcessName: eArchive_InvoiceNOS20240004228.exe, ProcessCommandLine: "C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe", ProcessId: 7520, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe", CommandLine: "C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe", ParentImage: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe, ParentProcessId: 7504, ParentProcessName: eArchive_InvoiceNOS20240004228.exe, ProcessCommandLine: "C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe", ProcessId: 7520, ProcessName: svchost.exe
          No Suricata rule has matched


          AV Detection

Source: eArchive_InvoiceNOS20240004228.exe | ReversingLabs: Detection: 44%
Source: eArchive_InvoiceNOS20240004228.exe | Virustotal: Detection: 24%
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1940113309.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1939939255.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: eArchive_InvoiceNOS20240004228.exe | Joe Sandbox ML: detected
Source: eArchive_InvoiceNOS20240004228.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: Binary string: wntdll.pdbUGP source: eArchive_InvoiceNOS20240004228.exe, 00000000.00000003.1658599425.0000000003900000.00000004.00001000.00020000.00000000.sdmp, eArchive_InvoiceNOS20240004228.exe, 00000000.00000003.1657090605.0000000003760000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1940276318.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1940276318.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1896285791.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1893506386.0000000003000000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb source: eArchive_InvoiceNOS20240004228.exe, 00000000.00000003.1658599425.0000000003900000.00000004.00001000.00020000.00000000.sdmp, eArchive_InvoiceNOS20240004228.exe, 00000000.00000003.1657090605.0000000003760000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1940276318.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1940276318.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1896285791.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1893506386.0000000003000000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A0DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A168EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A1698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A0D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A0D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A19642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A1979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A19B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A15C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A1CE44 InternetReadFile,SetEvent,GetLastError,SetEvent
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A1EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A1ED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A1EAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A0AA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A39576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW

          E-Banking Fraud

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000002.1940113309.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1939939255.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

          System Summary

Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1940113309.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000001.00000002.1939939255.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: eArchive_InvoiceNOS20240004228.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
Source: eArchive_InvoiceNOS20240004228.exe, 00000000.00000000.1647476509.0000000000A62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_530ec5e6-1
Source: eArchive_InvoiceNOS20240004228.exe, 00000000.00000000.1647476509.0000000000A62000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_ebf89a34-c
Source: eArchive_InvoiceNOS20240004228.exe | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_bf0daa59-f
Source: eArchive_InvoiceNOS20240004228.exe | String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_a9d32490-6
Source: initial sample | Static PE information: Filename: eArchive_InvoiceNOS20240004228.exe
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042C4D3 NtClose
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040A97D NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472B60 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034735C0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03474340 NtSetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03474650 NtSuspendThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472BE0 NtQueryValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472BF0 NtAllocateVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472B80 NtQueryInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472BA0 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472AD0 NtReadFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472AF0 NtWriteFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472AB0 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472F60 NtCreateProcessEx
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472F30 NtCreateSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472FE0 NtCreateFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472F90 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472FA0 NtQuerySection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472FB0 NtResumeThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472E30 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472EE0 NtQueueApcThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472E80 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472EA0 NtAdjustPrivilegesToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472D00 NtSetInformationFile
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472D10 NtMapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472D30 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472DD0 NtDelayExecution
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472DB0 NtEnumerateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472C60 NtCreateKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472C70 NtFreeVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472C00 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472CC0 NtQueryVirtualMemory
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472CF0 NtOpenProcess
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03472CA0 NtQueryInformationToken
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03473010 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03473090 NtSetValueKey
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034739B0 NtGetContextThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03473D70 NtOpenThread
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03473D10 NtOpenProcessToken
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A0D5EB CreateFileW,DeviceIoControl,CloseHandle
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A01201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A0E8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A12046
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009A8060
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A08298
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009DE4FF
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009D676B
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A34873
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009CCAA0
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009ACAF0
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009BCC39
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009D6DD9
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009A91C0
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009BB119
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009C1394
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009C1706
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009C781B
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009C19B0
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009A7920
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009B997D
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009C7A4A
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009C7CA7
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009C1C77
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009D9EEE
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A2BE44
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009C1F32
Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00F23630
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042EAF3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FC7A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FC83
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00416613
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040FEA3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402F60
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040DF23
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402790
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F41A2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03485630
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_035095C3
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034B3A6C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034EDAC61_2_034EDAC6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DDAAC1_2_034DDAAC
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03485AA01_2_03485AA0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E1AA31_2_034E1AA3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034499501_2_03449950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345B9501_2_0345B950
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D59101_2_034D5910
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AD8001_2_034AD800
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034438E01_2_034438E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034FFF091_2_034FFF09
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03403FD21_2_03403FD2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03403FD51_2_03403FD5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03441F921_2_03441F92
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034FFFB11_2_034FFFB1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03449EB01_2_03449EB0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03443D401_2_03443D40
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F1D5A1_2_034F1D5A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F7D731_2_034F7D73
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345FDC01_2_0345FDC0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B9C321_2_034B9C32
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034FFCF21_2_034FFCF2
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034BF290 appears 104 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 034AEA12 appears 86 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0342B970 appears 265 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03475130 appears 58 times
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03487E54 appears 107 times
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: String function: 009C0A30 appears 46 times
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: String function: 009BF9F2 appears 31 times
          Source: eArchive_InvoiceNOS20240004228.exe, 00000000.00000003.1657553293.0000000003A2D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs eArchive_InvoiceNOS20240004228.exe
          Source: eArchive_InvoiceNOS20240004228.exe, 00000000.00000003.1658487940.0000000003883000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs eArchive_InvoiceNOS20240004228.exe
          Source: eArchive_InvoiceNOS20240004228.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1940113309.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: 00000001.00000002.1939939255.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
          Source: classification engine | Classification label: mal96.troj.evad.winEXE@3/4@0/0
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A137B5 GetLastError,FormatMessageW
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A010BF AdjustTokenPrivileges,CloseHandle
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A016C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A151CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A2A67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A1648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009A42A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | File created: C:\Users\user\AppData\Local\Temp\aut3575.tmp
          Source: eArchive_InvoiceNOS20240004228.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: eArchive_InvoiceNOS20240004228.exe | ReversingLabs: Detection: 44%
          Source: eArchive_InvoiceNOS20240004228.exe | Virustotal: Detection: 24%
          Source: unknown | Process created: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe "C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe"
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe"
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Section loaded: wsock32.dll
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Section loaded: version.dll
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Section loaded: winmm.dll
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Section loaded: mpr.dll
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Section loaded: wininet.dll
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Section loaded: userenv.dll
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Section loaded: ntmarta.dll
          Source: eArchive_InvoiceNOS20240004228.exe | Static file information: File size 1296384 > 1048576
          Source: eArchive_InvoiceNOS20240004228.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
          Source: eArchive_InvoiceNOS20240004228.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
          Source: eArchive_InvoiceNOS20240004228.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
          Source: eArchive_InvoiceNOS20240004228.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: eArchive_InvoiceNOS20240004228.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
          Source: eArchive_InvoiceNOS20240004228.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
          Source: eArchive_InvoiceNOS20240004228.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
          Source: Binary string: wntdll.pdbUGP | source: eArchive_InvoiceNOS20240004228.exe, 00000000.00000003.1658599425.0000000003900000.00000004.00001000.00020000.00000000.sdmp, eArchive_InvoiceNOS20240004228.exe, 00000000.00000003.1657090605.0000000003760000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1940276318.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1940276318.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1896285791.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1893506386.0000000003000000.00000004.00000020.00020000.00000000.sdmp
          Source: Binary string: wntdll.pdb | source: eArchive_InvoiceNOS20240004228.exe, 00000000.00000003.1658599425.0000000003900000.00000004.00001000.00020000.00000000.sdmp, eArchive_InvoiceNOS20240004228.exe, 00000000.00000003.1657090605.0000000003760000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1940276318.000000000359E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1940276318.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1896285791.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1893506386.0000000003000000.00000004.00000020.00020000.00000000.sdmp
          Source: eArchive_InvoiceNOS20240004228.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
          Source: eArchive_InvoiceNOS20240004228.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
          Source: eArchive_InvoiceNOS20240004228.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
          Source: eArchive_InvoiceNOS20240004228.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
          Source: eArchive_InvoiceNOS20240004228.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009C0A76 push ecx; ret 0_2_009C0A89
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040D03B push esi; iretd 1_2_0040D044
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00413987 push edi; iretd 1_2_00413988
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041EA7E push ecx; ret 1_2_0041EA84
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403200 push eax; ret 1_2_00403202
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00426A23 push edi; ret 1_2_00426A2E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041F37D pushfd; retf 1_2_0041F37E
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041E79B push edx; retf 1_2_0041E79C
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0340225F pushad; ret 1_2_034027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034027FA pushad; ret 1_2_034027F9
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_034309AD push ecx; mov dword ptr [esp], ecx 1_2_034309B6
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0340283D push eax; iretd 1_2_03402858
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0340135E push eax; iretd 1_2_03401369
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009BF98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A31C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion

          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep | graph_0-98884
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | API/Special instruction interceptor: Address: F23254
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0347096E rdtsc
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | API coverage: 4.0 %
          Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
          Source: C:\Windows\SysWOW64\svchost.exe TID: 7524 | Thread sleep time: -30000s >= -30000s
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A0DBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A168EE FindFirstFileW,FindClose
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A1698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A0D076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A0D3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A19642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A1979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A19B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A15C97 FindFirstFileW,FindNextFileW,FindClose
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
          Source: eArchive_InvoiceNOS20240004228.exe, 00000000.00000003.1650618945.000000000105F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: iLKvMcIMNKX*I
          Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
          Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0347096E rdtsc
          Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004175C3 LdrLoadDll
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_00A1EAA2 BlockInput
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe | Code function: 0_2_009A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E284 mov eax, dword ptr fs:[00000030h]1_2_0346E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E284 mov eax, dword ptr fs:[00000030h]1_2_0346E284
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B0283 mov eax, dword ptr fs:[00000030h]1_2_034B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B0283 mov eax, dword ptr fs:[00000030h]1_2_034B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B0283 mov eax, dword ptr fs:[00000030h]1_2_034B0283
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034402A0 mov eax, dword ptr fs:[00000030h]1_2_034402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034402A0 mov eax, dword ptr fs:[00000030h]1_2_034402A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]1_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C62A0 mov ecx, dword ptr fs:[00000030h]1_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]1_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]1_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]1_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C62A0 mov eax, dword ptr fs:[00000030h]1_2_034C62A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]1_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]1_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C4144 mov ecx, dword ptr fs:[00000030h]1_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]1_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C4144 mov eax, dword ptr fs:[00000030h]1_2_034C4144
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342C156 mov eax, dword ptr fs:[00000030h]1_2_0342C156
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C8158 mov eax, dword ptr fs:[00000030h]1_2_034C8158
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436154 mov eax, dword ptr fs:[00000030h]1_2_03436154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03436154 mov eax, dword ptr fs:[00000030h]1_2_03436154
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504164 mov eax, dword ptr fs:[00000030h]1_2_03504164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504164 mov eax, dword ptr fs:[00000030h]1_2_03504164
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]1_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]1_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]1_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]1_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]1_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]1_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]1_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]1_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov eax, dword ptr fs:[00000030h]1_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DE10E mov ecx, dword ptr fs:[00000030h]1_2_034DE10E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DA118 mov ecx, dword ptr fs:[00000030h]1_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DA118 mov eax, dword ptr fs:[00000030h]1_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DA118 mov eax, dword ptr fs:[00000030h]1_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034DA118 mov eax, dword ptr fs:[00000030h]1_2_034DA118
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F0115 mov eax, dword ptr fs:[00000030h]1_2_034F0115
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03460124 mov eax, dword ptr fs:[00000030h]1_2_03460124
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F61C3 mov eax, dword ptr fs:[00000030h]1_2_034F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F61C3 mov eax, dword ptr fs:[00000030h]1_2_034F61C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]1_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]1_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]1_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]1_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE1D0 mov eax, dword ptr fs:[00000030h]1_2_034AE1D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_035061E5 mov eax, dword ptr fs:[00000030h]1_2_035061E5
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034601F8 mov eax, dword ptr fs:[00000030h]1_2_034601F8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03470185 mov eax, dword ptr fs:[00000030h]1_2_03470185
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034EC188 mov eax, dword ptr fs:[00000030h]1_2_034EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034EC188 mov eax, dword ptr fs:[00000030h]1_2_034EC188
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D4180 mov eax, dword ptr fs:[00000030h]1_2_034D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D4180 mov eax, dword ptr fs:[00000030h]1_2_034D4180
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]1_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]1_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]1_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B019F mov eax, dword ptr fs:[00000030h]1_2_034B019F
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342A197 mov eax, dword ptr fs:[00000030h]1_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342A197 mov eax, dword ptr fs:[00000030h]1_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342A197 mov eax, dword ptr fs:[00000030h]1_2_0342A197
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03432050 mov eax, dword ptr fs:[00000030h]1_2_03432050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B6050 mov eax, dword ptr fs:[00000030h]1_2_034B6050
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345C073 mov eax, dword ptr fs:[00000030h]1_2_0345C073
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B4000 mov ecx, dword ptr fs:[00000030h]1_2_034B4000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]1_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]1_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]1_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]1_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]1_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]1_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]1_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D2000 mov eax, dword ptr fs:[00000030h]1_2_034D2000
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h]1_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h]1_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h]1_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344E016 mov eax, dword ptr fs:[00000030h]1_2_0344E016
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342A020 mov eax, dword ptr fs:[00000030h]1_2_0342A020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342C020 mov eax, dword ptr fs:[00000030h]1_2_0342C020
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C6030 mov eax, dword ptr fs:[00000030h]1_2_034C6030
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B20DE mov eax, dword ptr fs:[00000030h]1_2_034B20DE
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0342A0E3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034380E9 mov eax, dword ptr fs:[00000030h]1_2_034380E9
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B60E0 mov eax, dword ptr fs:[00000030h]1_2_034B60E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342C0F0 mov eax, dword ptr fs:[00000030h]1_2_0342C0F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034720F0 mov ecx, dword ptr fs:[00000030h]1_2_034720F0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343208A mov eax, dword ptr fs:[00000030h]1_2_0343208A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034280A0 mov eax, dword ptr fs:[00000030h]1_2_034280A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C80A8 mov eax, dword ptr fs:[00000030h]1_2_034C80A8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F60B8 mov eax, dword ptr fs:[00000030h]1_2_034F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F60B8 mov ecx, dword ptr fs:[00000030h]1_2_034F60B8
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346674D mov esi, dword ptr fs:[00000030h]1_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346674D mov eax, dword ptr fs:[00000030h]1_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346674D mov eax, dword ptr fs:[00000030h]1_2_0346674D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03430750 mov eax, dword ptr fs:[00000030h]1_2_03430750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BE75D mov eax, dword ptr fs:[00000030h]1_2_034BE75D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03472750 mov eax, dword ptr fs:[00000030h]1_2_03472750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03472750 mov eax, dword ptr fs:[00000030h]1_2_03472750
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B4755 mov eax, dword ptr fs:[00000030h]1_2_034B4755
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438770 mov eax, dword ptr fs:[00000030h]1_2_03438770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440770 mov eax, dword ptr fs:[00000030h]1_2_03440770
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C700 mov eax, dword ptr fs:[00000030h]1_2_0346C700
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03430710 mov eax, dword ptr fs:[00000030h]1_2_03430710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03460710 mov eax, dword ptr fs:[00000030h]1_2_03460710
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C720 mov eax, dword ptr fs:[00000030h]1_2_0346C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C720 mov eax, dword ptr fs:[00000030h]1_2_0346C720
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346273C mov eax, dword ptr fs:[00000030h]1_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346273C mov ecx, dword ptr fs:[00000030h]1_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346273C mov eax, dword ptr fs:[00000030h]1_2_0346273C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AC730 mov eax, dword ptr fs:[00000030h]1_2_034AC730
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343C7C0 mov eax, dword ptr fs:[00000030h]1_2_0343C7C0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B07C3 mov eax, dword ptr fs:[00000030h]1_2_034B07C3
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]1_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]1_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034527ED mov eax, dword ptr fs:[00000030h]1_2_034527ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BE7E1 mov eax, dword ptr fs:[00000030h]1_2_034BE7E1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034347FB mov eax, dword ptr fs:[00000030h]1_2_034347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034347FB mov eax, dword ptr fs:[00000030h]1_2_034347FB
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034D678E mov eax, dword ptr fs:[00000030h]1_2_034D678E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034307AF mov eax, dword ptr fs:[00000030h]1_2_034307AF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034E47A0 mov eax, dword ptr fs:[00000030h]1_2_034E47A0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344C640 mov eax, dword ptr fs:[00000030h]1_2_0344C640
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F866E mov eax, dword ptr fs:[00000030h]1_2_034F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034F866E mov eax, dword ptr fs:[00000030h]1_2_034F866E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A660 mov eax, dword ptr fs:[00000030h]1_2_0346A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A660 mov eax, dword ptr fs:[00000030h]1_2_0346A660
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03462674 mov eax, dword ptr fs:[00000030h]1_2_03462674
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE609 mov eax, dword ptr fs:[00000030h]1_2_034AE609
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344260B mov eax, dword ptr fs:[00000030h]1_2_0344260B
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03472619 mov eax, dword ptr fs:[00000030h]1_2_03472619
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0344E627 mov eax, dword ptr fs:[00000030h]1_2_0344E627
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03466620 mov eax, dword ptr fs:[00000030h]1_2_03466620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03468620 mov eax, dword ptr fs:[00000030h]1_2_03468620
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0343262C mov eax, dword ptr fs:[00000030h]1_2_0343262C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0346A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A6C7 mov eax, dword ptr fs:[00000030h]1_2_0346A6C7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]1_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]1_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]1_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034AE6F2 mov eax, dword ptr fs:[00000030h]1_2_034AE6F2
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B06F1 mov eax, dword ptr fs:[00000030h]1_2_034B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B06F1 mov eax, dword ptr fs:[00000030h]1_2_034B06F1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03434690 mov eax, dword ptr fs:[00000030h]1_2_03434690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03434690 mov eax, dword ptr fs:[00000030h]1_2_03434690
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C6A6 mov eax, dword ptr fs:[00000030h]1_2_0346C6A6
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034666B0 mov eax, dword ptr fs:[00000030h]1_2_034666B0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438550 mov eax, dword ptr fs:[00000030h]1_2_03438550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03438550 mov eax, dword ptr fs:[00000030h]1_2_03438550
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]1_2_0346656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]1_2_0346656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346656A mov eax, dword ptr fs:[00000030h]1_2_0346656A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034C6500 mov eax, dword ptr fs:[00000030h]1_2_034C6500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03504500 mov eax, dword ptr fs:[00000030h]1_2_03504500
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03440535 mov eax, dword ptr fs:[00000030h]1_2_03440535
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]1_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]1_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]1_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]1_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E53E mov eax, dword ptr fs:[00000030h]1_2_0345E53E
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E5CF mov eax, dword ptr fs:[00000030h]1_2_0346E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E5CF mov eax, dword ptr fs:[00000030h]1_2_0346E5CF
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034365D0 mov eax, dword ptr fs:[00000030h]1_2_034365D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A5D0 mov eax, dword ptr fs:[00000030h]1_2_0346A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346A5D0 mov eax, dword ptr fs:[00000030h]1_2_0346A5D0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345E5E7 mov eax, dword ptr fs:[00000030h]1_2_0345E5E7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034325E0 mov eax, dword ptr fs:[00000030h]1_2_034325E0
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C5ED mov eax, dword ptr fs:[00000030h]1_2_0346C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346C5ED mov eax, dword ptr fs:[00000030h]1_2_0346C5ED
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03432582 mov eax, dword ptr fs:[00000030h]1_2_03432582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03432582 mov ecx, dword ptr fs:[00000030h]1_2_03432582
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03464588 mov eax, dword ptr fs:[00000030h]1_2_03464588
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E59C mov eax, dword ptr fs:[00000030h]1_2_0346E59C
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]1_2_034B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]1_2_034B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034B05A7 mov eax, dword ptr fs:[00000030h]1_2_034B05A7
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034545B1 mov eax, dword ptr fs:[00000030h]1_2_034545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034545B1 mov eax, dword ptr fs:[00000030h]1_2_034545B1
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0346E443 mov eax, dword ptr fs:[00000030h]1_2_0346E443
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034EA456 mov eax, dword ptr fs:[00000030h]1_2_034EA456
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0342645D mov eax, dword ptr fs:[00000030h]1_2_0342645D
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345245A mov eax, dword ptr fs:[00000030h]1_2_0345245A
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_034BC460 mov ecx, dword ptr fs:[00000030h]1_2_034BC460
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]1_2_0345A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]1_2_0345A470
          Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0345A470 mov eax, dword ptr fs:[00000030h]1_2_0345A470
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342E420 mov eax, dword ptr fs:[00000030h] 1_2_0342E420
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342C427 mov eax, dword ptr fs:[00000030h] 1_2_0342C427
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B6420 mov eax, dword ptr fs:[00000030h] 1_2_034B6420
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346A430 mov eax, dword ptr fs:[00000030h] 1_2_0346A430
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034304E5 mov ecx, dword ptr fs:[00000030h] 1_2_034304E5
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034EA49A mov eax, dword ptr fs:[00000030h] 1_2_034EA49A
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034364AB mov eax, dword ptr fs:[00000030h] 1_2_034364AB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034644B0 mov ecx, dword ptr fs:[00000030h] 1_2_034644B0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034BA4B0 mov eax, dword ptr fs:[00000030h] 1_2_034BA4B0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034E4B4B mov eax, dword ptr fs:[00000030h] 1_2_034E4B4B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03502B57 mov eax, dword ptr fs:[00000030h] 1_2_03502B57
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034C6B40 mov eax, dword ptr fs:[00000030h] 1_2_034C6B40
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034FAB40 mov eax, dword ptr fs:[00000030h] 1_2_034FAB40
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034D8B42 mov eax, dword ptr fs:[00000030h] 1_2_034D8B42
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03428B50 mov eax, dword ptr fs:[00000030h] 1_2_03428B50
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034DEB50 mov eax, dword ptr fs:[00000030h] 1_2_034DEB50
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0342CB7E mov eax, dword ptr fs:[00000030h] 1_2_0342CB7E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03504B00 mov eax, dword ptr fs:[00000030h] 1_2_03504B00
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034AEB1D mov eax, dword ptr fs:[00000030h] 1_2_034AEB1D
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0345EB20 mov eax, dword ptr fs:[00000030h] 1_2_0345EB20
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034F8B28 mov eax, dword ptr fs:[00000030h] 1_2_034F8B28
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03450BCB mov eax, dword ptr fs:[00000030h] 1_2_03450BCB
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03430BCD mov eax, dword ptr fs:[00000030h] 1_2_03430BCD
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034DEBD0 mov eax, dword ptr fs:[00000030h] 1_2_034DEBD0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03438BF0 mov eax, dword ptr fs:[00000030h] 1_2_03438BF0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0345EBFC mov eax, dword ptr fs:[00000030h] 1_2_0345EBFC
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034BCBF0 mov eax, dword ptr fs:[00000030h] 1_2_034BCBF0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03440BBE mov eax, dword ptr fs:[00000030h] 1_2_03440BBE
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034E4BB0 mov eax, dword ptr fs:[00000030h] 1_2_034E4BB0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03436A50 mov eax, dword ptr fs:[00000030h] 1_2_03436A50
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03440A5B mov eax, dword ptr fs:[00000030h] 1_2_03440A5B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346CA6F mov eax, dword ptr fs:[00000030h] 1_2_0346CA6F
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034DEA60 mov eax, dword ptr fs:[00000030h] 1_2_034DEA60
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034ACA72 mov eax, dword ptr fs:[00000030h] 1_2_034ACA72
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034BCA11 mov eax, dword ptr fs:[00000030h] 1_2_034BCA11
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346CA24 mov eax, dword ptr fs:[00000030h] 1_2_0346CA24
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0345EA2E mov eax, dword ptr fs:[00000030h] 1_2_0345EA2E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03454A35 mov eax, dword ptr fs:[00000030h] 1_2_03454A35
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346CA38 mov eax, dword ptr fs:[00000030h] 1_2_0346CA38
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03486ACC mov eax, dword ptr fs:[00000030h] 1_2_03486ACC
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03430AD0 mov eax, dword ptr fs:[00000030h] 1_2_03430AD0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03464AD0 mov eax, dword ptr fs:[00000030h] 1_2_03464AD0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346AAEE mov eax, dword ptr fs:[00000030h] 1_2_0346AAEE
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0343EA80 mov eax, dword ptr fs:[00000030h] 1_2_0343EA80
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03504A80 mov eax, dword ptr fs:[00000030h] 1_2_03504A80
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03468A90 mov edx, dword ptr fs:[00000030h] 1_2_03468A90
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03438AA0 mov eax, dword ptr fs:[00000030h] 1_2_03438AA0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03486AA4 mov eax, dword ptr fs:[00000030h] 1_2_03486AA4
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B0946 mov eax, dword ptr fs:[00000030h] 1_2_034B0946
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03504940 mov eax, dword ptr fs:[00000030h] 1_2_03504940
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03456962 mov eax, dword ptr fs:[00000030h] 1_2_03456962
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0347096E mov eax, dword ptr fs:[00000030h] 1_2_0347096E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0347096E mov edx, dword ptr fs:[00000030h] 1_2_0347096E
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034D4978 mov eax, dword ptr fs:[00000030h] 1_2_034D4978
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034BC97C mov eax, dword ptr fs:[00000030h] 1_2_034BC97C
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034AE908 mov eax, dword ptr fs:[00000030h] 1_2_034AE908
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034BC912 mov eax, dword ptr fs:[00000030h] 1_2_034BC912
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03428918 mov eax, dword ptr fs:[00000030h] 1_2_03428918
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B892A mov eax, dword ptr fs:[00000030h] 1_2_034B892A
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034C892B mov eax, dword ptr fs:[00000030h] 1_2_034C892B
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034C69C0 mov eax, dword ptr fs:[00000030h] 1_2_034C69C0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0343A9D0 mov eax, dword ptr fs:[00000030h] 1_2_0343A9D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034649D0 mov eax, dword ptr fs:[00000030h] 1_2_034649D0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034FA9D3 mov eax, dword ptr fs:[00000030h] 1_2_034FA9D3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034BE9E0 mov eax, dword ptr fs:[00000030h] 1_2_034BE9E0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034629F9 mov eax, dword ptr fs:[00000030h] 1_2_034629F9
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034429A0 mov eax, dword ptr fs:[00000030h] 1_2_034429A0
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034309AD mov eax, dword ptr fs:[00000030h] 1_2_034309AD
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B89B3 mov esi, dword ptr fs:[00000030h] 1_2_034B89B3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034B89B3 mov eax, dword ptr fs:[00000030h] 1_2_034B89B3
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03442840 mov ecx, dword ptr fs:[00000030h] 1_2_03442840
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03460854 mov eax, dword ptr fs:[00000030h] 1_2_03460854
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03434859 mov eax, dword ptr fs:[00000030h] 1_2_03434859
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034BE872 mov eax, dword ptr fs:[00000030h] 1_2_034BE872
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034C6870 mov eax, dword ptr fs:[00000030h] 1_2_034C6870
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034BC810 mov eax, dword ptr fs:[00000030h] 1_2_034BC810
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03452835 mov eax, dword ptr fs:[00000030h] 1_2_03452835
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03452835 mov ecx, dword ptr fs:[00000030h] 1_2_03452835
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0346A830 mov eax, dword ptr fs:[00000030h] 1_2_0346A830
          Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_034D483A mov eax, dword ptr fs:[00000030h] 1_2_034D483A
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Code function: 0_2_00A00B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00A00B62
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Code function: 0_2_009D2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_009D2622
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Code function: 0_2_009C083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_009C083F
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Code function: 0_2_009C09D5 SetUnhandledExceptionFilter, 0_2_009C09D5
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Code function: 0_2_009C0C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_009C0C21

          HIPS / PFW / Operating System Protection Evasion

          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Memory written: C:\Windows\SysWOW64\svchost.exe base: 707008
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Code function: 0_2_00A01201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_00A01201
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Code function: 0_2_009E2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_009E2BA5
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Code function: 0_2_00A0B226 SendInput,keybd_event, 0_2_00A0B226
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Code function: 0_2_00A222DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_00A222DA
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe"
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Code function: 0_2_00A00B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_00A00B62
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Code function: 0_2_00A01663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_00A01663
          Source: eArchive_InvoiceNOS20240004228.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
          Source: eArchive_InvoiceNOS20240004228.exe Binary or memory string: Shell_TrayWnd
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Code function: 0_2_009C0698 cpuid 0_2_009C0698
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Code function: 0_2_00A18195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_00A18195
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Code function: 0_2_009FD27A GetUserNameW, 0_2_009FD27A
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Code function: 0_2_009DBB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_009DBB6F
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Code function: 0_2_009A42DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_009A42DE

          Stealing of Sensitive Information

          Source: Yara match, File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000001.00000002.1940113309.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.1939939255.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: eArchive_InvoiceNOS20240004228.exe Binary or memory string: WIN_81
          Source: eArchive_InvoiceNOS20240004228.exe Binary or memory string: WIN_XP
          Source: eArchive_InvoiceNOS20240004228.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
          Source: eArchive_InvoiceNOS20240004228.exe Binary or memory string: WIN_XPe
          Source: eArchive_InvoiceNOS20240004228.exe Binary or memory string: WIN_VISTA
          Source: eArchive_InvoiceNOS20240004228.exe Binary or memory string: WIN_7
          Source: eArchive_InvoiceNOS20240004228.exe Binary or memory string: WIN_8

          Remote Access Functionality

          Source: Yara match, File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
          Source: Yara match, File source: 00000001.00000002.1940113309.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
          Source: Yara match, File source: 00000001.00000002.1939939255.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Code function: 0_2_00A21204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_00A21204
          Source: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe Code function: 0_2_00A21806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_00A21806
          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 1 Native API | 2 Valid Accounts | 2 Valid Accounts | 2 Valid Accounts | 21 Input Capture | 2 System Time Discovery | Remote Services | 21 Input Capture | 1 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
          Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 1 Disable or Modify Tools | LSASS Memory | 241 Security Software Discovery | Remote Desktop Protocol | 1 Archive Collected Data | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 21 Access Token Manipulation | 12 Virtualization/Sandbox Evasion | Security Account Manager | 12 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | 3 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 212 Process Injection | 21 Access Token Manipulation | NTDS | 3 Process Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 DLL Side-Loading | 212 Process Injection | LSA Secrets | 1 Application Window Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Deobfuscate/Decode Files or Information | Cached Domain Credentials | 1 Account Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
          DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 2 Obfuscated Files or Information | DCSync | 1 System Owner/User Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
          Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 1 File and Directory Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
          Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 115 System Information Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
          Source | Detection | Scanner | Label
          eArchive_InvoiceNOS20240004228.exe | 45% | ReversingLabs | Win32.Trojan.AutoitInject
          eArchive_InvoiceNOS20240004228.exe | 25% | Virustotal |
          eArchive_InvoiceNOS20240004228.exe | 100% | Joe Sandbox ML |
          No Antivirus matches
          No contacted domains info
          No contacted IP infos
          Joe Sandbox version:40.0.0 Tourmaline
          Analysis ID:1501603
          Start date and time:2024-08-30 07:29:05 +02:00
          Joe Sandbox product:CloudBasic
          Overall analysis duration:0h 5m 25s
          Hypervisor based Inspection enabled:false
          Report type:full
          Cookbook file name:default.jbs
          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
          Number of analysed new started processes analysed:7
          Number of new started drivers analysed:0
          Number of existing processes analysed:0
          Number of existing drivers analysed:0
          Number of injected processes analysed:0
          Technologies:
          • HCA enabled
          • EGA enabled
          • AMSI enabled
          Analysis Mode:default
          Analysis stop reason:Timeout
          Sample name:eArchive_InvoiceNOS20240004228.exe
          Detection:MAL
          Classification:mal96.troj.evad.winEXE@3/4@0/0
          EGA Information:
          • Successful, ratio: 100%
          HCA Information:
          • Successful, ratio: 97%
          • Number of executed functions: 53
          • Number of non-executed functions: 297
          Cookbook Comments:
          • Found application associated with file extension: .exe
          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
          • Not all processes were analyzed; the report is missing behavior information
          • Report size exceeded maximum capacity and may have missing disassembly code.
          Time | Type | Description
          01:30:19 | API Interceptor | 3x Sleep call for process: svchost.exe modified
          No context
          Process:C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe
          File Type:data
          Category:dropped
          Size (bytes):287744
          Entropy (8bit):7.9948169543529515
          Encrypted:true
          SSDEEP:6144:7brfX+fJJtBBXGrmRZShRuLh7WoezUCZJgwnUJ0V4QkI:7XfXqWiRZSTS7WoeQCdnWa4M
          MD5:21F8ADAE4218B44180B17E0062C44E32
          SHA1:E644595092905732E5D451757D6F1079DD5B2D0C
          SHA-256:20FEE253D4A59B23259CA99C5BBB7D098F8E0DCC360E6A776A918AD741381952
          SHA-512:2ADFB821AAD0F11BC313525813862627DEF7C1BD8DC02158EF48A1FC057DADCEEA3A470D775A235F1ABB07FCF5E1CD6B6C54E46A20186D2E4548222D61D118ED
          Malicious:false
          Reputation:low
          Preview:x.}b.KQ6S..C....w.TJ...pZ0...807KQ6SFALJ57A8K6TIAD7XY895X80.KQ6]Y.BJ.>...7..`._1*.IG7_BV&qU2(/#>.U$.9C:i(*...k.X7\U.F\<wFALJ57AAJ?.t!#.e9_..8_.-...i&&.P....+Q.S...d9_.g1[X.+6.SFALJ57Ah.6T.@E7.>.X5X807KQ6.FCMA4<A8.2TIAD7XY895L807[Q6S6ELJ5wA8[6TICD7^Y895X801KQ6SFALJE3A8I6TIAD7ZYx.5X(07[Q6SFQLJ%7A8K6TYAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALdAR9LK6TM.@7XI895.<07[Q6SFALJ57A8K6TiADWXY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6TIAD7XY895X807KQ6SFALJ57A8K6T
          Process:C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe
          File Type:data
          Category:dropped
          Size (bytes):11312
          Entropy (8bit):7.60275260213142
          Encrypted:false
          SSDEEP:192:x7FGNNtmFTUJqiu2z3BJDX4vGXe9afeaqqiEd5Sd3GAr0rFKFqJEu8SSg/f7bp:3GrtmgugRJDX4vGOxaUEj+r0rF2Ju8SL
          MD5:B955CE92790387C35D8A2ADA9CE1D7B3
          SHA1:FB2070DF9EC99162E121657FCA9E8A0FA8F2EC5C
          SHA-256:190AB40807CA6833003D957DD29891ACD8A3DC4EBD615D86F0A96562CE006AC0
          SHA-512:1E26BB9FAA0C9EA8F7D32280553FCBADFE4D3127BF70B32855AAF71AF404386A9251914F853FE96CA9B77E27141D503B431940D01BE9445394182D816A949AA6
          Malicious:false
          Reputation:low
          Preview:EA06.....K.......d..Y%.P."./.K........... .B./....@...|`......p.........8......|.. ....3...P."......l.,.. ......@. ...........Y.....B.....C .M.....L...B.....L.....(.`..b..X.C6.!....4.....C3...n..M. ?...N."3a......... ...2......@....M..6.A.....h...!O....Y..>.0..@9...a4.......Lg.......&' ....@....p.... N....Sv.)..bj.MY........vf@.......14.p...'.....W@..(..,...E....8}V ....q.p..`........p~...M......l......d.....t.....l.s..*f..........6@"0.....b.(..53.@.....bvn......s........d.....6.....#.)........1a.0..S14.L...5.$' .......3.@.....@........vd.....h.... l...... .L..C...... ........eFh......@y55. ..90.,.-3p!..@I:...-.l`.....|........l.........c....G...7.......<.Y..*g.......A.>.....2.x.,>0..L..:.....>`'....9H.....'.Y..>@&.M.Q..D.S..J|...).6.....1b....I..O....@.O.... ,......`.... <.....X0.)... :..V&.H. .f.Q8...(<&@...$.I..z|.Y...H}........8.H...>i.....X..~ U....a..&.\.....& 0..=......H...;<....3 ...d.y.DO.`.y...h.C..ff...LAM?@........@.4.........n>i.&ff."...lA].......I8....
          Process:C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe
          File Type:ASCII text, with very long lines (57348), with no line terminators
          Category:dropped
          Size (bytes):57348
          Entropy (8bit):2.7928078937306
          Encrypted:false
          SSDEEP:768:iKfIDzeot8ltZ7hd88qNApr6ccdoIZlbk9OEmlrWhMb+0ax3v4YyMoqboKVYNDCj:PfezeoGrjaZlST8SQjdo
          MD5:EF408278A8E30B0EF94EA7F96188AADA
          SHA1:D02EBC8540B824CD2D2D66B765CB73FC8669CB04
          SHA-256:E173477604185A9299A44139957761A287017CF8D4FF99405C6217BEF2DF1B1C
          SHA-512:BBF1DBAAFED20A8621C63DC9C20B1713243F327F2ACE0DBCB2DA7955DCF84B2420548B9120F111B2A84B0D962B7E0CB9E4540078F0D1BFE811F7A73E5E8AC2CC
          Malicious:false
          Reputation:low
          Preview:(omitted)
          Process:C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe
          (Second dropped-file entry with the same size, MD5/SHA1/SHA-256/SHA-512, SSDEEP and preview as the first dropped file above, i.e. the same 287744-byte high-entropy blob written a second time; the repeated details are not listed again.)
          File type:PE32 executable (GUI) Intel 80386, for MS Windows
          Entropy (8bit):7.182021942578311
          TrID:
          • Win32 Executable (generic) a (10002005/4) 99.96%
          • Generic Win/DOS Executable (2004/3) 0.02%
          • DOS Executable Generic (2002/1) 0.02%
          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
          File name:eArchive_InvoiceNOS20240004228.exe
          File size:1'296'384 bytes
          MD5:7cc6d90beb7d480a3d35e9fff03832c4
          SHA1:f8ba9237ffef8fede8c78a973faffaad887282cd
          SHA256:2b504ff2d16bd1d86e92be2b650baff5cd1656df06ffae2fc254ce0303a03ea2
          SHA512:3c64d65ded063fd04429fa999184d835bc4f24f0fa52ea39400203140e4d17ad272a2c1ed3829991104dc6f4b547f49ae801d1d7799a33f5bfc639fc96741d55
          SSDEEP:24576:5qDEvCTbMWu7rQYlBQcBiT6rprG8abXwuFam7B4wdyotzu2:5TvC/MTQYxsWR7abXwujqQyuq
          TLSH:6755C0027391C062FF9B92334F5BF6514BBC6A260123A61F13981DB9BE705B1563E7A3
          File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......................j:......j:..C...j:......@.*...............................n.......~.............{.......{.......{.........z....
          Icon Hash:aaf3e3e3938382a0
          Entrypoint:0x420577
          Entrypoint Section:.text
          Digitally signed:false
          Imagebase:0x400000
          Subsystem:windows gui
          Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
          Time Stamp:0x66D10DE3 [Fri Aug 30 00:10:11 2024 UTC]
          TLS Callbacks:
          CLR (.Net) Version:
          OS Version Major:5
          OS Version Minor:1
          File Version Major:5
          File Version Minor:1
          Subsystem Version Major:5
          Subsystem Version Minor:1
          Import Hash:948cc502fe9226992dce9417f952fce3
          Instruction
          call 00007F976CC63B03h
          jmp 00007F976CC6340Fh
          push ebp
          mov ebp, esp
          push esi
          push dword ptr [ebp+08h]
          mov esi, ecx
          call 00007F976CC635EDh
          mov dword ptr [esi], 0049FDF0h
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          and dword ptr [ecx+04h], 00000000h
          mov eax, ecx
          and dword ptr [ecx+08h], 00000000h
          mov dword ptr [ecx+04h], 0049FDF8h
          mov dword ptr [ecx], 0049FDF0h
          ret
          push ebp
          mov ebp, esp
          push esi
          push dword ptr [ebp+08h]
          mov esi, ecx
          call 00007F976CC635BAh
          mov dword ptr [esi], 0049FE0Ch
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          and dword ptr [ecx+04h], 00000000h
          mov eax, ecx
          and dword ptr [ecx+08h], 00000000h
          mov dword ptr [ecx+04h], 0049FE14h
          mov dword ptr [ecx], 0049FE0Ch
          ret
          push ebp
          mov ebp, esp
          push esi
          mov esi, ecx
          lea eax, dword ptr [esi+04h]
          mov dword ptr [esi], 0049FDD0h
          and dword ptr [eax], 00000000h
          and dword ptr [eax+04h], 00000000h
          push eax
          mov eax, dword ptr [ebp+08h]
          add eax, 04h
          push eax
          call 00007F976CC661ADh
          pop ecx
          pop ecx
          mov eax, esi
          pop esi
          pop ebp
          retn 0004h
          lea eax, dword ptr [ecx+04h]
          mov dword ptr [ecx], 0049FDD0h
          push eax
          call 00007F976CC661F8h
          pop ecx
          ret
          push ebp
          mov ebp, esp
          push esi
          mov esi, ecx
          lea eax, dword ptr [esi+04h]
          mov dword ptr [esi], 0049FDD0h
          push eax
          call 00007F976CC661E1h
          test byte ptr [ebp+08h], 00000001h
          pop ecx
          Programming Language:
          • [ C ] VS2008 SP1 build 30729
          • [IMP] VS2008 SP1 build 30729
          Name | Virtual Address | Virtual Size | Is in Section
          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
          IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc8e64 | 0x17c | .rdata
          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xd4000 | 0x65d84 | .rsrc
          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x13a000 | 0x7594 | .reloc
          IMAGE_DIRECTORY_ENTRY_DEBUG | 0xb0ff0 | 0x1c | .rdata
          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
          IMAGE_DIRECTORY_ENTRY_TLS | 0xc3400 | 0x18 | .rdata
          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb1010 | 0x40 | .rdata
          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
          IMAGE_DIRECTORY_ENTRY_IAT | 0x9c000 | 0x894 | .rdata
          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
          .text | 0x1000 | 0x9ab1d | 0x9ac00 | 0a1473f3064dcbc32ef93c5c8a90f3a6 | False | 0.565500681542811 | data | 6.668273581389308 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          .rdata | 0x9c000 | 0x2fb82 | 0x2fc00 | c9cf2468b60bf4f80f136ed54b3989fb | False | 0.35289185209424084 | data | 5.691811547483722 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .data | 0xcc000 | 0x706c | 0x4800 | 53b9025d545d65e23295e30afdbd16d9 | False | 0.04356553819444445 | DOS executable (block device driver @\273\) | 0.5846666986982398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
          .rsrc | 0xd4000 | 0x65d84 | 0x65e00 | d2bcf1d852678cb2fc94a1d8f83cc7cc | False | 0.9357577645705522 | data | 7.909578783510011 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
          .reloc | 0x13a000 | 0x7594 | 0x7600 | c68ee8931a32d45eb82dc450ee40efc3 | False | 0.7628111758474576 | data | 6.7972128181359786 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
          Name | RVA | Size | Type | Language | Country | ZLIB Complexity
          RT_ICON | 0xd45a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
          RT_ICON | 0xd46d0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
          RT_ICON | 0xd47f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
          RT_ICON | 0xd4920 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
          RT_ICON | 0xd4c08 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
          RT_ICON | 0xd4d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
          RT_ICON | 0xd5bd8 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
          RT_ICON | 0xd6480 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
          RT_ICON | 0xd69e8 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
          RT_ICON | 0xd8f90 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
          RT_ICON | 0xda038 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
          RT_MENU | 0xda4a0 | 0x50 | data | English | Great Britain | 0.9
          RT_STRING | 0xda4f0 | 0x594 | data | English | Great Britain | 0.3333333333333333
          RT_STRING | 0xdaa84 | 0x68a | data | English | Great Britain | 0.2735961768219833
          RT_STRING | 0xdb110 | 0x490 | data | English | Great Britain | 0.3715753424657534
          RT_STRING | 0xdb5a0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
          RT_STRING | 0xdbb9c | 0x65c | data | English | Great Britain | 0.34336609336609336
          RT_STRING | 0xdc1f8 | 0x466 | data | English | Great Britain | 0.3605683836589698
          RT_STRING | 0xdc660 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
          RT_RCDATA | 0xdc7b8 | 0x5d01c | data | - | - | 1.0003307468579048
          RT_GROUP_ICON | 0x1397d4 | 0x76 | data | English | Great Britain | 0.6610169491525424
          RT_GROUP_ICON | 0x13984c | 0x14 | data | English | Great Britain | 1.25
          RT_GROUP_ICON | 0x139860 | 0x14 | data | English | Great Britain | 1.15
          RT_GROUP_ICON | 0x139874 | 0x14 | data | English | Great Britain | 1.25
          RT_VERSION | 0x139888 | 0x10c | data | English | Great Britain | 0.582089552238806
          RT_MANIFEST | 0x139994 | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
          DLL | Imports
          WSOCK32.dll | gethostbyname, recv, send, socket, inet_ntoa, setsockopt, ntohs, WSACleanup, WSAStartup, sendto, htons, __WSAFDIsSet, select, accept, listen, bind, inet_addr, ioctlsocket, recvfrom, WSAGetLastError, closesocket, gethostname, connect
          VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
          WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
          COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
          MPR.dll | WNetGetConnectionW, WNetCancelConnection2W, WNetUseConnectionW, WNetAddConnection2W
          WININET.dll | HttpOpenRequestW, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, InternetConnectW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetQueryDataAvailable
          PSAPI.DLL | GetProcessMemoryInfo
          IPHLPAPI.DLL | IcmpSendEcho, IcmpCloseHandle, IcmpCreateFile
          USERENV.dll | DestroyEnvironmentBlock, LoadUserProfileW, CreateEnvironmentBlock, UnloadUserProfile
          UxTheme.dll | IsThemeActive
          KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetShortPathNameW, DeleteFileW, IsDebuggerPresent, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, LoadResource, LockResource, SizeofResource, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, LoadLibraryW, GetLocalTime, CompareStringW, GetCurrentThread, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, VirtualAlloc, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCurrentProcess, CloseHandle, GetFullPathNameW, GetStartupInfoW, GetSystemTimeAsFileTime, InitializeSListHead, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, ResumeThread, FreeLibraryAndExitThread, GetACP, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetStringTypeW, GetFileType, SetStdHandle, GetConsoleCP, GetConsoleMode, ReadConsoleW, GetTimeZoneInformation, FindFirstFileExW, IsValidCodePage, GetOEMCP, GetCPInfo, GetCommandLineA, GetCommandLineW, GetEnvironmentStringsW, FreeEnvironmentStringsW, SetEnvironmentVariableA, SetCurrentDirectoryW, FindNextFileW, WriteConsoleW
          USER32.dll | GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, PeekMessageW, GetInputState, UnregisterHotKey, CharLowerBuffW, MonitorFromPoint, MonitorFromRect, LoadImageW, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, ClientToScreen, GetCursorPos, DeleteMenu, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, LockWindowUpdate, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, RegisterHotKey, GetCursorInfo, SetWindowPos, CopyImage, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, TrackPopupMenuEx, GetMessageW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, DispatchMessageW, keybd_event, TranslateMessage, ScreenToClient
          GDI32.dll | EndPath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, GetDeviceCaps, SetPixel, CloseFigure, LineTo, AngleArc, MoveToEx, Ellipse, CreateCompatibleBitmap, CreateCompatibleDC, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, SelectObject, StretchBlt, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, GetDIBits, StrokePath
          COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
          ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, RegCreateKeyExW, GetSecurityDescriptorDacl, GetAclInformation, GetUserNameW, AddAce, SetSecurityDescriptorDacl, InitiateSystemShutdownExW
          SHELL32.dll | DragFinish, DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW
          ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
          OLEAUT32.dll | CreateStdDispatch, CreateDispTypeInfo, UnRegisterTypeLib, UnRegisterTypeLibForUser, RegisterTypeLibForUser, RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, VariantChangeType, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, SysStringLen, QueryPathOfRegTypeLib, SysAllocString, VariantInit, VariantClear, DispCallFunc, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, SafeArrayDestroyDescriptor, VariantCopy, OleLoadPicture
          Language of compilation system | Country where language is spoken
          English | Great Britain
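          Added example, not part of the Joe Sandbox report and not AutoIt's or the sample's code: a stdlib-only Python section parser that reproduces the Entropy and Characteristics columns of the section table above and applies the two triage checks a practitioner runs against such a table. The reason the check matters for this sample: .rsrc has entropy 7.91 and contains a 0x5d01c-byte RT_RCDATA resource with ZLIB complexity 1.00 (already incompressible), which is where a compiled AutoIt executable stores its script; the AutoIt verdict and the high-entropy resource section are two views of the same artifact, and the broad WSOCK32/WININET/IPHLPAPI/USER32 import list belongs to the AutoIt3 interpreter stub that every compiled AutoIt binary carries, not to the embedded script. The PE the code parses is a two-section PE32 skeleton constructed inside the block (a low-entropy code section and a random-byte resource section), not this sample; the 7.5 entropy threshold is a working assumption.

```python
import math
import random
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Section characteristic bits from the PE specification
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


@dataclass
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    raw_offset: int
    characteristics: int
    entropy: float


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 .. 8.0), the figure in the report's Entropy column."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> List[Section]:
    """Walk DOS header -> PE signature -> COFF header -> section table of a PE file held in memory."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40                      # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rsize, roff = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        raw = image[roff:roff + rsize]
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                va, vsize, rsize, roff, chars, shannon_entropy(raw)))
    return sections


def suspicious(section: Section, entropy_threshold: float = 7.5) -> List[str]:
    """Triage heuristics: near-8.0 entropy means compressed or encrypted content; W+X is a red flag."""
    reasons = []
    if section.entropy >= entropy_threshold:
        reasons.append("high entropy")
    if section.characteristics & IMAGE_SCN_MEM_EXECUTE and section.characteristics & IMAGE_SCN_MEM_WRITE:
        reasons.append("writable and executable")
    return reasons


def build_sample_pe(sections: List[Tuple[str, bytes, int]]) -> bytes:
    """Build a minimal, non-runnable PE32 file so the parser can be exercised offline (constructed data)."""
    file_align, sect_align, pe_off, opt_size = 0x200, 0x1000, 0x40, 0xE0
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)        # ImageBase
    struct.pack_into("<II", opt, 32, sect_align, file_align)
    headers = bytearray(dos + b"PE\0\0" + coff + opt)
    hdr_size = -(-(len(headers) + 40 * len(sections)) // file_align) * file_align
    body, va, raw = bytearray(), sect_align, hdr_size
    for name, data, chars in sections:
        rsize = -(-len(data) // file_align) * file_align
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                               len(data), va, rsize, raw, 0, 0, 0, 0, chars)
        body += data.ljust(rsize, b"\0")
        va += -(-len(data) // sect_align) * sect_align
        raw += rsize
    return bytes(headers.ljust(hdr_size, b"\0") + body)


# Constructed sample: a low-entropy code section and a high-entropy resource section standing in
# for the report's .rsrc (entropy 7.91) that carries the incompressible RT_RCDATA blob.
_rng = random.Random(7)
SAMPLE_PE = build_sample_pe([
    (".text", b"\x55\x8b\xec\x5d\xc3" * 600, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".rsrc", bytes(_rng.getrandbits(8) for _ in range(8192)), IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
])


def triage(image: bytes) -> List[Tuple[str, float, List[str]]]:
    return [(s.name, round(s.entropy, 2), suspicious(s)) for s in parse_sections(image)]


if __name__ == "__main__":
    for name, ent, reasons in triage(SAMPLE_PE):
        print(f"{name:8} entropy={ent:.2f} {', '.join(reasons) or 'ok'}")
```

          Run against a real file, `parse_sections(open(path, "rb").read())` gives the same per-section entropies the report prints; on this sample the check would single out .rsrc, and the next step is to carve the RT_RCDATA resource at RVA 0xdc7b8 rather than to keep reading the interpreter's code in .text.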
          No network behavior found


          Target ID:0
          Start time:01:29:53
          Start date:30/08/2024
          Path:C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe"
          Imagebase:0x9a0000
          File size:1'296'384 bytes
          MD5 hash:7CC6D90BEB7D480A3D35E9FFF03832C4
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Reputation:low
          Has exited:true

          Target ID:1
          Start time:01:29:54
          Start date:30/08/2024
          Path:C:\Windows\SysWOW64\svchost.exe
          Wow64 process (32bit):true
          Commandline:"C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe"
          Imagebase:0xb10000
          File size:46'504 bytes
          MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
          Has elevated privileges:true
          Has administrator privileges:true
          Programmed in:C, C++ or other language
          Yara matches:
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1940113309.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1940113309.0000000000A80000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
          • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1939939255.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
          • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1939939255.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
          Reputation:high
          Has exited:true
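          Added example, not from the report: the two process records above are the textbook process-hollowing picture that the KERNEL32 imports CreateProcessW, VirtualAllocEx and WriteProcessMemory make possible. Target 1 is C:\Windows\SysWOW64\svchost.exe, yet its command line is the dropper's own path, and both FormBook Yara hits are in svchost memory, one of them at 0x400000 with protection 0x40 (PAGE_EXECUTE_READWRITE), nowhere near svchost's own image base 0xb10000. The Python below turns both observations into checks over constructed records (the two targets above plus a hypothetical benign svchost.exe for contrast). The memory-dump name layout it assumes (fourth dot-separated field = region base, fifth = page protection) is inferred from the two names on this page and is an assumption, not documented Joe Sandbox format; the page-protection constants are the standard Windows values.

```python
import ntpath
from typing import Dict, List

# Constructed process records mirroring the report's Target 0 and Target 1 entries,
# plus a hypothetical benign svchost.exe instance (target 2) for contrast.
SAMPLE_PROCESSES = [
    {"target": 0, "path": r"C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe",
     "cmdline": r'"C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe"', "imagebase": 0x9A0000},
    {"target": 1, "path": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r'"C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe"', "imagebase": 0xB10000},
    {"target": 2, "path": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs -p", "imagebase": 0x7FF600000000},
]

# Standard Windows page-protection values (low byte; modifiers such as PAGE_GUARD sit above it)
PAGE_PROTECT = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
                0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}


def first_token(cmdline: str) -> str:
    """Image path a Windows command line names; a leading double quote delimits the token."""
    s = cmdline.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    return s.split(None, 1)[0] if s else ""


def hollowing_indicators(proc: Dict) -> List[str]:
    """Process-list view. A hollowed host keeps the system binary's image path, but its command
    line is whatever the injector passed to CreateProcess; here it passed the dropper's own path."""
    reasons = []
    image, claimed = proc["path"], first_token(proc["cmdline"])
    if ntpath.basename(image).lower() != ntpath.basename(claimed).lower():
        reasons.append("image/command-line mismatch: %s running as %s"
                       % (ntpath.basename(image), ntpath.basename(claimed)))
    if image.lower().startswith("c:\\windows\\") and claimed.lower().startswith("c:\\users\\"):
        reasons.append("system binary with a user-profile command line")
    return reasons


def parse_dump_name(name: str) -> Dict:
    """Split a Joe Sandbox memory-dump name such as
    00000001.00000002.1939939255.0000000000400000.00000040.80000000.00040000.00000000.sdmp
    Assumed layout (not documented on the page): field 1 = target id, field 4 = region base,
    field 5 = page protection. The remaining fields are returned untouched."""
    if name.endswith(".sdmp"):
        name = name[:-5]
    fields = name.split(".")
    protect = int(fields[4], 16)
    return {"target": int(fields[0], 16), "base": int(fields[3], 16), "protect": protect,
            "protect_name": PAGE_PROTECT.get(protect & 0xFF, "unknown(0x%x)" % protect),
            "raw_fields": fields}


def memory_indicators(dump_name: str, host_imagebase: int) -> List[str]:
    """Memory view. An RWX region, or executable memory that is not the host's own image,
    is where an injected payload (here the FormBook Yara hits) ends up."""
    d = parse_dump_name(dump_name)
    reasons = []
    if (d["protect"] & 0xFF) == 0x40:
        reasons.append("RWX region at 0x%x" % d["base"])
    if (d["protect"] & 0xF0) and d["base"] != host_imagebase:
        reasons.append("executable region at 0x%x outside host image base 0x%x"
                       % (d["base"], host_imagebase))
    return reasons


if __name__ == "__main__":
    for p in SAMPLE_PROCESSES:
        print("target %d: %s" % (p["target"], hollowing_indicators(p) or "no indicator"))
    print(memory_indicators(
        "00000001.00000002.1939939255.0000000000400000.00000040.80000000.00040000.00000000.sdmp", 0xB10000))
```

          The same two comparisons are what an EDR or a Sysmon process-creation rule applies in production: image path against the first command-line token, and executable private memory against the loaded module list. Neither needs the Yara signature; the signature confirms which family landed in the hollowed svchost.exe.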


            Execution Graph

            Execution Coverage:3.4%
            Dynamic/Decrypted Code Coverage:1.5%
            Signature Coverage:3.2%
            Total number of Nodes:2000
            Total number of Limit Nodes:68
            execution_graph (node/edge dump of the interactive graph omitted). API calls resolved in the graph within the sample's own image (imagebase 0x9a0000): RegOpenKeyExW, RegQueryValueExW, RegCloseKey, GetFullPathNameW, GetModuleFileNameW, GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, GetSystemInfo, FreeLibrary, RtlAllocateHeap, RaiseException, EnterCriticalSection, LeaveCriticalSection, WaitForSingleObjectEx, SetEvent and ResetEvent, alongside CRT helpers (__wsopen_s, _wcslen, __fread_nolock, __dosmaperr, __onexit, __Init_thread_footer) consistent with the VS2008 build noted above. A separate node cluster at 0xf20000-0xf234ea resolves GetPEB and Sleep; that range lies outside the mapped image (which, with .reloc at RVA 0x13a000 and size 0x7594, ends near 0xae2000), which matches the Dynamic/Decrypted Code Coverage figure above.
SetEvent ResetEvent 96488->96772 96490 9b8727 96490->96487 96774 9c01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 96490->96774 96492->96487 96773 9c0242 5 API calls __Init_thread_wait 96492->96773 96513 9aec76 messages 96494->96513 96495 9c01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 96495->96513 96496 9bfddb 22 API calls 96496->96513 96497 9afef7 96503 9aa8c7 22 API calls 96497->96503 96511 9aed9d messages 96497->96511 96500 9f4b0b 96778 a1359c 82 API calls __wsopen_s 96500->96778 96501 9f4600 96506 9aa8c7 22 API calls 96501->96506 96501->96511 96503->96511 96505 9aa8c7 22 API calls 96505->96513 96506->96511 96508 9c0242 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 96508->96513 96509 9afbe3 96509->96511 96512 9f4bdc 96509->96512 96517 9af3ae messages 96509->96517 96510 9aa961 22 API calls 96510->96513 96511->96435 96779 a1359c 82 API calls __wsopen_s 96512->96779 96513->96495 96513->96496 96513->96497 96513->96500 96513->96501 96513->96505 96513->96508 96513->96509 96513->96510 96513->96511 96515 9c00a3 29 API calls pre_c_initialization 96513->96515 96516 9f4beb 96513->96516 96513->96517 96775 9b01e0 256 API calls 2 library calls 96513->96775 96776 9b06a0 41 API calls messages 96513->96776 96515->96513 96780 a1359c 82 API calls __wsopen_s 96516->96780 96517->96511 96777 a1359c 82 API calls __wsopen_s 96517->96777 96781 9a9c6e 96518->96781 96521 9bfddb 22 API calls 96523 9bf02b 96521->96523 96524 9bfe0b 22 API calls 96523->96524 96526 9bf03c 96524->96526 96525 9ff0a8 96565 9bf0a4 96525->96565 96879 a19caa 39 API calls 96525->96879 96824 9a6246 96526->96824 96530 9ff10a 96532 9bf0b1 96530->96532 96533 9ff112 96530->96533 96531 9aa961 22 API calls 96534 9bf04f 96531->96534 96795 9bfa5b 96532->96795 96537 9ab567 39 API calls 96533->96537 96535 9a6246 CloseHandle 96534->96535 96538 9bf056 96535->96538 96542 9bf0b8 96537->96542 96828 9a7510 
96538->96828 96541 9a6246 CloseHandle 96543 9bf06c 96541->96543 96544 9ff127 96542->96544 96545 9bf0d3 96542->96545 96851 9a5745 96543->96851 96548 9bfe0b 22 API calls 96544->96548 96800 9a6270 96545->96800 96551 9ff12c 96548->96551 96555 9ff140 96551->96555 96880 9bf866 ReadFile SetFilePointerEx 96551->96880 96552 9bf085 96859 9a53de 96552->96859 96553 9ff0a0 96878 9a6216 CloseHandle messages 96553->96878 96560 9ff144 __fread_nolock 96555->96560 96881 a10e85 22 API calls ___scrt_fastfail 96555->96881 96558 9bf0ea 96558->96560 96875 9a62b5 22 API calls 96558->96875 96563 9bf093 96874 9a53c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 96563->96874 96565->96532 96819 9ab567 96565->96819 96566 9bf0fe 96567 9bf138 96566->96567 96570 9a6246 CloseHandle 96566->96570 96567->96461 96568 9ff069 96877 a0ccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 96568->96877 96569 9bf09a 96569->96565 96569->96568 96571 9bf12c 96570->96571 96571->96567 96876 9a6216 CloseHandle messages 96571->96876 96573 9ff080 96573->96565 96576 9a7510 53 API calls 96575->96576 96577 a2e3ca 96576->96577 96578 9a6270 22 API calls 96577->96578 96579 a2e3d9 96578->96579 96580 a2e40d 96579->96580 96581 9ab567 39 API calls 96579->96581 96584 9a9cb3 22 API calls 96580->96584 96582 a2e3ea 96581->96582 96582->96580 96583 a2e3ef 96582->96583 96585 a2e3ff 96583->96585 96586 9aa8c7 22 API calls 96583->96586 96587 a2e424 96584->96587 96969 9a62b5 22 API calls 96585->96969 96586->96585 96950 a094bc 96587->96950 96591 9aa961 22 API calls 96595 a2e466 96591->96595 96592 a2e4f1 96592->96461 96593 a2e49d 96593->96585 96960 9a6350 96593->96960 96595->96593 96597 9a515f 22 API calls 96595->96597 96954 a0904e 96595->96954 96597->96595 96981 a0dbbe lstrlenW 96598->96981 96602 9aa961 22 API calls 96601->96602 96603 a16f1d 96602->96603 96604 9aa961 22 API calls 96603->96604 96605 a16f26 96604->96605 96606 a16f3a 96605->96606 96607 9ab567 39 API calls 96605->96607 96608 9a7510 53 API calls 96606->96608 
96607->96606 96613 a16f57 _wcslen 96608->96613 96609 a16fbc 96611 9a7510 53 API calls 96609->96611 96610 a170bf 96986 9a4ecb 96610->96986 96614 a16fc8 96611->96614 96613->96609 96613->96610 96622 a170e9 96613->96622 96616 a16fdb 96614->96616 96619 9aa8c7 22 API calls 96614->96619 96624 a17027 96616->96624 96627 a17005 96616->96627 96631 9aa8c7 22 API calls 96616->96631 96617 a170e5 96618 9aa961 22 API calls 96617->96618 96617->96622 96621 a1711a 96618->96621 96619->96616 96620 9a4ecb 94 API calls 96620->96617 96623 9aa961 22 API calls 96621->96623 96622->96461 96626 a17126 96623->96626 96625 9a7510 53 API calls 96624->96625 96629 a17034 96625->96629 96630 9aa961 22 API calls 96626->96630 96628 9a33c6 22 API calls 96627->96628 96632 a1700f 96628->96632 96633 a17047 96629->96633 96634 a1703d 96629->96634 96635 a1712f 96630->96635 96631->96627 96636 9a7510 53 API calls 96632->96636 97162 a0e199 GetFileAttributesW 96633->97162 96637 9aa8c7 22 API calls 96634->96637 96639 9aa961 22 API calls 96635->96639 96640 a1701b 96636->96640 96637->96633 96642 a17138 96639->96642 96643 9a6350 22 API calls 96640->96643 96641 a17050 96644 a17063 96641->96644 96647 9a4c6d 22 API calls 96641->96647 96645 9a7510 53 API calls 96642->96645 96643->96624 96646 9a7510 53 API calls 96644->96646 96654 a17069 96644->96654 96648 a17145 96645->96648 96650 a170a0 96646->96650 96647->96644 97008 9a525f 96648->97008 97163 a0d076 57 API calls 96650->97163 96651 a17166 97050 9a4c6d 96651->97050 96654->96622 96656 a171a9 96658 9aa8c7 22 API calls 96656->96658 96657 9a4c6d 22 API calls 96659 a17186 96657->96659 96660 a171ba 96658->96660 96659->96656 96662 9a6b57 22 API calls 96659->96662 96661 9a6350 22 API calls 96660->96661 96663 a171c8 96661->96663 96665 a1719b 96662->96665 96664 9a6350 22 API calls 96663->96664 96666 a171d6 96664->96666 96667 9a6b57 22 API calls 96665->96667 96668 9a6350 22 API calls 96666->96668 96667->96656 96669 a171e4 96668->96669 96670 9a7510 53 API calls 96669->96670 96671 
a171f0 96670->96671 97053 a0d7bc 96671->97053 96673 a17201 96674 a0d4ce 4 API calls 96673->96674 96675 a1720b 96674->96675 96676 9a7510 53 API calls 96675->96676 96679 a17239 96675->96679 96677 a17229 96676->96677 97107 a12947 96677->97107 96680 9a4f39 68 API calls 96679->96680 96680->96622 97792 a27f59 96681->97792 96683 a2959b 96683->96461 96685 9a7510 53 API calls 96684->96685 96686 a1f126 96685->96686 97884 9a9e90 96686->97884 96688 a1f136 96689 a1f15b 96688->96689 96690 9aec40 256 API calls 96688->96690 96691 9a9c6e 22 API calls 96689->96691 96692 a1f15f 96689->96692 96690->96689 96691->96692 96692->96461 96694 a27f59 120 API calls 96693->96694 96695 a295af 96694->96695 96695->96461 96697 9a4f4a 96696->96697 96698 9a4f43 96696->96698 96700 9a4f6a FreeLibrary 96697->96700 96701 9a4f59 96697->96701 96699 9ce678 67 API calls 96698->96699 96699->96697 96700->96701 96701->96461 96703 a17469 96702->96703 96704 a17474 96702->96704 96705 9ab567 39 API calls 96703->96705 96706 a17554 96704->96706 96709 9aa961 22 API calls 96704->96709 96705->96704 96707 9bfddb 22 API calls 96706->96707 96748 a176a4 96706->96748 96708 a17587 96707->96708 96710 9bfe0b 22 API calls 96708->96710 96711 a17495 96709->96711 96712 a17598 96710->96712 96713 9aa961 22 API calls 96711->96713 96714 9a6246 CloseHandle 96712->96714 96715 a1749e 96713->96715 96717 a175a3 96714->96717 96716 9a7510 53 API calls 96715->96716 96718 a174aa 96716->96718 96719 9aa961 22 API calls 96717->96719 96720 9a525f 22 API calls 96718->96720 96721 a175ab 96719->96721 96722 a174bf 96720->96722 96723 9a6246 CloseHandle 96721->96723 96724 9a6350 22 API calls 96722->96724 96725 a175b2 96723->96725 96726 a174f2 96724->96726 96727 9a7510 53 API calls 96725->96727 96728 a1754a 96726->96728 96730 a0d4ce 4 API calls 96726->96730 96729 a175be 96727->96729 96732 9ab567 39 API calls 96728->96732 96731 9a6246 CloseHandle 96729->96731 96733 a17502 96730->96733 96734 a175c8 96731->96734 96732->96706 96733->96728 96735 a17506 
96733->96735 96736 9a5745 5 API calls 96734->96736 96737 9a9cb3 22 API calls 96735->96737 96738 a175e2 96736->96738 96739 a17513 96737->96739 96740 a175ea 96738->96740 96741 a176de GetLastError 96738->96741 97927 a0d2c1 26 API calls 96739->97927 96744 9a53de 27 API calls 96740->96744 96743 a176f7 96741->96743 97931 9a6216 CloseHandle messages 96743->97931 96747 a175f8 96744->96747 96746 a1751c 96746->96728 97928 9a53c7 SetFilePointerEx SetFilePointerEx SetFilePointerEx 96747->97928 96748->96461 96750 a17645 96751 9bfddb 22 API calls 96750->96751 96754 a17679 96751->96754 96752 a175ff 96752->96750 96753 a17619 96752->96753 97929 a0ccff SetFilePointerEx SetFilePointerEx SetFilePointerEx WriteFile 96753->97929 96756 9aa961 22 API calls 96754->96756 96757 a17686 96756->96757 96757->96748 97930 a0417d 22 API calls __fread_nolock 96757->97930 96759->96453 96760->96421 96761->96423 96762->96433 96763->96446 96764->96446 96765->96419 96766->96461 96767->96461 96768->96461 96769->96459 96770->96461 96771->96488 96772->96492 96773->96490 96774->96487 96775->96513 96776->96513 96777->96511 96778->96511 96779->96516 96780->96511 96782 9a9c7e 96781->96782 96783 9ef545 96781->96783 96788 9bfddb 22 API calls 96782->96788 96784 9ef556 96783->96784 96785 9a6b57 22 API calls 96783->96785 96786 9aa6c3 22 API calls 96784->96786 96785->96784 96787 9ef560 96786->96787 96787->96787 96789 9a9c91 96788->96789 96790 9a9c9a 96789->96790 96791 9a9cac 96789->96791 96792 9a9cb3 22 API calls 96790->96792 96793 9aa961 22 API calls 96791->96793 96794 9a9ca2 96792->96794 96793->96794 96794->96521 96794->96525 96882 9a54c6 96795->96882 96798 9a54c6 3 API calls 96799 9bfa9a 96798->96799 96799->96542 96801 9bfe0b 22 API calls 96800->96801 96802 9a6295 96801->96802 96803 9bfddb 22 API calls 96802->96803 96804 9a62a3 96803->96804 96805 9bf141 96804->96805 96806 9bf188 96805->96806 96807 9bf14c 96805->96807 96808 9aa6c3 22 API calls 96806->96808 96807->96806 96812 9bf15b 96807->96812 96818 a0caeb 
96808->96818 96809 9bf170 96888 9bf18e 96809->96888 96812->96809 96813 9bf17d 96812->96813 96895 a0cbf2 26 API calls 96813->96895 96814 9bf179 96814->96558 96816 a0cb1a 96816->96558 96818->96816 96896 a0ca89 ReadFile SetFilePointerEx 96818->96896 96897 9a49bd 22 API calls __fread_nolock 96818->96897 96820 9ab578 96819->96820 96821 9ab57f 96819->96821 96820->96821 96945 9c62d1 39 API calls 96820->96945 96821->96530 96823 9ab5c2 96823->96530 96825 9a625f 96824->96825 96826 9a6250 96824->96826 96825->96826 96827 9a6264 CloseHandle 96825->96827 96826->96531 96827->96826 96829 9a7525 96828->96829 96845 9a7522 96828->96845 96830 9a755b 96829->96830 96831 9a752d 96829->96831 96832 9e50f6 96830->96832 96834 9e500f 96830->96834 96835 9a756d 96830->96835 96946 9c51c6 26 API calls 96831->96946 96949 9c5183 26 API calls 96832->96949 96842 9e5088 96834->96842 96846 9bfe0b 22 API calls 96834->96846 96947 9bfb21 51 API calls 96835->96947 96836 9a753d 96841 9bfddb 22 API calls 96836->96841 96838 9e510e 96838->96838 96843 9a7547 96841->96843 96948 9bfb21 51 API calls 96842->96948 96844 9a9cb3 22 API calls 96843->96844 96844->96845 96845->96541 96847 9e5058 96846->96847 96848 9bfddb 22 API calls 96847->96848 96849 9e507f 96848->96849 96850 9a9cb3 22 API calls 96849->96850 96850->96842 96852 9a575c CreateFileW 96851->96852 96853 9e4035 96851->96853 96855 9a577b 96852->96855 96854 9e403b CreateFileW 96853->96854 96853->96855 96854->96855 96856 9e4063 96854->96856 96855->96552 96855->96553 96857 9a54c6 3 API calls 96856->96857 96858 9e406e 96857->96858 96858->96855 96860 9a53f3 96859->96860 96873 9a53f0 messages 96859->96873 96861 9a54c6 3 API calls 96860->96861 96860->96873 96862 9a5410 96861->96862 96863 9e3f4b 96862->96863 96864 9a541d 96862->96864 96865 9bfa5b 3 API calls 96863->96865 96866 9bfe0b 22 API calls 96864->96866 96865->96873 96867 9a5429 96866->96867 96868 9a5722 22 API calls 96867->96868 96869 9a5433 96868->96869 96870 9a9a40 2 API calls 96869->96870 96871 9a543f 
96870->96871 96872 9a54c6 3 API calls 96871->96872 96872->96873 96873->96563 96874->96569 96875->96566 96876->96567 96877->96573 96878->96525 96879->96525 96880->96555 96881->96560 96886 9a54dd 96882->96886 96883 9e3f9c SetFilePointerEx 96884 9a5564 SetFilePointerEx SetFilePointerEx 96887 9a5530 96884->96887 96885 9e3f8b 96885->96883 96886->96883 96886->96884 96886->96885 96886->96887 96887->96798 96898 9bf1d8 96888->96898 96894 9bf1c1 96894->96814 96895->96814 96896->96818 96897->96818 96899 9bfe0b 22 API calls 96898->96899 96900 9bf1ef 96899->96900 96901 9bfddb 22 API calls 96900->96901 96902 9bf1a6 96901->96902 96903 9a97b6 96902->96903 96917 9a9a1e 96903->96917 96906 9a97fc 96906->96894 96909 9a6e14 MultiByteToWideChar 96906->96909 96908 9a97c7 96908->96906 96924 9a9a40 96908->96924 96930 9a9b01 22 API calls __fread_nolock 96908->96930 96910 9a6e40 96909->96910 96911 9a6e87 96909->96911 96912 9bfe0b 22 API calls 96910->96912 96913 9aa6c3 22 API calls 96911->96913 96914 9a6e55 MultiByteToWideChar 96912->96914 96916 9a6e7b 96913->96916 96932 9a6e90 96914->96932 96916->96894 96918 9a9a2f 96917->96918 96919 9ef378 96917->96919 96918->96908 96920 9bfddb 22 API calls 96919->96920 96921 9ef382 96920->96921 96922 9bfe0b 22 API calls 96921->96922 96923 9ef397 96922->96923 96925 9a9abb 96924->96925 96929 9a9a4e 96924->96929 96931 9be40f SetFilePointerEx 96925->96931 96926 9a9a7c 96926->96908 96928 9a9a8c ReadFile 96928->96926 96928->96929 96929->96926 96929->96928 96930->96908 96931->96929 96933 9a6ea3 96932->96933 96934 9a6f24 96932->96934 96933->96934 96936 9a6eaf 96933->96936 96935 9a93b2 22 API calls 96934->96935 96937 9a6ec1 __fread_nolock 96935->96937 96938 9a6eb9 96936->96938 96939 9a6ee7 96936->96939 96937->96916 96944 9a6f34 22 API calls 96938->96944 96941 9bfddb 22 API calls 96939->96941 96942 9a6ef1 96941->96942 96943 9bfe0b 22 API calls 96942->96943 96943->96937 96944->96937 96945->96823 96946->96836 96947->96836 96948->96832 96949->96838 96951 a094c8 
96950->96951 96952 9bfddb 22 API calls 96951->96952 96953 a094cf 96952->96953 96953->96591 96955 a09067 96954->96955 96956 a09059 96954->96956 96958 9a6e90 22 API calls 96955->96958 96957 9a93b2 22 API calls 96956->96957 96959 a09065 96957->96959 96958->96959 96959->96595 96961 9a6362 96960->96961 96962 9e4a51 96960->96962 96970 9a6373 96961->96970 96980 9a4a88 22 API calls __fread_nolock 96962->96980 96965 9a636e 96965->96593 96966 9e4a5b 96967 9e4a67 96966->96967 96968 9aa8c7 22 API calls 96966->96968 96968->96967 96969->96592 96971 9a6382 96970->96971 96977 9a63b6 __fread_nolock 96970->96977 96972 9e4a82 96971->96972 96973 9a63a9 96971->96973 96971->96977 96974 9bfddb 22 API calls 96972->96974 96975 9aa587 22 API calls 96973->96975 96976 9e4a91 96974->96976 96975->96977 96978 9bfe0b 22 API calls 96976->96978 96977->96965 96979 9e4ac5 __fread_nolock 96978->96979 96980->96966 96982 a0d4d5 96981->96982 96983 a0dbdc GetFileAttributesW 96981->96983 96982->96461 96983->96982 96984 a0dbe8 FindFirstFileW 96983->96984 96984->96982 96985 a0dbf9 FindClose 96984->96985 96985->96982 97164 9a4e90 LoadLibraryA 96986->97164 96991 9e3ccf 96993 9a4f39 68 API calls 96991->96993 96992 9a4ef6 LoadLibraryExW 97172 9a4e59 LoadLibraryA 96992->97172 96996 9e3cd6 96993->96996 96998 9a4e59 3 API calls 96996->96998 97000 9e3cde 96998->97000 96999 9a4f20 96999->97000 97001 9a4f2c 96999->97001 97194 9a50f5 97000->97194 97002 9a4f39 68 API calls 97001->97002 97004 9a4f31 97002->97004 97004->96617 97004->96620 97007 9e3d05 97009 9aa961 22 API calls 97008->97009 97010 9a5275 97009->97010 97011 9aa961 22 API calls 97010->97011 97012 9a527d 97011->97012 97013 9aa961 22 API calls 97012->97013 97014 9a5285 97013->97014 97015 9aa961 22 API calls 97014->97015 97016 9a528d 97015->97016 97017 9e3df5 97016->97017 97018 9a52c1 97016->97018 97019 9aa8c7 22 API calls 97017->97019 97020 9a6d25 22 API calls 97018->97020 97021 9e3dfe 97019->97021 97022 9a52cf 97020->97022 97023 9aa6c3 22 API calls 
97021->97023 97024 9a93b2 22 API calls 97022->97024 97026 9a5304 97023->97026 97025 9a52d9 97024->97025 97025->97026 97027 9a6d25 22 API calls 97025->97027 97031 9a5325 97026->97031 97041 9e3e20 97026->97041 97044 9a5349 97026->97044 97029 9a52fa 97027->97029 97030 9a93b2 22 API calls 97029->97030 97030->97026 97034 9a4c6d 22 API calls 97031->97034 97031->97044 97032 9a5370 97035 9a5384 97032->97035 97042 9aa8c7 22 API calls 97032->97042 97033 9a535a 97033->97032 97038 9aa8c7 22 API calls 97033->97038 97036 9a5332 97034->97036 97039 9a538f 97035->97039 97043 9aa8c7 22 API calls 97035->97043 97040 9a6d25 22 API calls 97036->97040 97036->97044 97037 9a6b57 22 API calls 97047 9e3ee0 97037->97047 97038->97032 97045 9aa8c7 22 API calls 97039->97045 97048 9a539a 97039->97048 97040->97044 97041->97037 97042->97035 97043->97039 97455 9a6d25 97044->97455 97045->97048 97046 9a4c6d 22 API calls 97046->97047 97047->97044 97047->97046 97468 9a49bd 22 API calls __fread_nolock 97047->97468 97048->96651 97051 9aaec9 22 API calls 97050->97051 97052 9a4c78 97051->97052 97052->96656 97052->96657 97054 a0d7d8 97053->97054 97055 a0d7f3 97054->97055 97056 a0d7dd 97054->97056 97057 9aa961 22 API calls 97055->97057 97059 9aa8c7 22 API calls 97056->97059 97106 a0d7ee 97056->97106 97058 a0d7fb 97057->97058 97060 9aa961 22 API calls 97058->97060 97059->97106 97061 a0d803 97060->97061 97062 9aa961 22 API calls 97061->97062 97063 a0d80e 97062->97063 97064 9aa961 22 API calls 97063->97064 97065 a0d816 97064->97065 97066 9aa961 22 API calls 97065->97066 97067 a0d81e 97066->97067 97068 9aa961 22 API calls 97067->97068 97069 a0d826 97068->97069 97070 9aa961 22 API calls 97069->97070 97071 a0d82e 97070->97071 97072 9aa961 22 API calls 97071->97072 97073 a0d836 97072->97073 97074 9a525f 22 API calls 97073->97074 97075 a0d84d 97074->97075 97076 9a525f 22 API calls 97075->97076 97077 a0d866 97076->97077 97078 9a4c6d 22 API calls 97077->97078 97079 a0d872 97078->97079 97080 a0d885 97079->97080 97081 
9a93b2 22 API calls 97079->97081 97082 9a4c6d 22 API calls 97080->97082 97081->97080 97083 a0d88e 97082->97083 97084 a0d89e 97083->97084 97086 9a93b2 22 API calls 97083->97086 97085 a0d8b0 97084->97085 97087 9aa8c7 22 API calls 97084->97087 97088 9a6350 22 API calls 97085->97088 97086->97084 97087->97085 97089 a0d8bb 97088->97089 97470 a0d978 22 API calls 97089->97470 97091 a0d8ca 97471 a0d978 22 API calls 97091->97471 97093 a0d8dd 97094 9a4c6d 22 API calls 97093->97094 97095 a0d8e7 97094->97095 97096 a0d8ec 97095->97096 97097 a0d8fe 97095->97097 97098 9a33c6 22 API calls 97096->97098 97099 9a4c6d 22 API calls 97097->97099 97101 a0d8f9 97098->97101 97100 a0d907 97099->97100 97102 a0d925 97100->97102 97103 9a33c6 22 API calls 97100->97103 97104 9a6350 22 API calls 97101->97104 97105 9a6350 22 API calls 97102->97105 97103->97101 97104->97102 97105->97106 97106->96673 97108 a12954 __wsopen_s 97107->97108 97109 9bfe0b 22 API calls 97108->97109 97110 a12971 97109->97110 97111 9a5722 22 API calls 97110->97111 97112 a1297b 97111->97112 97113 a1274e 27 API calls 97112->97113 97114 a12986 97113->97114 97115 9a511f 64 API calls 97114->97115 97116 a1299b 97115->97116 97117 a12a6c 97116->97117 97118 a129bf 97116->97118 97119 a12e66 75 API calls 97117->97119 97498 a12e66 97118->97498 97135 a12a38 97119->97135 97123 9a50f5 40 API calls 97124 a12a91 97123->97124 97125 9a50f5 40 API calls 97124->97125 97128 a12aa1 97125->97128 97126 a12a75 messages 97126->96679 97127 a129ed 97505 9cd583 26 API calls 97127->97505 97129 9a50f5 40 API calls 97128->97129 97131 a12abc 97129->97131 97132 9a50f5 40 API calls 97131->97132 97133 a12acc 97132->97133 97134 9a50f5 40 API calls 97133->97134 97136 a12ae7 97134->97136 97135->97123 97135->97126 97137 9a50f5 40 API calls 97136->97137 97138 a12af7 97137->97138 97139 9a50f5 40 API calls 97138->97139 97140 a12b07 97139->97140 97141 9a50f5 40 API calls 97140->97141 97142 a12b17 97141->97142 97472 a13017 GetTempPathW GetTempFileNameW 97142->97472 97144 
a12b22 97145 9ce5eb 29 API calls 97144->97145 97147 a12b33 97145->97147 97147->97126 97149 9a50f5 40 API calls 97147->97149 97158 a12bed 97147->97158 97473 9cdbb3 97147->97473 97148 a12bf8 97150 a12c12 97148->97150 97151 a12bfe DeleteFileW 97148->97151 97149->97147 97152 a12c91 CopyFileW 97150->97152 97157 a12c18 97150->97157 97151->97126 97153 a12ca7 DeleteFileW 97152->97153 97154 a12cb9 DeleteFileW 97152->97154 97153->97126 97495 a12fd8 CreateFileW 97154->97495 97506 a122ce 97157->97506 97482 9ce678 97158->97482 97162->96641 97163->96654 97165 9a4ea8 GetProcAddress 97164->97165 97166 9a4ec6 97164->97166 97167 9a4eb8 97165->97167 97169 9ce5eb 97166->97169 97167->97166 97168 9a4ebf FreeLibrary 97167->97168 97168->97166 97202 9ce52a 97169->97202 97171 9a4eea 97171->96991 97171->96992 97173 9a4e6e GetProcAddress 97172->97173 97174 9a4e8d 97172->97174 97175 9a4e7e 97173->97175 97177 9a4f80 97174->97177 97175->97174 97176 9a4e86 FreeLibrary 97175->97176 97176->97174 97178 9bfe0b 22 API calls 97177->97178 97179 9a4f95 97178->97179 97180 9a5722 22 API calls 97179->97180 97181 9a4fa1 __fread_nolock 97180->97181 97182 9e3d1d 97181->97182 97183 9a50a5 97181->97183 97193 9a4fdc 97181->97193 97274 a1304d 74 API calls 97182->97274 97263 9a42a2 CreateStreamOnHGlobal 97183->97263 97186 9e3d22 97188 9a511f 64 API calls 97186->97188 97187 9a50f5 40 API calls 97187->97193 97189 9e3d45 97188->97189 97190 9a50f5 40 API calls 97189->97190 97192 9a506e messages 97190->97192 97192->96999 97193->97186 97193->97187 97193->97192 97269 9a511f 97193->97269 97195 9a5107 97194->97195 97196 9e3d70 97194->97196 97296 9ce8c4 97195->97296 97199 a128fe 97438 a1274e 97199->97438 97201 a12919 97201->97007 97204 9ce536 __FrameHandler3::FrameUnwindToState 97202->97204 97203 9ce544 97227 9cf2d9 20 API calls __dosmaperr 97203->97227 97204->97203 97207 9ce574 97204->97207 97206 9ce549 97228 9d27ec 26 API calls ___std_exception_copy 97206->97228 97209 9ce579 97207->97209 97210 9ce586 97207->97210 97229 
9cf2d9 20 API calls __dosmaperr 97209->97229 97219 9d8061 97210->97219 97213 9ce58f 97214 9ce595 97213->97214 97215 9ce5a2 97213->97215 97230 9cf2d9 20 API calls __dosmaperr 97214->97230 97231 9ce5d4 LeaveCriticalSection __fread_nolock 97215->97231 97216 9ce554 __wsopen_s 97216->97171 97220 9d806d __FrameHandler3::FrameUnwindToState 97219->97220 97232 9d2f5e EnterCriticalSection 97220->97232 97222 9d807b 97233 9d80fb 97222->97233 97226 9d80ac __wsopen_s 97226->97213 97227->97206 97228->97216 97229->97216 97230->97216 97231->97216 97232->97222 97234 9d811e 97233->97234 97235 9d8177 97234->97235 97242 9d8088 97234->97242 97250 9c918d EnterCriticalSection 97234->97250 97251 9c91a1 LeaveCriticalSection 97234->97251 97252 9d4c7d 20 API calls 2 library calls 97235->97252 97238 9d8180 97253 9d29c8 97238->97253 97240 9d8189 97240->97242 97259 9d3405 11 API calls 2 library calls 97240->97259 97247 9d80b7 97242->97247 97243 9d81a8 97260 9c918d EnterCriticalSection 97243->97260 97246 9d81bb 97246->97242 97262 9d2fa6 LeaveCriticalSection 97247->97262 97249 9d80be 97249->97226 97250->97234 97251->97234 97252->97238 97254 9d29d3 RtlFreeHeap 97253->97254 97258 9d29fc _free 97253->97258 97255 9d29e8 97254->97255 97254->97258 97261 9cf2d9 20 API calls __dosmaperr 97255->97261 97257 9d29ee GetLastError 97257->97258 97258->97240 97259->97243 97260->97246 97261->97257 97262->97249 97264 9a42bc FindResourceExW 97263->97264 97268 9a42d9 97263->97268 97265 9e35ba LoadResource 97264->97265 97264->97268 97266 9e35cf SizeofResource 97265->97266 97265->97268 97267 9e35e3 LockResource 97266->97267 97266->97268 97267->97268 97268->97193 97270 9a512e 97269->97270 97271 9e3d90 97269->97271 97275 9cece3 97270->97275 97274->97186 97278 9ceaaa 97275->97278 97277 9a513c 97277->97193 97281 9ceab6 __FrameHandler3::FrameUnwindToState 97278->97281 97279 9ceac2 97291 9cf2d9 20 API calls __dosmaperr 97279->97291 97281->97279 97282 9ceae8 97281->97282 97293 9c918d EnterCriticalSection 97282->97293 97283 
9ceac7 97292 9d27ec 26 API calls ___std_exception_copy 97283->97292 97286 9ceaf4 97294 9cec0a 62 API calls 2 library calls 97286->97294 97288 9ceb08 97295 9ceb27 LeaveCriticalSection __fread_nolock 97288->97295 97290 9cead2 __wsopen_s 97290->97277 97291->97283 97292->97290 97293->97286 97294->97288 97295->97290 97299 9ce8e1 97296->97299 97298 9a5118 97298->97199 97300 9ce8ed __FrameHandler3::FrameUnwindToState 97299->97300 97301 9ce92d 97300->97301 97302 9ce900 ___scrt_fastfail 97300->97302 97304 9ce925 __wsopen_s 97300->97304 97312 9c918d EnterCriticalSection 97301->97312 97326 9cf2d9 20 API calls __dosmaperr 97302->97326 97304->97298 97305 9ce937 97313 9ce6f8 97305->97313 97308 9ce91a 97327 9d27ec 26 API calls ___std_exception_copy 97308->97327 97312->97305 97317 9ce70a ___scrt_fastfail 97313->97317 97319 9ce727 97313->97319 97314 9ce717 97401 9cf2d9 20 API calls __dosmaperr 97314->97401 97316 9ce71c 97402 9d27ec 26 API calls ___std_exception_copy 97316->97402 97317->97314 97317->97319 97321 9ce76a __fread_nolock 97317->97321 97328 9ce96c LeaveCriticalSection __fread_nolock 97319->97328 97320 9ce886 ___scrt_fastfail 97404 9cf2d9 20 API calls __dosmaperr 97320->97404 97321->97319 97321->97320 97329 9cd955 97321->97329 97336 9d8d45 97321->97336 97403 9ccf78 26 API calls 4 library calls 97321->97403 97326->97308 97327->97304 97328->97304 97330 9cd976 97329->97330 97331 9cd961 97329->97331 97330->97321 97405 9cf2d9 20 API calls __dosmaperr 97331->97405 97333 9cd966 97406 9d27ec 26 API calls ___std_exception_copy 97333->97406 97335 9cd971 97335->97321 97337 9d8d6f 97336->97337 97338 9d8d57 97336->97338 97340 9d90d9 97337->97340 97345 9d8db4 97337->97345 97416 9cf2c6 20 API calls __dosmaperr 97338->97416 97432 9cf2c6 20 API calls __dosmaperr 97340->97432 97341 9d8d5c 97417 9cf2d9 20 API calls __dosmaperr 97341->97417 97344 9d90de 97433 9cf2d9 20 API calls __dosmaperr 97344->97433 97346 9d8d64 97345->97346 97348 9d8dbf 97345->97348 97353 9d8def 97345->97353 97346->97321 
97418 9cf2c6 20 API calls __dosmaperr 97348->97418 97350 9d8dcc 97434 9d27ec 26 API calls ___std_exception_copy 97350->97434 97351 9d8dc4 97419 9cf2d9 20 API calls __dosmaperr 97351->97419 97355 9d8e08 97353->97355 97356 9d8e2e 97353->97356 97357 9d8e4a 97353->97357 97355->97356 97389 9d8e15 97355->97389 97420 9cf2c6 20 API calls __dosmaperr 97356->97420 97423 9d3820 21 API calls 2 library calls 97357->97423 97360 9d8e33 97421 9cf2d9 20 API calls __dosmaperr 97360->97421 97361 9d8e61 97366 9d29c8 _free 20 API calls 97361->97366 97364 9d8fb3 97367 9d9029 97364->97367 97370 9d8fcc GetConsoleMode 97364->97370 97365 9d8e3a 97422 9d27ec 26 API calls ___std_exception_copy 97365->97422 97369 9d8e6a 97366->97369 97372 9d902d ReadFile 97367->97372 97371 9d29c8 _free 20 API calls 97369->97371 97370->97367 97375 9d8fdd 97370->97375 97376 9d8e71 97371->97376 97373 9d9047 97372->97373 97374 9d90a1 GetLastError 97372->97374 97373->97374 97384 9d901e 97373->97384 97377 9d90ae 97374->97377 97385 9d9005 97374->97385 97375->97372 97378 9d8fe3 ReadConsoleW 97375->97378 97379 9d8e7b 97376->97379 97380 9d8e96 97376->97380 97430 9cf2d9 20 API calls __dosmaperr 97377->97430 97383 9d8fff GetLastError 97378->97383 97378->97384 97424 9cf2d9 20 API calls __dosmaperr 97379->97424 97426 9d9424 28 API calls __wsopen_s 97380->97426 97383->97385 97393 9d906c 97384->97393 97394 9d9083 97384->97394 97398 9d8e45 __fread_nolock 97384->97398 97385->97398 97427 9cf2a3 20 API calls 2 library calls 97385->97427 97386 9d29c8 _free 20 API calls 97386->97346 97388 9d90b3 97431 9cf2c6 20 API calls __dosmaperr 97388->97431 97407 9df89b 97389->97407 97391 9d8e80 97425 9cf2c6 20 API calls __dosmaperr 97391->97425 97428 9d8a61 31 API calls 4 library calls 97393->97428 97397 9d909a 97394->97397 97394->97398 97429 9d88a1 29 API calls __wsopen_s 97397->97429 97398->97386 97400 9d909f 97400->97398 97401->97316 97402->97319 97403->97321 97404->97316 97405->97333 97406->97335 97408 9df8a8 97407->97408 97409 9df8b5 
97407->97409 97435 9cf2d9 20 API calls __dosmaperr 97408->97435 97412 9df8c1 97409->97412 97436 9cf2d9 20 API calls __dosmaperr 97409->97436 97411 9df8ad 97411->97364 97412->97364 97414 9df8e2 97437 9d27ec 26 API calls ___std_exception_copy 97414->97437 97416->97341 97417->97346 97418->97351 97419->97350 97420->97360 97421->97365 97422->97398 97423->97361 97424->97391 97425->97398 97426->97389 97427->97398 97428->97398 97429->97400 97430->97388 97431->97398 97432->97344 97433->97350 97434->97346 97435->97411 97436->97414 97437->97411 97441 9ce4e8 97438->97441 97440 a1275d 97440->97201 97444 9ce469 97441->97444 97443 9ce505 97443->97440 97445 9ce478 97444->97445 97446 9ce48c 97444->97446 97452 9cf2d9 20 API calls __dosmaperr 97445->97452 97451 9ce488 __alldvrm 97446->97451 97454 9d333f 11 API calls 2 library calls 97446->97454 97449 9ce47d 97453 9d27ec 26 API calls ___std_exception_copy 97449->97453 97451->97443 97452->97449 97453->97451 97454->97451 97456 9a6d91 97455->97456 97457 9a6d34 97455->97457 97458 9a93b2 22 API calls 97456->97458 97457->97456 97459 9a6d3f 97457->97459 97464 9a6d62 __fread_nolock 97458->97464 97460 9a6d5a 97459->97460 97461 9e4c9d 97459->97461 97469 9a6f34 22 API calls 97460->97469 97463 9bfddb 22 API calls 97461->97463 97465 9e4ca7 97463->97465 97464->97033 97466 9bfe0b 22 API calls 97465->97466 97467 9e4cda 97466->97467 97468->97047 97469->97464 97470->97091 97471->97093 97472->97144 97474 9cdbdd 97473->97474 97475 9cdbc1 97473->97475 97474->97147 97475->97474 97476 9cdbcd 97475->97476 97477 9cdbe3 97475->97477 97538 9cf2d9 20 API calls __dosmaperr 97476->97538 97535 9cd9cc 97477->97535 97480 9cdbd2 97539 9d27ec 26 API calls ___std_exception_copy 97480->97539 97483 9ce684 __FrameHandler3::FrameUnwindToState 97482->97483 97484 9ce6aa 97483->97484 97485 9ce695 97483->97485 97494 9ce6a5 __wsopen_s 97484->97494 97674 9c918d EnterCriticalSection 97484->97674 97691 9cf2d9 20 API calls __dosmaperr 97485->97691 97487 9ce69a 97692 9d27ec 26 API 
calls ___std_exception_copy 97487->97692 97490 9ce6c6 97675 9ce602 97490->97675 97492 9ce6d1 97494->97148 97499 a12e7a 97498->97499 97500 9a50f5 40 API calls 97499->97500 97501 a129c4 97499->97501 97502 a128fe 27 API calls 97499->97502 97503 9a511f 64 API calls 97499->97503 97500->97499 97501->97126 97504 9cd583 26 API calls 97501->97504 97502->97499 97503->97499 97504->97127 97505->97135 97507 a122d9 97506->97507 97508 a122e7 97506->97508 97509 9ce5eb 29 API calls 97507->97509 97511 9ce5eb 29 API calls 97508->97511 97521 a122f0 97508->97521 97509->97508 97521->97154 97540 9cd97b 97535->97540 97538->97480 97539->97474 97541 9cd987 __FrameHandler3::FrameUnwindToState 97540->97541 97548 9c918d EnterCriticalSection 97541->97548 97543 9cd995 97549 9cd9f4 97543->97549 97548->97543 97557 9d49a1 97549->97557 97558 9cd955 __fread_nolock 26 API calls 97557->97558 97674->97490 97676 9ce60f 97675->97676 97678 9ce624 97675->97678 97713 9cf2d9 20 API calls __dosmaperr 97676->97713 97680 9cdc0b 62 API calls 97678->97680 97684 9ce61f 97678->97684 97679 9ce614 97682 9ce638 97680->97682 97694 9d4d7a 97682->97694 97684->97492 97691->97487 97692->97494 97713->97679 97793 9a7510 53 API calls 97792->97793 97794 a27f90 97793->97794 97817 a27fd5 messages 97794->97817 97830 a28cd3 97794->97830 97796 a28281 97797 a2844f 97796->97797 97801 a2828f 97796->97801 97871 a28ee4 60 API calls 97797->97871 97800 a2845e 97800->97801 97802 a2846a 97800->97802 97843 a27e86 97801->97843 97802->97817 97803 9a7510 53 API calls 97820 a28049 97803->97820 97808 a282c8 97858 9bfc70 97808->97858 97811 a28302 97865 9a63eb 22 API calls 97811->97865 97812 a282e8 97864 a1359c 82 API calls __wsopen_s 97812->97864 97815 a28311 97866 9a6a50 22 API calls 97815->97866 97816 a282f3 GetCurrentProcess TerminateProcess 97816->97811 97817->96683 97819 a2832a 97828 a28352 97819->97828 97867 9b04f0 22 API calls 97819->97867 97820->97796 97820->97803 97820->97817 97862 a0417d 22 API calls __fread_nolock 97820->97862 97863 
a2851d 42 API calls _strftime 97820->97863 97822 a284c5 97822->97817 97824 a284d9 FreeLibrary 97822->97824 97823 a28341 97868 a28b7b 75 API calls 97823->97868 97824->97817 97828->97822 97869 9b04f0 22 API calls 97828->97869 97870 9aaceb 23 API calls messages 97828->97870 97872 a28b7b 75 API calls 97828->97872 97831 9aaec9 22 API calls 97830->97831 97832 a28cee CharLowerBuffW 97831->97832 97873 a08e54 97832->97873 97836 9aa961 22 API calls 97837 a28d2a 97836->97837 97838 9a6d25 22 API calls 97837->97838 97839 a28d3e 97838->97839 97840 9a93b2 22 API calls 97839->97840 97842 a28d48 _wcslen 97840->97842 97841 a28e5e _wcslen 97841->97820 97842->97841 97880 a2851d 42 API calls _strftime 97842->97880 97844 a27eec 97843->97844 97845 a27ea1 97843->97845 97849 a29096 97844->97849 97846 9bfe0b 22 API calls 97845->97846 97847 a27ec3 97846->97847 97847->97844 97848 9bfddb 22 API calls 97847->97848 97848->97847 97850 a292ab messages 97849->97850 97855 a290ba _strcat _wcslen 97849->97855 97850->97808 97851 9ab567 39 API calls 97851->97855 97852 9ab38f 39 API calls 97852->97855 97853 9ab6b5 39 API calls 97853->97855 97854 9a7510 53 API calls 97854->97855 97855->97850 97855->97851 97855->97852 97855->97853 97855->97854 97856 9cea0c 21 API calls ___std_exception_copy 97855->97856 97883 a0efae 24 API calls _wcslen 97855->97883 97856->97855 97860 9bfc85 97858->97860 97859 9bfd1d VirtualAlloc 97861 9bfceb 97859->97861 97860->97859 97860->97861 97861->97811 97861->97812 97862->97820 97863->97820 97864->97816 97865->97815 97866->97819 97867->97823 97868->97828 97869->97828 97870->97828 97871->97800 97872->97828 97874 a08e74 _wcslen 97873->97874 97875 a08f63 97874->97875 97877 a08ea9 97874->97877 97879 a08f68 97874->97879 97875->97836 97875->97842 97877->97875 97881 9bce60 41 API calls 97877->97881 97879->97875 97882 9bce60 41 API calls 97879->97882 97880->97841 97881->97877 97882->97879 97883->97855 97885 9a6270 22 API calls 97884->97885 97890 9a9eb5 97885->97890 97886 9a9fd2 97913 
9aa4a1 97886->97913 97888 9a9fec 97888->96688 97890->97886 97892 9ef7c4 97890->97892 97893 9aa12c __fread_nolock 97890->97893 97894 9ef699 97890->97894 97898 9aa6c3 22 API calls 97890->97898 97903 9aa405 97890->97903 97907 9aa587 22 API calls 97890->97907 97908 9aaec9 22 API calls 97890->97908 97909 9aa4a1 22 API calls 97890->97909 97912 9a4573 41 API calls _wcslen 97890->97912 97922 9a48c8 23 API calls 97890->97922 97923 9a49bd 22 API calls __fread_nolock 97890->97923 97924 9aa673 22 API calls 97890->97924 97925 a096e2 84 API calls __wsopen_s 97892->97925 97893->97892 97893->97903 97900 9bfddb 22 API calls 97894->97900 97898->97890 97899 9ef7d2 97902 9aa4a1 22 API calls 97899->97902 97901 9ef754 97900->97901 97905 9bfe0b 22 API calls 97901->97905 97904 9ef7e8 97902->97904 97903->97888 97926 a096e2 84 API calls __wsopen_s 97903->97926 97904->97888 97905->97893 97907->97890 97910 9aa0db CharUpperBuffW 97908->97910 97909->97890 97921 9aa673 22 API calls 97910->97921 97912->97890 97914 9aa52b 97913->97914 97920 9aa4b1 __fread_nolock 97913->97920 97916 9bfe0b 22 API calls 97914->97916 97915 9bfddb 22 API calls 97917 9aa4b8 97915->97917 97916->97920 97918 9bfddb 22 API calls 97917->97918 97919 9aa4d6 97917->97919 97918->97919 97919->97888 97920->97915 97921->97890 97922->97890 97923->97890 97924->97890 97925->97899 97926->97888 97927->96746 97928->96752 97929->96750 97930->96748 97931->96748 97932 9adddc 97935 9ab710 97932->97935 97936 9ab72b 97935->97936 97937 9f00f8 97936->97937 97938 9f0146 97936->97938 97964 9ab750 97936->97964 97941 9f0102 97937->97941 97944 9f010f 97937->97944 97937->97964 97977 a258a2 256 API calls 2 library calls 97938->97977 97975 a25d33 256 API calls 97941->97975 97961 9aba20 97944->97961 97976 a261d0 256 API calls 2 library calls 97944->97976 97947 9f03d9 97947->97947 97951 9f0322 97980 a25c0c 82 API calls 97951->97980 97955 9aba4e 97959 9bd336 40 API calls 97959->97964 97960 9abbe0 40 API calls 97960->97964 97961->97955 97981 a1359c 82 API 
calls __wsopen_s 97961->97981 97962 9aec40 256 API calls 97962->97964 97963 9aa8c7 22 API calls 97963->97964 97964->97951 97964->97955 97964->97959 97964->97960 97964->97961 97964->97962 97964->97963 97966 9aa81b 41 API calls 97964->97966 97967 9bd2f0 40 API calls 97964->97967 97968 9ba01b 256 API calls 97964->97968 97969 9c0242 5 API calls __Init_thread_wait 97964->97969 97970 9bedcd 22 API calls 97964->97970 97971 9c00a3 29 API calls __onexit 97964->97971 97972 9c01f8 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 97964->97972 97973 9bee53 82 API calls 97964->97973 97974 9be5ca 256 API calls 97964->97974 97978 9aaceb 23 API calls messages 97964->97978 97979 9ff6bf 23 API calls 97964->97979 97966->97964 97967->97964 97968->97964 97969->97964 97970->97964 97971->97964 97972->97964 97973->97964 97974->97964 97975->97944 97976->97961 97977->97964 97978->97964 97979->97964 97980->97961 97981->97947 97982 9d90fa 97983 9d9107 97982->97983 97986 9d911f 97982->97986 98032 9cf2d9 20 API calls __dosmaperr 97983->98032 97985 9d910c 98033 9d27ec 26 API calls ___std_exception_copy 97985->98033 97988 9d917a 97986->97988 97989 9d9117 97986->97989 98034 9dfdc4 21 API calls 2 library calls 97986->98034 97991 9cd955 __fread_nolock 26 API calls 97988->97991 97992 9d9192 97991->97992 98002 9d8c32 97992->98002 97994 9d9199 97994->97989 97995 9cd955 __fread_nolock 26 API calls 97994->97995 97996 9d91c5 97995->97996 97996->97989 97997 9cd955 __fread_nolock 26 API calls 97996->97997 97998 9d91d3 97997->97998 97998->97989 97999 9cd955 __fread_nolock 26 API calls 97998->97999 98000 9d91e3 97999->98000 98001 9cd955 __fread_nolock 26 API calls 98000->98001 98001->97989 98003 9d8c3e __FrameHandler3::FrameUnwindToState 98002->98003 98004 9d8c5e 98003->98004 98005 9d8c46 98003->98005 98007 9d8d24 98004->98007 98011 9d8c97 98004->98011 98036 9cf2c6 20 API calls __dosmaperr 98005->98036 98043 9cf2c6 20 API calls __dosmaperr 98007->98043 98008 9d8c4b 98037 9cf2d9 20 API calls 
__dosmaperr 98008->98037 98013 9d8cbb 98011->98013 98014 9d8ca6 98011->98014 98012 9d8d29 98044 9cf2d9 20 API calls __dosmaperr 98012->98044 98035 9d5147 EnterCriticalSection 98013->98035 98038 9cf2c6 20 API calls __dosmaperr 98014->98038 98018 9d8c53 __wsopen_s 98018->97994 98019 9d8cab 98039 9cf2d9 20 API calls __dosmaperr 98019->98039 98020 9d8cc1 98021 9d8cdd 98020->98021 98022 9d8cf2 98020->98022 98040 9cf2d9 20 API calls __dosmaperr 98021->98040 98026 9d8d45 __fread_nolock 38 API calls 98022->98026 98029 9d8ced 98026->98029 98027 9d8cb3 98045 9d27ec 26 API calls ___std_exception_copy 98027->98045 98028 9d8ce2 98041 9cf2c6 20 API calls __dosmaperr 98028->98041 98042 9d8d1c LeaveCriticalSection __wsopen_s 98029->98042 98032->97985 98033->97989 98034->97988 98035->98020 98036->98008 98037->98018 98038->98019 98039->98027 98040->98028 98041->98029 98042->98018 98043->98012 98044->98027 98045->98018 98046 9c03fb 98047 9c0407 __FrameHandler3::FrameUnwindToState 98046->98047 98075 9bfeb1 98047->98075 98049 9c040e 98050 9c0561 98049->98050 98053 9c0438 98049->98053 98102 9c083f IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 98050->98102 98052 9c0568 98103 9c4e52 28 API calls _abort 98052->98103 98064 9c0477 ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 98053->98064 98086 9d247d 98053->98086 98055 9c056e 98104 9c4e04 28 API calls _abort 98055->98104 98059 9c0576 98060 9c0457 98062 9c04d8 98094 9c0959 98062->98094 98064->98062 98098 9c4e1a 38 API calls 2 library calls 98064->98098 98066 9c04de 98067 9c04f3 98066->98067 98099 9c0992 GetModuleHandleW 98067->98099 98069 9c04fa 98069->98052 98070 9c04fe 98069->98070 98071 9c0507 98070->98071 98100 9c4df5 28 API calls _abort 98070->98100 98101 9c0040 13 API calls 2 library calls 98071->98101 98074 9c050f 98074->98060 98076 9bfeba 98075->98076 98105 9c0698 IsProcessorFeaturePresent 98076->98105 98078 9bfec6 98106 9c2c94 10 API calls 3 
library calls 98078->98106 98080 9bfecb 98085 9bfecf 98080->98085 98107 9d2317 IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 98080->98107 98082 9bfed8 98083 9bfee6 98082->98083 98108 9c2cbd 8 API calls 3 library calls 98082->98108 98083->98049 98085->98049 98087 9d2494 98086->98087 98109 9c0a8c 98087->98109 98089 9c0451 98089->98060 98090 9d2421 98089->98090 98091 9d2450 98090->98091 98092 9c0a8c _ValidateLocalCookies 5 API calls 98091->98092 98093 9d2479 98092->98093 98093->98064 98117 9c2340 98094->98117 98097 9c097f 98097->98066 98098->98062 98099->98069 98100->98071 98101->98074 98102->98052 98103->98055 98104->98059 98105->98078 98106->98080 98107->98082 98108->98085 98110 9c0a95 98109->98110 98111 9c0a97 IsProcessorFeaturePresent 98109->98111 98110->98089 98113 9c0c5d 98111->98113 98116 9c0c21 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 98113->98116 98115 9c0d40 98115->98089 98116->98115 98118 9c096c GetStartupInfoW 98117->98118 98118->98097 98119 9a1033 98124 9a4c91 98119->98124 98123 9a1042 98125 9aa961 22 API calls 98124->98125 98126 9a4cff 98125->98126 98132 9a3af0 98126->98132 98128 9a4d9c 98129 9a1038 98128->98129 98135 9a51f7 22 API calls __fread_nolock 98128->98135 98131 9c00a3 29 API calls __onexit 98129->98131 98131->98123 98136 9a3b1c 98132->98136 98135->98128 98137 9a3b0f 98136->98137 98138 9a3b29 98136->98138 98137->98128 98138->98137 98139 9a3b30 RegOpenKeyExW 98138->98139 98139->98137 98140 9a3b4a RegQueryValueExW 98139->98140 98141 9a3b6b 98140->98141 98142 9a3b80 RegCloseKey 98140->98142 98141->98142 98142->98137 98143 f2295b 98144 f22962 98143->98144 98145 f22a00 98144->98145 98146 f2296a 98144->98146 98163 f232b0 9 API calls 98145->98163 98150 f22610 98146->98150 98149 f229e7 98151 f20000 GetPEB 98150->98151 98160 f226af 98151->98160 98153 f226e0 CreateFileW 98156 f226ed 98153->98156 98153->98160 98154 f22709 VirtualAlloc 98155 
f2272a ReadFile 98154->98155 98154->98156 98155->98156 98157 f22748 VirtualAlloc 98155->98157 98158 f2290a 98156->98158 98159 f228fc VirtualFree 98156->98159 98157->98156 98157->98160 98158->98149 98159->98158 98160->98154 98160->98156 98161 f22810 FindCloseChangeNotification 98160->98161 98162 f22820 VirtualFree 98160->98162 98164 f23520 GetPEB 98160->98164 98161->98160 98162->98160 98163->98149 98165 f2354a 98164->98165 98165->98153 98166 9adf10 98167 9ab710 256 API calls 98166->98167 98168 9adf1e 98167->98168 98169 9f3f75 98180 9bceb1 98169->98180 98171 9f3f8b 98179 9f4006 98171->98179 98247 9be300 23 API calls 98171->98247 98175 9f4052 98177 9f4a88 98175->98177 98249 a1359c 82 API calls __wsopen_s 98175->98249 98176 9f3fe6 98176->98175 98248 a11abf 22 API calls 98176->98248 98189 9abf40 98179->98189 98181 9bcebf 98180->98181 98182 9bced2 98180->98182 98250 9aaceb 23 API calls messages 98181->98250 98184 9bced7 98182->98184 98185 9bcf05 98182->98185 98186 9bfddb 22 API calls 98184->98186 98251 9aaceb 23 API calls messages 98185->98251 98188 9bcec9 98186->98188 98188->98171 98252 9aadf0 98189->98252 98191 9abf9d 98192 9abfa9 98191->98192 98193 9f04b6 98191->98193 98195 9f04c6 98192->98195 98196 9ac01e 98192->98196 98271 a1359c 82 API calls __wsopen_s 98193->98271 98272 a1359c 82 API calls __wsopen_s 98195->98272 98257 9aac91 98196->98257 98199 9ac7da 98203 9bfe0b 22 API calls 98199->98203 98208 9ac808 __fread_nolock 98203->98208 98205 9f04f5 98209 9f055a 98205->98209 98273 9bd217 256 API calls 98205->98273 98211 9bfe0b 22 API calls 98208->98211 98246 9ac603 98209->98246 98274 a1359c 82 API calls __wsopen_s 98209->98274 98210 9aec40 256 API calls 98232 9ac039 __fread_nolock messages 98210->98232 98231 9ac350 __fread_nolock messages 98211->98231 98212 9aaf8a 22 API calls 98212->98232 98213 a07120 22 API calls 98213->98232 98214 9f091a 98284 a13209 23 API calls 98214->98284 98217 9f08a5 98218 9aec40 256 API calls 98217->98218 98219 9f08cf 98218->98219 98219->98246 
98282 9aa81b 41 API calls 98219->98282 98221 9f0591 98275 a1359c 82 API calls __wsopen_s 98221->98275 98225 9f08f6 98283 a1359c 82 API calls __wsopen_s 98225->98283 98226 9abbe0 40 API calls 98226->98232 98228 9ac3ac 98228->98175 98229 9ac237 98233 9ac253 98229->98233 98234 9aa8c7 22 API calls 98229->98234 98231->98228 98270 9bce17 22 API calls messages 98231->98270 98232->98199 98232->98205 98232->98208 98232->98209 98232->98210 98232->98212 98232->98213 98232->98214 98232->98217 98232->98221 98232->98225 98232->98226 98232->98229 98237 9bfddb 22 API calls 98232->98237 98241 9f09bf 98232->98241 98245 9bfe0b 22 API calls 98232->98245 98232->98246 98261 9aad81 98232->98261 98276 a07099 22 API calls __fread_nolock 98232->98276 98277 a25745 54 API calls _wcslen 98232->98277 98278 9baa42 22 API calls messages 98232->98278 98279 a0f05c 40 API calls 98232->98279 98280 9aa993 41 API calls 98232->98280 98281 9aaceb 23 API calls messages 98232->98281 98235 9f0976 98233->98235 98239 9ac297 messages 98233->98239 98234->98233 98285 9aaceb 23 API calls messages 98235->98285 98237->98232 98239->98241 98268 9aaceb 23 API calls messages 98239->98268 98241->98246 98286 a1359c 82 API calls __wsopen_s 98241->98286 98242 9ac335 98242->98241 98243 9ac342 98242->98243 98269 9aa704 22 API calls messages 98243->98269 98245->98232 98246->98175 98247->98176 98248->98179 98249->98177 98250->98188 98251->98188 98253 9aae01 98252->98253 98256 9aae1c messages 98252->98256 98254 9aaec9 22 API calls 98253->98254 98255 9aae09 CharUpperBuffW 98254->98255 98255->98256 98256->98191 98258 9aacae 98257->98258 98259 9aacd1 98258->98259 98287 a1359c 82 API calls __wsopen_s 98258->98287 98259->98232 98262 9efadb 98261->98262 98263 9aad92 98261->98263 98264 9bfddb 22 API calls 98263->98264 98265 9aad99 98264->98265 98288 9aadcd 98265->98288 98268->98242 98269->98231 98270->98231 98271->98195 98272->98246 98273->98209 98274->98246 98275->98246 98276->98232 98277->98232 98278->98232 98279->98232 98280->98232 
98281->98232 98282->98225 98283->98246 98284->98229 98285->98241 98286->98246 98287->98259 98294 9aaddd 98288->98294 98289 9aadb6 98289->98232 98290 9bfddb 22 API calls 98290->98294 98291 9aa961 22 API calls 98291->98294 98292 9aa8c7 22 API calls 98292->98294 98293 9aadcd 22 API calls 98293->98294 98294->98289 98294->98290 98294->98291 98294->98292 98294->98293 98295 9a3156 98298 9a3170 98295->98298 98299 9a3187 98298->98299 98300 9a31eb 98299->98300 98301 9a318c 98299->98301 98338 9a31e9 98299->98338 98303 9e2dfb 98300->98303 98304 9a31f1 98300->98304 98305 9a3199 98301->98305 98306 9a3265 PostQuitMessage 98301->98306 98302 9a31d0 DefWindowProcW 98340 9a316a 98302->98340 98347 9a18e2 10 API calls 98303->98347 98309 9a31f8 98304->98309 98310 9a321d SetTimer RegisterWindowMessageW 98304->98310 98307 9e2e7c 98305->98307 98308 9a31a4 98305->98308 98306->98340 98362 a0bf30 34 API calls ___scrt_fastfail 98307->98362 98313 9a31ae 98308->98313 98314 9e2e68 98308->98314 98317 9e2d9c 98309->98317 98318 9a3201 KillTimer 98309->98318 98315 9a3246 CreatePopupMenu 98310->98315 98310->98340 98312 9e2e1c 98348 9be499 42 API calls 98312->98348 98320 9a31b9 98313->98320 98331 9e2e4d 98313->98331 98361 a0c161 27 API calls ___scrt_fastfail 98314->98361 98315->98340 98321 9e2dd7 MoveWindow 98317->98321 98322 9e2da1 98317->98322 98343 9a30f2 Shell_NotifyIconW ___scrt_fastfail 98318->98343 98326 9a31c4 98320->98326 98327 9a3253 98320->98327 98321->98340 98329 9e2dc6 SetFocus 98322->98329 98330 9e2da7 98322->98330 98325 9a3263 98325->98340 98326->98302 98349 9a30f2 Shell_NotifyIconW ___scrt_fastfail 98326->98349 98345 9a326f 44 API calls ___scrt_fastfail 98327->98345 98328 9e2e8e 98328->98302 98328->98340 98329->98340 98330->98326 98334 9e2db0 98330->98334 98331->98302 98360 a00ad7 22 API calls 98331->98360 98332 9a3214 98344 9a3c50 DeleteObject DestroyWindow 98332->98344 98346 9a18e2 10 API calls 98334->98346 98338->98302 98341 9e2e41 98350 9a3837 98341->98350 98343->98332 98344->98340 
98345->98325 98346->98340 98347->98312 98348->98326 98349->98341 98351 9a3862 ___scrt_fastfail 98350->98351 98363 9a4212 98351->98363 98355 9e3386 Shell_NotifyIconW 98356 9a3906 Shell_NotifyIconW 98367 9a3923 98356->98367 98358 9a38e8 98358->98355 98358->98356 98359 9a391c 98359->98338 98360->98338 98361->98325 98362->98328 98364 9e35a4 98363->98364 98365 9a38b7 98363->98365 98364->98365 98366 9e35ad DestroyIcon 98364->98366 98365->98358 98389 a0c874 42 API calls _strftime 98365->98389 98366->98365 98368 9a393f 98367->98368 98369 9a3a13 98367->98369 98370 9a6270 22 API calls 98368->98370 98369->98359 98371 9a394d 98370->98371 98372 9a395a 98371->98372 98373 9e3393 LoadStringW 98371->98373 98374 9a6b57 22 API calls 98372->98374 98375 9e33ad 98373->98375 98376 9a396f 98374->98376 98381 9aa8c7 22 API calls 98375->98381 98383 9a3994 ___scrt_fastfail 98375->98383 98377 9a397c 98376->98377 98378 9e33c9 98376->98378 98377->98375 98379 9a3986 98377->98379 98380 9a6350 22 API calls 98378->98380 98382 9a6350 22 API calls 98379->98382 98384 9e33d7 98380->98384 98381->98383 98382->98383 98386 9a39f9 Shell_NotifyIconW 98383->98386 98384->98383 98385 9a33c6 22 API calls 98384->98385 98387 9e33f9 98385->98387 98386->98369 98388 9a33c6 22 API calls 98387->98388 98388->98383 98389->98358 98390 9a2e37 98391 9aa961 22 API calls 98390->98391 98392 9a2e4d 98391->98392 98469 9a4ae3 98392->98469 98394 9a2e6b 98395 9a3a5a 24 API calls 98394->98395 98396 9a2e7f 98395->98396 98397 9a9cb3 22 API calls 98396->98397 98398 9a2e8c 98397->98398 98399 9a4ecb 94 API calls 98398->98399 98400 9a2ea5 98399->98400 98401 9a2ead 98400->98401 98402 9e2cb0 98400->98402 98405 9aa8c7 22 API calls 98401->98405 98499 a12cf9 98402->98499 98404 9e2cc3 98406 9e2ccf 98404->98406 98408 9a4f39 68 API calls 98404->98408 98407 9a2ec3 98405->98407 98410 9a4f39 68 API calls 98406->98410 98483 9a6f88 22 API calls 98407->98483 98408->98406 98412 9e2ce5 98410->98412 98411 9a2ecf 98413 9a9cb3 22 API calls 98411->98413 98525 
9a3084 22 API calls 98412->98525 98414 9a2edc 98413->98414 98484 9aa81b 41 API calls 98414->98484 98417 9a2eec 98419 9a9cb3 22 API calls 98417->98419 98418 9e2d02 98526 9a3084 22 API calls 98418->98526 98420 9a2f12 98419->98420 98485 9aa81b 41 API calls 98420->98485 98423 9e2d1e 98424 9a3a5a 24 API calls 98423->98424 98425 9e2d44 98424->98425 98527 9a3084 22 API calls 98425->98527 98426 9a2f21 98429 9aa961 22 API calls 98426->98429 98428 9e2d50 98430 9aa8c7 22 API calls 98428->98430 98431 9a2f3f 98429->98431 98432 9e2d5e 98430->98432 98486 9a3084 22 API calls 98431->98486 98528 9a3084 22 API calls 98432->98528 98435 9a2f4b 98487 9c4a28 40 API calls 3 library calls 98435->98487 98436 9e2d6d 98440 9aa8c7 22 API calls 98436->98440 98438 9a2f59 98438->98412 98439 9a2f63 98438->98439 98488 9c4a28 40 API calls 3 library calls 98439->98488 98442 9e2d83 98440->98442 98529 9a3084 22 API calls 98442->98529 98443 9a2f6e 98443->98418 98444 9a2f78 98443->98444 98489 9c4a28 40 API calls 3 library calls 98444->98489 98447 9e2d90 98448 9a2f83 98448->98423 98449 9a2f8d 98448->98449 98490 9c4a28 40 API calls 3 library calls 98449->98490 98451 9a2f98 98452 9a2fdc 98451->98452 98491 9a3084 22 API calls 98451->98491 98452->98436 98453 9a2fe8 98452->98453 98453->98447 98493 9a63eb 22 API calls 98453->98493 98456 9a2fbf 98458 9aa8c7 22 API calls 98456->98458 98457 9a2ff8 98494 9a6a50 22 API calls 98457->98494 98460 9a2fcd 98458->98460 98492 9a3084 22 API calls 98460->98492 98461 9a3006 98495 9a70b0 23 API calls 98461->98495 98466 9a3021 98467 9a3065 98466->98467 98496 9a6f88 22 API calls 98466->98496 98497 9a70b0 23 API calls 98466->98497 98498 9a3084 22 API calls 98466->98498 98470 9a4af0 __wsopen_s 98469->98470 98471 9a6b57 22 API calls 98470->98471 98472 9a4b22 98470->98472 98471->98472 98473 9a4c6d 22 API calls 98472->98473 98482 9a4b58 98472->98482 98473->98472 98474 9a9cb3 22 API calls 98476 9a4c52 98474->98476 98475 9a9cb3 22 API calls 98475->98482 98478 9a515f 22 API calls 
98476->98478 98477 9a4c6d 22 API calls 98477->98482 98479 9a4c5e 98478->98479 98479->98394 98480 9a515f 22 API calls 98480->98482 98481 9a4c29 98481->98474 98481->98479 98482->98475 98482->98477 98482->98480 98482->98481 98483->98411 98484->98417 98485->98426 98486->98435 98487->98438 98488->98443 98489->98448 98490->98451 98491->98456 98492->98452 98493->98457 98494->98461 98495->98466 98496->98466 98497->98466 98498->98466 98500 a12d15 98499->98500 98501 9a511f 64 API calls 98500->98501 98502 a12d29 98501->98502 98503 a12e66 75 API calls 98502->98503 98504 a12d3b 98503->98504 98505 9a50f5 40 API calls 98504->98505 98523 a12d3f 98504->98523 98506 a12d56 98505->98506 98507 9a50f5 40 API calls 98506->98507 98508 a12d66 98507->98508 98509 9a50f5 40 API calls 98508->98509 98510 a12d81 98509->98510 98511 9a50f5 40 API calls 98510->98511 98512 a12d9c 98511->98512 98513 9a511f 64 API calls 98512->98513 98514 a12db3 98513->98514 98515 9cea0c ___std_exception_copy 21 API calls 98514->98515 98516 a12dba 98515->98516 98517 9cea0c ___std_exception_copy 21 API calls 98516->98517 98518 a12dc4 98517->98518 98519 9a50f5 40 API calls 98518->98519 98520 a12dd8 98519->98520 98521 a128fe 27 API calls 98520->98521 98522 a12dee 98521->98522 98522->98523 98524 a122ce 79 API calls 98522->98524 98523->98404 98524->98523 98525->98418 98526->98423 98527->98428 98528->98436 98529->98447 98530 9a1cad SystemParametersInfoW 98531 9a2de3 98532 9a2df0 __wsopen_s 98531->98532 98533 9a2e09 98532->98533 98534 9e2c2b ___scrt_fastfail 98532->98534 98535 9a3aa2 23 API calls 98533->98535 98536 9e2c47 GetOpenFileNameW 98534->98536 98537 9a2e12 98535->98537 98538 9e2c96 98536->98538 98547 9a2da5 98537->98547 98540 9a6b57 22 API calls 98538->98540 98542 9e2cab 98540->98542 98542->98542 98544 9a2e27 98565 9a44a8 98544->98565 98548 9e1f50 __wsopen_s 98547->98548 98549 9a2db2 GetLongPathNameW 98548->98549 98550 9a6b57 22 API calls 98549->98550 98551 9a2dda 98550->98551 98552 9a3598 98551->98552 98553 9aa961 
22 API calls 98552->98553 98554 9a35aa 98553->98554 98555 9a3aa2 23 API calls 98554->98555 98556 9a35b5 98555->98556 98557 9e32eb 98556->98557 98558 9a35c0 98556->98558 98563 9e330d 98557->98563 98600 9bce60 41 API calls 98557->98600 98559 9a515f 22 API calls 98558->98559 98561 9a35cc 98559->98561 98594 9a35f3 98561->98594 98564 9a35df 98564->98544 98566 9a4ecb 94 API calls 98565->98566 98567 9a44cd 98566->98567 98568 9e3833 98567->98568 98569 9a4ecb 94 API calls 98567->98569 98570 a12cf9 80 API calls 98568->98570 98571 9a44e1 98569->98571 98572 9e3848 98570->98572 98571->98568 98575 9a44e9 98571->98575 98573 9e384c 98572->98573 98574 9e3869 98572->98574 98576 9a4f39 68 API calls 98573->98576 98577 9bfe0b 22 API calls 98574->98577 98578 9e3854 98575->98578 98579 9a44f5 98575->98579 98576->98578 98584 9e38ae 98577->98584 98617 a0da5a 82 API calls 98578->98617 98616 9a940c 136 API calls 2 library calls 98579->98616 98582 9e3862 98582->98574 98583 9a2e31 98586 9e3a5f 98584->98586 98587 9aa4a1 22 API calls 98584->98587 98591 9a9cb3 22 API calls 98584->98591 98601 a0967e 98584->98601 98604 a10b5a 98584->98604 98610 9a3ff7 98584->98610 98618 a095ad 42 API calls _wcslen 98584->98618 98585 9a4f39 68 API calls 98585->98586 98586->98585 98619 a0989b 82 API calls __wsopen_s 98586->98619 98587->98584 98591->98584 98595 9a3605 98594->98595 98599 9a3624 __fread_nolock 98594->98599 98597 9bfe0b 22 API calls 98595->98597 98596 9bfddb 22 API calls 98598 9a363b 98596->98598 98597->98599 98598->98564 98599->98596 98600->98557 98602 9bfe0b 22 API calls 98601->98602 98603 a096ae __fread_nolock 98602->98603 98603->98584 98605 a10b65 98604->98605 98606 9bfddb 22 API calls 98605->98606 98607 a10b7c 98606->98607 98608 9a9cb3 22 API calls 98607->98608 98609 a10b87 98608->98609 98609->98584 98611 9a400a 98610->98611 98613 9a40ae 98610->98613 98612 9bfe0b 22 API calls 98611->98612 98614 9a403c 98611->98614 98612->98614 98613->98584 98614->98613 98615 9bfddb 22 API calls 98614->98615 
98615->98614 98616->98583 98617->98582 98618->98584 98619->98586 98620 9e2ba5 98621 9e2baf 98620->98621 98622 9a2b25 98620->98622 98624 9a3a5a 24 API calls 98621->98624 98648 9a2b83 7 API calls 98622->98648 98626 9e2bb8 98624->98626 98628 9a9cb3 22 API calls 98626->98628 98630 9e2bc6 98628->98630 98629 9a2b2f 98631 9a2b44 98629->98631 98635 9a3837 49 API calls 98629->98635 98632 9e2bce 98630->98632 98633 9e2bf5 98630->98633 98639 9a2b5f 98631->98639 98652 9a30f2 Shell_NotifyIconW ___scrt_fastfail 98631->98652 98636 9a33c6 22 API calls 98632->98636 98634 9a33c6 22 API calls 98633->98634 98646 9e2bf1 GetForegroundWindow ShellExecuteW 98634->98646 98635->98631 98637 9e2bd9 98636->98637 98640 9a6350 22 API calls 98637->98640 98645 9a2b66 SetCurrentDirectoryW 98639->98645 98643 9e2be7 98640->98643 98641 9e2c26 98641->98639 98644 9a33c6 22 API calls 98643->98644 98644->98646 98647 9a2b7a 98645->98647 98646->98641 98653 9a2cd4 7 API calls 98648->98653 98650 9a2b2a 98651 9a2c63 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 98650->98651 98651->98629 98652->98639 98653->98650 98654 9a1044 98659 9a10f3 98654->98659 98656 9a104a 98695 9c00a3 29 API calls __onexit 98656->98695 98658 9a1054 98696 9a1398 98659->98696 98663 9a116a 98664 9aa961 22 API calls 98663->98664 98665 9a1174 98664->98665 98666 9aa961 22 API calls 98665->98666 98667 9a117e 98666->98667 98668 9aa961 22 API calls 98667->98668 98669 9a1188 98668->98669 98670 9aa961 22 API calls 98669->98670 98671 9a11c6 98670->98671 98672 9aa961 22 API calls 98671->98672 98673 9a1292 98672->98673 98706 9a171c 98673->98706 98677 9a12c4 98678 9aa961 22 API calls 98677->98678 98679 9a12ce 98678->98679 98680 9b1940 9 API calls 98679->98680 98681 9a12f9 98680->98681 98727 9a1aab 98681->98727 98683 9a1315 98684 9a1325 GetStdHandle 98683->98684 98685 9a137a 98684->98685 98686 9e2485 98684->98686 98689 9a1387 OleInitialize 98685->98689 98686->98685 98687 9e248e 98686->98687 98688 9bfddb 22 API calls 98687->98688 98690 9e2495 
98688->98690 98689->98656 98734 a1011d InitializeCriticalSectionAndSpinCount InterlockedExchange GetCurrentProcess GetCurrentProcess DuplicateHandle 98690->98734 98692 9e249e 98735 a10944 CreateThread 98692->98735 98694 9e24aa CloseHandle 98694->98685 98695->98658 98736 9a13f1 98696->98736 98699 9a13f1 22 API calls 98700 9a13d0 98699->98700 98701 9aa961 22 API calls 98700->98701 98702 9a13dc 98701->98702 98703 9a6b57 22 API calls 98702->98703 98704 9a1129 98703->98704 98705 9a1bc3 6 API calls 98704->98705 98705->98663 98707 9aa961 22 API calls 98706->98707 98708 9a172c 98707->98708 98709 9aa961 22 API calls 98708->98709 98710 9a1734 98709->98710 98711 9aa961 22 API calls 98710->98711 98712 9a174f 98711->98712 98713 9bfddb 22 API calls 98712->98713 98714 9a129c 98713->98714 98715 9a1b4a 98714->98715 98716 9a1b58 98715->98716 98717 9aa961 22 API calls 98716->98717 98718 9a1b63 98717->98718 98719 9aa961 22 API calls 98718->98719 98720 9a1b6e 98719->98720 98721 9aa961 22 API calls 98720->98721 98722 9a1b79 98721->98722 98723 9aa961 22 API calls 98722->98723 98724 9a1b84 98723->98724 98725 9bfddb 22 API calls 98724->98725 98726 9a1b96 RegisterWindowMessageW 98725->98726 98726->98677 98728 9a1abb 98727->98728 98729 9e272d 98727->98729 98730 9bfddb 22 API calls 98728->98730 98743 a13209 23 API calls 98729->98743 98732 9a1ac3 98730->98732 98732->98683 98733 9e2738 98734->98692 98735->98694 98744 a1092a 28 API calls 98735->98744 98737 9aa961 22 API calls 98736->98737 98738 9a13fc 98737->98738 98739 9aa961 22 API calls 98738->98739 98740 9a1404 98739->98740 98741 9aa961 22 API calls 98740->98741 98742 9a13c6 98741->98742 98742->98699 98743->98733 98745 9d8402 98750 9d81be 98745->98750 98748 9d842a 98751 9d81ef try_get_first_available_module 98750->98751 98761 9d8338 98751->98761 98765 9c8e0b 40 API calls 2 library calls 98751->98765 98753 9d83ee 98769 9d27ec 26 API calls ___std_exception_copy 98753->98769 98755 9d8343 98755->98748 98762 9e0984 98755->98762 98757 9d838c 
            (call-graph edge list omitted: the rendered graph is not recoverable from the extracted text. Nodes named in this span: CRT file-open helpers (__wsopen_s, __dosmaperr, ___std_exception_copy, __FrameHandler3::FrameUnwindToState) around CreateFileW, GetFileType, GetLastError, CloseHandle, EnterCriticalSection and LeaveCriticalSection; the AutoIt message loop (GetInputState, PeekMessageW, TranslateMessage, DispatchMessageW, TranslateAcceleratorW, IsDialogMessageW, GetClassLongW, timeGetTime, Sleep); and process-wait and thread-init code (GetExitCodeProcess, WaitForSingleObject, GetForegroundWindow, QueryPerformanceCounter, QueryPerformanceFrequency, SetEvent, ResetEvent, __Init_thread_wait, __onexit).)

            Control-flow Graph
            (legend: Executed / Not Executed)
            control_flow_graph 9a42de-9a434d: graph edge list omitted; the function's API calls (GetVersionExW, GetCurrentProcess, IsWow64Process, LoadLibraryA, GetProcAddress, GetNativeSystemInfo, FreeLibrary, GetSystemInfo) are listed under APIs below.
            APIs
            • GetVersionExW.KERNEL32(?), ref: 009A430D
              • Part of subcall function 009A6B57: _wcslen.LIBCMT ref: 009A6B6A
            • GetCurrentProcess.KERNEL32(?,00A3CB64,00000000,?,?), ref: 009A4422
            • IsWow64Process.KERNEL32(00000000,?,?), ref: 009A4429
            • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 009A4454
            • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 009A4466
            • GetNativeSystemInfo.KERNELBASE(?,?,?), ref: 009A4474
            • FreeLibrary.KERNEL32(00000000,?,?), ref: 009A447B
            • GetSystemInfo.KERNEL32(?,?,?), ref: 009A44A0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
            • String ID: GetNativeSystemInfo$kernel32.dll$|O
            • API String ID: 3290436268-3101561225
            • Opcode ID: a70e039f3fe9a80e2a9f1021cf454ae20e10b65799d90f0176c50f57ce2a48ff
            • Instruction ID: 6fe14cd036985676519626d87c82e61a5173301e29031ed5bc51102e66416e90
            • Opcode Fuzzy Hash: a70e039f3fe9a80e2a9f1021cf454ae20e10b65799d90f0176c50f57ce2a48ff
            • Instruction Fuzzy Hash: AAA1C67290E2C0DFC792CBFDBC851957FE86B66700B04CC99E08D9FA62D2644987DB61

            Control-flow Graph
            (legend: Executed / Not Executed)
            control_flow_graph 9a42a2-9a42ba: graph edge list omitted; the function's API calls (CreateStreamOnHGlobal, FindResourceExW, LoadResource, SizeofResource, LockResource) are listed under APIs below.
            APIs
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,009A50AA,?,?,00000000,00000000), ref: 009A42B2
            • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,009A50AA,?,?,00000000,00000000), ref: 009A42C9
            • LoadResource.KERNEL32(?,00000000,?,?,009A50AA,?,?,00000000,00000000,?,?,?,?,?,?,009A4F20), ref: 009E35BE
            • SizeofResource.KERNEL32(?,00000000,?,?,009A50AA,?,?,00000000,00000000,?,?,?,?,?,?,009A4F20), ref: 009E35D3
            • LockResource.KERNEL32(009A50AA,?,?,009A50AA,?,?,00000000,00000000,?,?,?,?,?,?,009A4F20,?), ref: 009E35E6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
            • String ID: SCRIPT
            • API String ID: 3051347437-3967369404
            • Opcode ID: 3b6999de2238bf9f316d1d0fb0c2732b0895076a52bfa9398e9a0d70000e1da1
            • Instruction ID: 1c04e8255e49b9dec3e75038aca394dd842dc23bcc4eefb91278787d054abb28
            • Opcode Fuzzy Hash: 3b6999de2238bf9f316d1d0fb0c2732b0895076a52bfa9398e9a0d70000e1da1
            • Instruction Fuzzy Hash: 3F118E71240700BFD7219BA5DC48F677BBDEBC6B61F108569F812E6250DBB1DC018760

            Control-flow Graph

            APIs
            • SetCurrentDirectoryW.KERNEL32(?), ref: 009A2B6B
              • Part of subcall function 009A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A71418,?,009A2E7F,?,?,?,00000000), ref: 009A3A78
              • Part of subcall function 009A9CB3: _wcslen.LIBCMT ref: 009A9CBD
            • GetForegroundWindow.USER32(runas,?,?,?,?,?,00A62224), ref: 009E2C10
            • ShellExecuteW.SHELL32(00000000,?,?,00A62224), ref: 009E2C17
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
            • String ID: runas
            • API String ID: 448630720-4000483414
            • Opcode ID: 1bb7de0c0be9d83999f656a0ac0e935327c32369a0a1577a5168d48a4e1f2211
            • Instruction ID: c43120affed63491d70d012672cf604a9560890743659968a175e42728b5f9fd
            • Opcode Fuzzy Hash: 1bb7de0c0be9d83999f656a0ac0e935327c32369a0a1577a5168d48a4e1f2211
            • Instruction Fuzzy Hash: 0111B9715083416BC714FF78DC56BBEB7A8AFD3350F44982DF186520A2DF25894AC792
            APIs
            • lstrlenW.KERNEL32(?,009E5222), ref: 00A0DBCE
            • GetFileAttributesW.KERNELBASE(?), ref: 00A0DBDD
            • FindFirstFileW.KERNELBASE(?,?), ref: 00A0DBEE
            • FindClose.KERNEL32(00000000), ref: 00A0DBFA
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: FileFind$AttributesCloseFirstlstrlen
            • String ID:
            • API String ID: 2695905019-0
            • Opcode ID: 5eb8726e414bd4784d2740cbd846dd313a53dec48d7fffbd212e545c9cc5f532
            • Instruction ID: 03784fa6ff5681da0f26c758b06319141b388f681fad91c083fd498012141e3d
            • Opcode Fuzzy Hash: 5eb8726e414bd4784d2740cbd846dd313a53dec48d7fffbd212e545c9cc5f532
            • Instruction Fuzzy Hash: 51F0A03281092867D220ABF8AC0D8AB7B6C9E01334B104702F836D20E0EBB059568A95
            APIs
            • GetInputState.USER32 ref: 009AD807
            • timeGetTime.WINMM ref: 009ADA07
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009ADB28
            • TranslateMessage.USER32(?), ref: 009ADB7B
            • DispatchMessageW.USER32(?), ref: 009ADB89
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 009ADB9F
            • Sleep.KERNEL32(0000000A), ref: 009ADBB1
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
            • String ID:
            • API String ID: 2189390790-0
            • Opcode ID: 98beec246699199053c42af9ebc64e95382f0be05dfb975b0fff328d8ab1934c
            • Instruction ID: 3da8c48c6e9fc8fecccaad9f25ee5dd15df1355df6c69b15308b5cde3b645636
            • Opcode Fuzzy Hash: 98beec246699199053c42af9ebc64e95382f0be05dfb975b0fff328d8ab1934c
            • Instruction Fuzzy Hash: 2B42F130609345DFD728CF24C894BBAB7E8BF86314F148919F59A876A1D774E884CBD2

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 009A2D07
            • RegisterClassExW.USER32(00000030), ref: 009A2D31
            • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009A2D42
            • InitCommonControlsEx.COMCTL32(?), ref: 009A2D5F
            • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009A2D6F
            • LoadIconW.USER32(000000A9), ref: 009A2D85
            • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009A2D94
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
            • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
            • API String ID: 2914291525-1005189915
            • Opcode ID: d0c5ebe26dde216705ad24450ea0130022c6320c04a35af3cbea48a52e3ecbe9
            • Instruction ID: c90bcd59cc1de82327bb03f9d5506a048ebe26d36053a3513fd922aea0842016
            • Opcode Fuzzy Hash: d0c5ebe26dde216705ad24450ea0130022c6320c04a35af3cbea48a52e3ecbe9
            • Instruction Fuzzy Hash: C521D3B5911308AFDB00DFE8EC49B9DBBF4FB08714F00811AFA15B62A0D7B145828F90

            Control-flow Graph
            (legend: Executed / Not Executed)
            control_flow_graph 9e065b-9e068b: graph edge list omitted; the function opens a file through subcall 9e039a (CreateFileW), then calls GetFileType, GetLastError and CloseHandle with __dosmaperr error mapping via 9cf2a3/9cf2c6/9cf2d9, as listed under APIs below.
            APIs
              • Part of subcall function 009E039A: CreateFileW.KERNELBASE(00000000,00000000,?,009E0704,?,?,00000000,?,009E0704,00000000,0000000C), ref: 009E03B7
            • GetLastError.KERNEL32 ref: 009E076F
            • __dosmaperr.LIBCMT ref: 009E0776
            • GetFileType.KERNELBASE(00000000), ref: 009E0782
            • GetLastError.KERNEL32 ref: 009E078C
            • __dosmaperr.LIBCMT ref: 009E0795
            • CloseHandle.KERNEL32(00000000), ref: 009E07B5
            • CloseHandle.KERNEL32(?), ref: 009E08FF
            • GetLastError.KERNEL32 ref: 009E0931
            • __dosmaperr.LIBCMT ref: 009E0938
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
            • String ID: H
            • API String ID: 4237864984-2852464175
            • Opcode ID: 7100a21517fd77b20794a314810c12340ffb762f3d0315b6d958962eb8e04491
            • Instruction ID: 661907fde22a152ad8df290c1dfb32ee552f0eb87339d7a6bbc79045c1f49958
            • Opcode Fuzzy Hash: 7100a21517fd77b20794a314810c12340ffb762f3d0315b6d958962eb8e04491
            • Instruction Fuzzy Hash: 67A13632A001848FDF1AEFA8DC51BAE7BA4AB86320F14415DF815AF292C7719C53CB91

            Control-flow Graph

            APIs
              • Part of subcall function 009A3A5A: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00A71418,?,009A2E7F,?,?,?,00000000), ref: 009A3A78
              • Part of subcall function 009A3357: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 009A3379
            • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 009A356A
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 009E318D
            • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 009E31CE
            • RegCloseKey.ADVAPI32(?), ref: 009E3210
            • _wcslen.LIBCMT ref: 009E3277
            • _wcslen.LIBCMT ref: 009E3286
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
            • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
            • API String ID: 98802146-2727554177
            • Opcode ID: 4cfd17a41d70bf60fd5588ad6e8964f427a328810d3e14969132b5b7ab73d95b
            • Instruction ID: 1284d7b79aaf03ce0a79ad319cc635eb1a700e985b7d72c7a2b2cd96f4616a04
            • Opcode Fuzzy Hash: 4cfd17a41d70bf60fd5588ad6e8964f427a328810d3e14969132b5b7ab73d95b
            • Instruction Fuzzy Hash: D87192715043009EC314DFA5DC85AABB7F8FFD5750F40882EF5899B1A0EB749A89CB92

            Control-flow Graph

            APIs
            • GetSysColorBrush.USER32(0000000F), ref: 009A2B8E
            • LoadCursorW.USER32(00000000,00007F00), ref: 009A2B9D
            • LoadIconW.USER32(00000063), ref: 009A2BB3
            • LoadIconW.USER32(000000A4), ref: 009A2BC5
            • LoadIconW.USER32(000000A2), ref: 009A2BD7
            • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 009A2BEF
            • RegisterClassExW.USER32(?), ref: 009A2C40
              • Part of subcall function 009A2CD4: GetSysColorBrush.USER32(0000000F), ref: 009A2D07
              • Part of subcall function 009A2CD4: RegisterClassExW.USER32(00000030), ref: 009A2D31
              • Part of subcall function 009A2CD4: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 009A2D42
              • Part of subcall function 009A2CD4: InitCommonControlsEx.COMCTL32(?), ref: 009A2D5F
              • Part of subcall function 009A2CD4: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 009A2D6F
              • Part of subcall function 009A2CD4: LoadIconW.USER32(000000A9), ref: 009A2D85
              • Part of subcall function 009A2CD4: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 009A2D94
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
            • String ID: #$0$AutoIt v3
            • API String ID: 423443420-4155596026
            • Opcode ID: 4b7b9eaf2cc22b5ff159dabf1909940ce03d6e3f0ee6594e1bb3ab9fb39c12f2
            • Instruction ID: 0eafa2b344f4c31c29ea56e8f67127e7454aba27ccdd3127dae97b7e95122232
            • Opcode Fuzzy Hash: 4b7b9eaf2cc22b5ff159dabf1909940ce03d6e3f0ee6594e1bb3ab9fb39c12f2
            • Instruction Fuzzy Hash: FB210975E00314ABDB50DFE9EC59A997FF4FB48B54F00806AF508BA6A0D7B14586CF90

            Control-flow Graph
            (legend: Executed / Not Executed)
            control_flow_graph 9a3170-9a3185: graph edge list omitted; this window procedure dispatches to DefWindowProcW, PostQuitMessage, SetTimer, KillTimer, RegisterWindowMessageW and CreatePopupMenu (listed under APIs below) and, in the non-executed branches, MoveWindow and SetFocus.
            APIs
            • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,009A316A,?,?), ref: 009A31D8
            • KillTimer.USER32(?,00000001,?,?,?,?,?,009A316A,?,?), ref: 009A3204
            • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 009A3227
            • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,009A316A,?,?), ref: 009A3232
            • CreatePopupMenu.USER32 ref: 009A3246
            • PostQuitMessage.USER32(00000000), ref: 009A3267
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
            • String ID: TaskbarCreated
            • API String ID: 129472671-2362178303
            • Opcode ID: 29f3215b92330f08cdfc3b6d98c0db249d77bcdee33c01793e31692755f38102
            • Instruction ID: e4e5eb7f59b32aca661275046561acd714beaf6d5eecaee3b12a49f97a557293
            • Opcode Fuzzy Hash: 29f3215b92330f08cdfc3b6d98c0db249d77bcdee33c01793e31692755f38102
            • Instruction Fuzzy Hash: 4B417831244204ABDF159BBC9D0EB793A9DEB47350F04C125FE1A9A1E1DB748E8287E1

            Control-flow Graph
            (legend: Executed / Not Executed)
            control_flow_graph 9d8d45-9d8d55: graph edge list omitted; the function is a CRT read routine that calls GetConsoleMode, ReadConsoleW, ReadFile and GetLastError, with __dosmaperr error mapping via 9cf2a3/9cf2c6/9cf2d9.
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: d8057ed59104bb48f2cb24b05c7d8cb0b9784b988cf5b1c695b7b78981f497fc
            • Instruction ID: fc2d978928b5d75ac175aaf0639bd599bf4e79686748b8e06014d135b454bd3e
            • Opcode Fuzzy Hash: d8057ed59104bb48f2cb24b05c7d8cb0b9784b988cf5b1c695b7b78981f497fc
            • Instruction Fuzzy Hash: 09C1F474E44249AFDB11EFECDC41BAEBBB5AF49310F04809AF418AB392C7349941CB61

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 608 f22610-f226be call f20000 611 f226c5-f226eb call f23520 CreateFileW 608->611 614 f226f2-f22702 611->614 615 f226ed 611->615 620 f22704 614->620 621 f22709-f22723 VirtualAlloc 614->621 616 f2283d-f22841 615->616 617 f22883-f22886 616->617 618 f22843-f22847 616->618 622 f22889-f22890 617->622 623 f22853-f22857 618->623 624 f22849-f2284c 618->624 620->616 625 f22725 621->625 626 f2272a-f22741 ReadFile 621->626 627 f22892-f2289d 622->627 628 f228e5-f228fa 622->628 629 f22867-f2286b 623->629 630 f22859-f22863 623->630 624->623 625->616 633 f22743 626->633 634 f22748-f22788 VirtualAlloc 626->634 635 f228a1-f228ad 627->635 636 f2289f 627->636 637 f2290a-f22912 628->637 638 f228fc-f22907 VirtualFree 628->638 631 f2287b 629->631 632 f2286d-f22877 629->632 630->629 631->617 632->631 633->616 639 f2278a 634->639 640 f2278f-f227aa call f23770 634->640 641 f228c1-f228cd 635->641 642 f228af-f228bf 635->642 636->628 638->637 639->616 648 f227b5-f227bf 640->648 645 f228da-f228e0 641->645 646 f228cf-f228d8 641->646 644 f228e3 642->644 644->622 645->644 646->644 649 f227f2-f22806 call f23580 648->649 650 f227c1-f227f0 call f23770 648->650 655 f2280a-f2280e 649->655 656 f22808 649->656 650->648 658 f22810-f22814 FindCloseChangeNotification 655->658 659 f2281a-f2281e 655->659 656->616 658->659 660 f22820-f2282b VirtualFree 659->660 661 f2282e-f22837 659->661 660->661 661->611 661->616
            APIs
            • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00F226E1
            • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F22907
            Memory Dump Source
            • Source File: 00000000.00000002.1660466081.0000000000F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f20000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CreateFileFreeVirtual
            • String ID:
            • API String ID: 204039940-0
            • Opcode ID: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
            • Instruction ID: a5c976d278f0d1f07e2e7620c588a872896e9a123935b8d9d2df31c94bc717a8
            • Opcode Fuzzy Hash: e3e00bf9dbafeb2e33b0b1731302cb2fbf5584eb46f22b1b855d3d8c7a9348fe
            • Instruction Fuzzy Hash: 28A13775E00219EBDB54CFA4D894BEEBBB5FF48314F208159E501BB280D7799A80EF94

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 672 9a2c63-9a2cd3 CreateWindowExW * 2 ShowWindow * 2
            APIs
            • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 009A2C91
            • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 009A2CB2
            • ShowWindow.USER32(00000000,?,?,?,?,?,?,009A1CAD,?), ref: 009A2CC6
            • ShowWindow.USER32(00000000,?,?,?,?,?,?,009A1CAD,?), ref: 009A2CCF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Window$CreateShow
            • String ID: AutoIt v3$edit
            • API String ID: 1584632944-3779509399
            • Opcode ID: 1269cfe907b1a10e20c54e90869eacd819009d1d9680f847d790b3cbe1896d0c
            • Instruction ID: 457397c8ad7a902fa2302733fe2d80db6df60af62b7ee8c253e1f89dcc60a80b
            • Opcode Fuzzy Hash: 1269cfe907b1a10e20c54e90869eacd819009d1d9680f847d790b3cbe1896d0c
            • Instruction Fuzzy Hash: 6FF030796403907AE770876B6C0DE773EBDD7C6F60F018059F908A6560D2610882DA70

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 787 f223b0-f2250b call f20000 call f222a0 CreateFileW 794 f22512-f22522 787->794 795 f2250d 787->795 798 f22524 794->798 799 f22529-f22543 VirtualAlloc 794->799 796 f225c2-f225c7 795->796 798->796 800 f22547-f2255e ReadFile 799->800 801 f22545 799->801 802 f22562-f2259c call f222e0 call f212a0 800->802 803 f22560 800->803 801->796 808 f225b8-f225c0 ExitProcess 802->808 809 f2259e-f225b3 call f22330 802->809 803->796 808->796 809->808
            APIs
              • Part of subcall function 00F222A0: Sleep.KERNELBASE(000001F4), ref: 00F222B1
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00F22501
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660466081.0000000000F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f20000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CreateFileSleep
            • String ID: 5X807KQ6SFALJ57A8K6TIAD7XY89
            • API String ID: 2694422964-4137398608
            • Opcode ID: ffe35fc2701be30d75629b4fc07c5c48ddd533a946e2b55af1d18f15dddd369e
            • Instruction ID: b716bb4a91331df40f0717154a0e148ae72d99f8e912544e5f9bf37e9d02a3a9
            • Opcode Fuzzy Hash: ffe35fc2701be30d75629b4fc07c5c48ddd533a946e2b55af1d18f15dddd369e
            • Instruction Fuzzy Hash: D961C370D04298EAEF11DBF4D855BDEBBB89F15304F048189E209BB2C1D7BA0B49CB65

            Control-flow Graph

            APIs
            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A12C05
            • DeleteFileW.KERNEL32(?), ref: 00A12C87
            • CopyFileW.KERNELBASE(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A12C9D
            • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A12CAE
            • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00A12CC0
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: File$Delete$Copy
            • String ID:
            • API String ID: 3226157194-0
            • Opcode ID: e07155473c4c52c798227ae9a22d8b46a74e25e4b41043437700737935bf54a0
            • Instruction ID: 34f2ee802f70811a6546ac58168c40d7e143d3c516608aae7a96c9b41ec56950
            • Opcode Fuzzy Hash: e07155473c4c52c798227ae9a22d8b46a74e25e4b41043437700737935bf54a0
            • Instruction Fuzzy Hash: 8EB13E71E01129ABDF11DBA4CD85FDEB7BDEF49350F1040A6F609E6141EA30DA948FA1

            Control-flow Graph

            • Executed
            • Not Executed
            control_flow_graph 953 9a3b1c-9a3b27 954 9a3b99-9a3b9b 953->954 955 9a3b29-9a3b2e 953->955 956 9a3b8c-9a3b8f 954->956 955->954 957 9a3b30-9a3b48 RegOpenKeyExW 955->957 957->954 958 9a3b4a-9a3b69 RegQueryValueExW 957->958 959 9a3b6b-9a3b76 958->959 960 9a3b80-9a3b8b RegCloseKey 958->960 961 9a3b78-9a3b7a 959->961 962 9a3b90-9a3b97 959->962 960->956 963 9a3b7e 961->963 962->963 963->960
            APIs
            • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,009A3B0F,SwapMouseButtons,00000004,?), ref: 009A3B40
            • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,009A3B0F,SwapMouseButtons,00000004,?), ref: 009A3B61
            • RegCloseKey.KERNELBASE(00000000,?,?,?,80000001,80000001,?,009A3B0F,SwapMouseButtons,00000004,?), ref: 009A3B83
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CloseOpenQueryValue
            • String ID: Control Panel\Mouse
            • API String ID: 3677997916-824357125
            • Opcode ID: 8864f51c7774e1ad371ef238bb6548389b706f097d42b0b1e2ed9b9544731a92
            • Instruction ID: e9d17e9d44af956487ec9f004575fac7e2638d24004fa709819d3a3c428ac854
            • Opcode Fuzzy Hash: 8864f51c7774e1ad371ef238bb6548389b706f097d42b0b1e2ed9b9544731a92
            • Instruction Fuzzy Hash: BD112AB5511208FFDB20CFA5DC85ABEB7BDEF06754B108959B805E7110E3319E419BA0
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 00F21A5B
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F21AF1
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F21B13
            Memory Dump Source
            • Source File: 00000000.00000002.1660466081.0000000000F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f20000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
            • Instruction ID: 536d7528db24a2720bb9644b0e16cba00207ad5016425262750d9c696595a447
            • Opcode Fuzzy Hash: 75058a4f97cf2fcbd3f6bc15a6ffc08ef8895de4d25848071cc819695d886454
            • Instruction Fuzzy Hash: 22620930A14658DBEB24CFA4D850BDEB372FF68300F1091A9D10DEB294E7799E81DB59
            Strings
            • Variable must be of type 'Object'., xrefs: 009F32B7
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID:
            • String ID: Variable must be of type 'Object'.
            • API String ID: 0-109567571
            • Opcode ID: 83a0b500d0fa23ce047f046f3a21446355a97f1893e1008a89eb30cb314dc462
            • Instruction ID: 331a0300a4bb6755fe97d805365815f4bdb24748fd0fd9d6133e4dd864717dfc
            • Opcode Fuzzy Hash: 83a0b500d0fa23ce047f046f3a21446355a97f1893e1008a89eb30cb314dc462
            • Instruction Fuzzy Hash: 3EC28A71A00215CFCB24CF98C890BADB7B5FF4A310F248569E916AB391D779ED81CB91
            APIs
            • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 009E33A2
              • Part of subcall function 009A6B57: _wcslen.LIBCMT ref: 009A6B6A
            • Shell_NotifyIconW.SHELL32(00000001,?), ref: 009A3A04
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: IconLoadNotifyShell_String_wcslen
            • String ID: Line:
            • API String ID: 2289894680-1585850449
            • Opcode ID: 57007400c728df50dc9697d4e73770bdb49ccb568e7afaaf0f7787950ebe89c0
            • Instruction ID: 49e6f69a71bb4c99fcaeca7c076f9311a28fb8d4e056423dc93294c44a1521d4
            • Opcode Fuzzy Hash: 57007400c728df50dc9697d4e73770bdb49ccb568e7afaaf0f7787950ebe89c0
            • Instruction Fuzzy Hash: 8131CF71408300AED721EB64DC46FEBB7ECAB82710F00892AF59997191EF749A49C7D2
            APIs
            • __CxxThrowException@8.LIBVCRUNTIME ref: 009C0668
              • Part of subcall function 009C32A4: RaiseException.KERNEL32(?,?,?,009C068A,?,00A71444,?,?,?,?,?,?,009C068A,009A1129,00A68738,009A1129), ref: 009C3304
            • __CxxThrowException@8.LIBVCRUNTIME ref: 009C0685
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Exception@8Throw$ExceptionRaise
            • String ID: Unknown exception
            • API String ID: 3476068407-410509341
            • Opcode ID: 5db8f4456779d6badf4c186a3ecb93a3eb867bdadef93e6bf846f9836aa56d14
            • Instruction ID: 5cc927982dbe70196bddd1dc27ae874ba6a14970a48c421ff5af7b4f7fd6a021
            • Opcode Fuzzy Hash: 5db8f4456779d6badf4c186a3ecb93a3eb867bdadef93e6bf846f9836aa56d14
            • Instruction Fuzzy Hash: 99F0C234D0020DB78F00BA64DD5AF9E7B6C6EC0350F608A39B828D65D1EF71DB25C682
            APIs
            • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00A1302F
            • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 00A13044
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Temp$FileNamePath
            • String ID: aut
            • API String ID: 3285503233-3010740371
            • Opcode ID: e0592fa4fb369c7ae4e24f19816a86f612fe5cea97caf2db92614aadec32aaed
            • Instruction ID: e7ef5431b158bfc16800b7f597d1234095d056dc00dd32d01e31b57137e0604c
            • Opcode Fuzzy Hash: e0592fa4fb369c7ae4e24f19816a86f612fe5cea97caf2db92614aadec32aaed
            • Instruction Fuzzy Hash: 33D05E7250032877DA20E7E4AC0EFCB3A7CDB04760F0006A1BA55E2091DAB09985CBD0
            APIs
            • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00A282F5
            • TerminateProcess.KERNEL32(00000000), ref: 00A282FC
            • FreeLibrary.KERNEL32(?,?,?,?), ref: 00A284DD
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Process$CurrentFreeLibraryTerminate
            • String ID:
            • API String ID: 146820519-0
            • Opcode ID: 24cdc4c69ce04e173f578729118d634d110155a56b41a065cba60bd28f7c016e
            • Instruction ID: bebb73f8989dafc74bb93d7f35b713c097f8a86134f88faa8de5d7b08f2d60fb
            • Opcode Fuzzy Hash: 24cdc4c69ce04e173f578729118d634d110155a56b41a065cba60bd28f7c016e
            • Instruction Fuzzy Hash: 14128C719083119FC714DF28D580B6ABBE1BF89328F04896DF8998B252DB35ED45CF92
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: e1794a22d4c34211ad4a6cb70cd6d77c14505ce807369ebcfbb7de11af3fb983
            • Instruction ID: 1427ba6246dbbddf707b4ce4b2b50e4be6a494207ee4bc1795e587d27d8e42da
            • Opcode Fuzzy Hash: e1794a22d4c34211ad4a6cb70cd6d77c14505ce807369ebcfbb7de11af3fb983
            • Instruction Fuzzy Hash: 9251E071D90609AFDB20AFB8C845FAEBBB8AF45310F16801BF404B7391D7799901DB62
            APIs
              • Part of subcall function 009A1BC3: MapVirtualKeyW.USER32(0000005B,00000000), ref: 009A1BF4
              • Part of subcall function 009A1BC3: MapVirtualKeyW.USER32(00000010,00000000), ref: 009A1BFC
              • Part of subcall function 009A1BC3: MapVirtualKeyW.USER32(000000A0,00000000), ref: 009A1C07
              • Part of subcall function 009A1BC3: MapVirtualKeyW.USER32(000000A1,00000000), ref: 009A1C12
              • Part of subcall function 009A1BC3: MapVirtualKeyW.USER32(00000011,00000000), ref: 009A1C1A
              • Part of subcall function 009A1BC3: MapVirtualKeyW.USER32(00000012,00000000), ref: 009A1C22
              • Part of subcall function 009A1B4A: RegisterWindowMessageW.USER32(00000004,?,009A12C4), ref: 009A1BA2
            • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 009A136A
            • OleInitialize.OLE32 ref: 009A1388
            • CloseHandle.KERNEL32(00000000,00000000), ref: 009E24AB
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
            • String ID:
            • API String ID: 1986988660-0
            • Opcode ID: 0403078841cf0b271dd9ad6c741e9330bd12fdd4d8885a6a11256d33599a3ebd
            • Instruction ID: e61fe78846aa1784e3a114684a58c9fe2989431b6e930d12d67fdc21fe656390
            • Opcode Fuzzy Hash: 0403078841cf0b271dd9ad6c741e9330bd12fdd4d8885a6a11256d33599a3ebd
            • Instruction Fuzzy Hash: 8F71ABB49212008FC388EFFDAD56A563BE5FB89354B54C22AE00ED7361EB304482CF95
            APIs
            • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000001,?,00000000), ref: 009A556D
            • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001), ref: 009A557D
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: FilePointer
            • String ID:
            • API String ID: 973152223-0
            • Opcode ID: e112ae5f0b0798aa2f7f66952db857e08b776c9e5b7dc56ac7859e385ebed4f0
            • Instruction ID: d8d139a092f815d5dc9c3437c81531ae291396aa459132fa1d16361ce94e7188
            • Opcode Fuzzy Hash: e112ae5f0b0798aa2f7f66952db857e08b776c9e5b7dc56ac7859e385ebed4f0
            • Instruction Fuzzy Hash: 52313A71A00A09EFDB14CF68C880B99B7B6FB48714F158629F91997240D775FE94CBD0
            APIs
            • FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,009D85CC,?,00A68CC8,0000000C), ref: 009D8704
            • GetLastError.KERNEL32(?,009D85CC,?,00A68CC8,0000000C), ref: 009D870E
            • __dosmaperr.LIBCMT ref: 009D8739
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
            • String ID:
            • API String ID: 490808831-0
            • Opcode ID: 37b58f49d38fe7cfe8a63b4dea2d07cd270fa3d0b4c42d066a82c802e4580587
            • Instruction ID: 50664025aca0d5365537206781772e6aec9fdfc89dfba8ae559eec6b4fc7e891
            • Opcode Fuzzy Hash: 37b58f49d38fe7cfe8a63b4dea2d07cd270fa3d0b4c42d066a82c802e4580587
            • Instruction Fuzzy Hash: FF014E32A8566066D664A7746C49F7FAB4D8BC1774F3AC11BF8189B3D3DEA1CC818350
            APIs
            • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,00000000,?,?,00A12CD4,?,?,?,00000004,00000001), ref: 00A12FF2
            • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,00A12CD4,?,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A13006
            • CloseHandle.KERNEL32(00000000,?,00A12CD4,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00A1300D
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: File$CloseCreateHandleTime
            • String ID:
            • API String ID: 3397143404-0
            • Opcode ID: 0f81027a8d9dddd78ad2e1f7149699a0aa9818f31513ef1b54008f8508e611d9
            • Instruction ID: 8d80571968ba920c00f0e5fe69c86570a492c7ddeea6a34fc1089d295b3bc5f9
            • Opcode Fuzzy Hash: 0f81027a8d9dddd78ad2e1f7149699a0aa9818f31513ef1b54008f8508e611d9
            • Instruction Fuzzy Hash: 90E0CD3228031077D6301795BC0DFCB7E5CD7CAF71F104310F719790D046A0550253A8
            APIs
            • __Init_thread_footer.LIBCMT ref: 009B17F6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Init_thread_footer
            • String ID: CALL
            • API String ID: 1385522511-4196123274
            • Opcode ID: cafba5bb56360b7018de47d8de0c8f2a3a2200d6b33308a45760189be05d642d
            • Instruction ID: d97956e36a478c0b61622fbaf300fbfda13fa4c043f5e2e54a1034492422e622
            • Opcode Fuzzy Hash: cafba5bb56360b7018de47d8de0c8f2a3a2200d6b33308a45760189be05d642d
            • Instruction Fuzzy Hash: 54229A70608301DFC714DF14C9A0BAABBF6BF85324F64892DF5968B2A1D775E841CB92
            APIs
            • _wcslen.LIBCMT ref: 00A16F6B
              • Part of subcall function 009A4ECB: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00A71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009A4EFD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: LibraryLoad_wcslen
            • String ID: >>>AUTOIT SCRIPT<<<
            • API String ID: 3312870042-2806939583
            • Opcode ID: e76fd7bd88afc1e19a180880d6f4858326b5400bb85a0002d26a51fa98c234c3
            • Instruction ID: fbf0ab5d4e036cd7842b75382718a9b335ee304be44e341ed6c529a5bb4eb4a7
            • Opcode Fuzzy Hash: e76fd7bd88afc1e19a180880d6f4858326b5400bb85a0002d26a51fa98c234c3
            • Instruction Fuzzy Hash: 3DB15F315082019FCB14EF24C891AAEB7F5BFD5350F14895DF496972A2EB30ED89CB92
            APIs
            • GetOpenFileNameW.COMDLG32(?), ref: 009E2C8C
              • Part of subcall function 009A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009A3A97,?,?,009A2E7F,?,?,?,00000000), ref: 009A3AC2
              • Part of subcall function 009A2DA5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009A2DC4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Name$Path$FileFullLongOpen
            • String ID: X
            • API String ID: 779396738-3081909835
            • Opcode ID: a439dbc7ef1bb0dbc47b830c58d27480d6b76fa6b52d3d5e622b3d60b31d9bcf
            • Instruction ID: 46a4da197410667ddfecc323298cc8e3256c7fe6547cf39146d03821b90bcbda
            • Opcode Fuzzy Hash: a439dbc7ef1bb0dbc47b830c58d27480d6b76fa6b52d3d5e622b3d60b31d9bcf
            • Instruction Fuzzy Hash: E0219371A002989BDB01DF98CC45BEE7BFCAF89314F108059E405A7241DBB89A898BA1
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: __fread_nolock
            • String ID: EA06
            • API String ID: 2638373210-3962188686
            • Opcode ID: 4493222d75bfdbe4b9f741b4dc33f894c00a7e0bd902a358e74765598bd809b9
            • Instruction ID: 55f64baf5eb8a6df77c48139cb12fcd17dd610330b11f8d938e5d752cd67dc36
            • Opcode Fuzzy Hash: 4493222d75bfdbe4b9f741b4dc33f894c00a7e0bd902a358e74765598bd809b9
            • Instruction Fuzzy Hash: B901B572D442587EDF28C7A8C856FEEBBF89B55311F00455EE193D2181E5B8E6188B60
            APIs
            • Shell_NotifyIconW.SHELL32(00000000,?), ref: 009A3908
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: IconNotifyShell_
            • String ID:
            • API String ID: 1144537725-0
            • Opcode ID: ac6a56007c238ec34cf421cea0b9999a0246852420f476ba5905afccbdfca6db
            • Instruction ID: ae10e037eadbf0266030f3974f3ff49bc29a3e192474a45551fcf3289cf9ac41
            • Opcode Fuzzy Hash: ac6a56007c238ec34cf421cea0b9999a0246852420f476ba5905afccbdfca6db
            • Instruction Fuzzy Hash: 5631D270A04300DFD760DF68D885B97BBE8FB8A708F00492EF59987240E775AA44CB92
            APIs
            • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,009A949C,?,00008000), ref: 009A5773
            • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,?,?,009A949C,?,00008000), ref: 009E4052
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            • Opcode ID: 5ef6c18a029ac7c2c3b5d0adf4b5a22bddb55ae89a367a700bbcac8ffcb7c6c8
            • Instruction ID: 264669dae560079f5409eb01ef49cf949fe8696e4c7e812cfcf7986e8f2c3b77
            • Opcode Fuzzy Hash: 5ef6c18a029ac7c2c3b5d0adf4b5a22bddb55ae89a367a700bbcac8ffcb7c6c8
            • Instruction Fuzzy Hash: 7F019E30245325BAE3314A6ACC0EF977F98EF027B0F118310BAAC6A1E0CBB45855DBD0
            APIs
            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,00000000,00000002,?,?,?,?,009A9879,?,?,?), ref: 009A6E33
            • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,?,?,00000000,?,?,?,009A9879,?,?,?), ref: 009A6E69
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ByteCharMultiWide
            • String ID:
            • API String ID: 626452242-0
            • Opcode ID: fcaa2b62b0d7f94de1432ea5592001a2a726145bcbcecb1aa509768d720fe4d9
            • Instruction ID: 253cd4bf4ba220cd655a0c7f3e1c0a0de7e58d6e53f0ff9b18296f68b918a8da
            • Opcode Fuzzy Hash: fcaa2b62b0d7f94de1432ea5592001a2a726145bcbcecb1aa509768d720fe4d9
            • Instruction Fuzzy Hash: 8401D4713002007FEB19ABB9AD1BF7F7AADDB86710F14013DB106DA1E1E960AD009660
            APIs
            • __Init_thread_footer.LIBCMT ref: 009ABB4E
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Init_thread_footer
            • String ID:
            • API String ID: 1385522511-0
            • Opcode ID: bbc586ddeebf896a4af1dbdac450f23624476cf67568fdfd9762bc34875582c6
            • Instruction ID: d05fbe14985908fc867984bfb9203944517b0935c1170ac9a9f97ff32b590280
            • Opcode Fuzzy Hash: bbc586ddeebf896a4af1dbdac450f23624476cf67568fdfd9762bc34875582c6
            • Instruction Fuzzy Hash: E632BD35A00209DFDB24CF58C894BBEB7BDEF86314F148059EA15AB252D778ED81CB91
            APIs
            • CreateProcessW.KERNELBASE(?,00000000), ref: 00F21A5B
            • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F21AF1
            • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F21B13
            Memory Dump Source
            • Source File: 00000000.00000002.1660466081.0000000000F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f20000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Process$ContextCreateMemoryReadThreadWow64
            • String ID:
            • API String ID: 2438371351-0
            • Opcode ID: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
            • Instruction ID: a3cfbba9f00ff54a84b1d5c8913bd9b1b1aa2bc1f48c64cfd729bc64b9a84676
            • Opcode Fuzzy Hash: 935c44ad8318b3af66d252774f477c9026677184fbf87e93bc0843909b837ee7
            • Instruction Fuzzy Hash: E812BD24E18658C6EB24DF64D8507DEB232FF68300F1090E9910DEB7A5E77A5E81CF5A
            APIs
              • Part of subcall function 009A4E90: LoadLibraryA.KERNEL32(kernel32.dll,?,?,009A4EDD,?,00A71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009A4E9C
              • Part of subcall function 009A4E90: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 009A4EAE
              • Part of subcall function 009A4E90: FreeLibrary.KERNEL32(00000000,?,?,009A4EDD,?,00A71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009A4EC0
            • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,00A71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009A4EFD
              • Part of subcall function 009A4E59: LoadLibraryA.KERNEL32(kernel32.dll,?,?,009E3CDE,?,00A71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009A4E62
              • Part of subcall function 009A4E59: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 009A4E74
              • Part of subcall function 009A4E59: FreeLibrary.KERNEL32(00000000,?,?,009E3CDE,?,00A71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009A4E87
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Library$Load$AddressFreeProc
            • String ID:
            • API String ID: 2632591731-0
            • Opcode ID: 96059dd5eb85c1bb57021745995a8c7c4e9a2ecc5345ae9323aae73cdd97dcda
            • Instruction ID: dc09385c2e370ef592a813a18dc1c1c1bd45aabe1a6c3722852895c2bbbac6e7
            • Opcode Fuzzy Hash: 96059dd5eb85c1bb57021745995a8c7c4e9a2ecc5345ae9323aae73cdd97dcda
            • Instruction Fuzzy Hash: 4511C132610205AACF14AB60DD06FAD77A5AFC1B10F20882DF552AA1C1EEB4EE459B90
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: __wsopen_s
            • String ID:
            • API String ID: 3347428461-0
            • Opcode ID: 7cec80610950ab4612c274eff745d396666053ce6ed878bdea975b4eeb9f85d3
            • Instruction ID: fd640b5cee6d0842e00a3040d8c36ff0889cd41331c877076bf89f867c1a74f2
            • Opcode Fuzzy Hash: 7cec80610950ab4612c274eff745d396666053ce6ed878bdea975b4eeb9f85d3
            • Instruction Fuzzy Hash: 8911187590410AAFCB05DF58E941A9B7BF9EF48314F10805AF808AB312DB31EA11CBA5
            APIs
            • ReadFile.KERNELBASE(?,?,00010000,00000000,00000000,?,?,00000000,?,009A543F,?,00010000,00000000,00000000,00000000,00000000), ref: 009A9A9C
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: FileRead
            • String ID:
            • API String ID: 2738559852-0
            • Opcode ID: b58802f0eab0450345effe6f7f44da5dc1d7ee9988349b45ec54a29dd2e2ec37
            • Instruction ID: 178a5efdd7ab52128e4daf08b1ad0213248d66c3d0c447ca5468135fb3978b6c
            • Opcode Fuzzy Hash: b58802f0eab0450345effe6f7f44da5dc1d7ee9988349b45ec54a29dd2e2ec37
            • Instruction Fuzzy Hash: 30114832204B059FD720CF15C880B66B7F9FF45764F10C42EE99B8AA51C770A945CBA0
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
            • Instruction ID: b9f7b3b571f47ee13cc64a1fb72c2240b88840ce07ebc3938c8f0b162bc02dbe
            • Opcode Fuzzy Hash: 4bdb02cb5d44b5d694786f455fb1b19b1376b5bca3dd6da9f9dc09084e2e4678
            • Instruction Fuzzy Hash: AAF0F432D21A1497D6313A798E05F5B339C9FE2330F104B2EF422922D2DB74E80186A7
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: _wcslen
            • String ID:
            • API String ID: 176396367-0
            • Opcode ID: e5ae0284a8e1c74d5c21a40028d27b23a0e0331802692773227312db900d97bb
            • Instruction ID: d2dd8a162d78591e33c4d33a448a47e0403df5319377de90d26b0c4b75c4a19e
            • Opcode Fuzzy Hash: e5ae0284a8e1c74d5c21a40028d27b23a0e0331802692773227312db900d97bb
            • Instruction Fuzzy Hash: A0F0C8B36006006ED7149F28DC06FA7BB98EB84770F10852EF619CB1D1DB31E51087E0
            APIs
            • RtlAllocateHeap.NTDLL(00000000,?,00A71444,?,009BFDF5,?,?,009AA976,00000010,00A71440,009A13FC,?,009A13C6,?,009A1129), ref: 009D3852
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: AllocateHeap
            • String ID:
            • API String ID: 1279760036-0
            • Opcode ID: 0d8dcaabf08eb680af47db3b4daf8069cd2691cc10635057f915c31277bb6dcb
            • Instruction ID: ad7b3b83d79f6058d01db474f6de9c0221eb61208bc2ef6b3fc020a68a6615b3
            • Opcode Fuzzy Hash: 0d8dcaabf08eb680af47db3b4daf8069cd2691cc10635057f915c31277bb6dcb
            • Instruction Fuzzy Hash: 76E0E53168022456E62166A69C00F9A365EAB827B2F09C126BC1597A80CB50DE01A2E3
            APIs
            • _free.LIBCMT ref: 009D4D9C
              • Part of subcall function 009D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009DD7D1,00000000,00000000,00000000,00000000,?,009DD7F8,00000000,00000007,00000000,?,009DDBF5,00000000), ref: 009D29DE
              • Part of subcall function 009D29C8: GetLastError.KERNEL32(00000000,?,009DD7D1,00000000,00000000,00000000,00000000,?,009DD7F8,00000000,00000007,00000000,?,009DDBF5,00000000,00000000), ref: 009D29F0
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ErrorFreeHeapLast_free
            • String ID:
            • API String ID: 1353095263-0
            • Opcode ID: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
            • Instruction ID: 6b6f6b946cc175cc20f3c23ae630c7b7b3086e3a67d9d03476857dc91ac9ebf8
            • Opcode Fuzzy Hash: a7136b118dd25681eba1fac516c3f168631d39be7bcab1b26d5392532d0b3266
            • Instruction Fuzzy Hash: 4CE092361403059F8720CF6CD400A82B7F9EF94320720C52AE89DE7310D331F812CB80
            APIs
            • FreeLibrary.KERNEL32(?,?,00A71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009A4F6D
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: FreeLibrary
            • String ID:
            • API String ID: 3664257935-0
            • Opcode ID: c4a5e6c2594ce2190d91e20bfb7930628c7f7ad2297840e2243390d731b72370
            • Instruction ID: 65ccf0f5d048f3e299e63c4ee60afe82d0420d19ee353f998a43304e33e3bdd1
            • Opcode Fuzzy Hash: c4a5e6c2594ce2190d91e20bfb7930628c7f7ad2297840e2243390d731b72370
            • Instruction Fuzzy Hash: F6F0A071005341CFCB348F60D890812B7E4AF413293209D7EE1DA82610C7B59844DF81
            APIs
            • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 009A2DC4
              • Part of subcall function 009A6B57: _wcslen.LIBCMT ref: 009A6B6A
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: LongNamePath_wcslen
            • String ID:
            • API String ID: 541455249-0
            • Opcode ID: 7f60d2b9dbfaed8d0aa11ff83beee5efc8b335b79fceed6752f5df24d4339ebd
            • Instruction ID: ff8879d7a8132f426e68589c7d8afdfa26e4a9de4b6c0272508cda8094e34f4c
            • Opcode Fuzzy Hash: 7f60d2b9dbfaed8d0aa11ff83beee5efc8b335b79fceed6752f5df24d4339ebd
            • Instruction Fuzzy Hash: 12E0CD726041245BC711E2989C05FDA77DDDFC8790F040071FD09E7248DA70ED808690
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: __fread_nolock
            • String ID:
            • API String ID: 2638373210-0
            • Opcode ID: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
            • Instruction ID: fab4d264209eab1a1d5f5190df301299ac6e9be3cc9d80a4d222a6090f1f021b
            • Opcode Fuzzy Hash: 62c4ae1466583100269b95fce18df2779376e23d7999e61a0ae1b5108404e028
            • Instruction Fuzzy Hash: 6DE04FB0609B005FDF399B28A851BF677E8DF49300F04086EF6AB82252E57268958B4D
            APIs
              • Part of subcall function 009A3837: Shell_NotifyIconW.SHELL32(00000000,?), ref: 009A3908
              • Part of subcall function 009AD730: GetInputState.USER32 ref: 009AD807
            • SetCurrentDirectoryW.KERNEL32(?), ref: 009A2B6B
              • Part of subcall function 009A30F2: Shell_NotifyIconW.SHELL32(00000002,?), ref: 009A314E
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: IconNotifyShell_$CurrentDirectoryInputState
            • String ID:
            • API String ID: 3667716007-0
            • Opcode ID: 81fdc532dc4f345a80a73af064698b3ec59959e15c608c8b15279490a69b391e
            • Instruction ID: d206c2dd21c5e5454b3e9d50b4804b4c8bea97ce7df83f62ad27bd56df83bf98
            • Opcode Fuzzy Hash: 81fdc532dc4f345a80a73af064698b3ec59959e15c608c8b15279490a69b391e
            • Instruction Fuzzy Hash: 41E0866230425407C608BB78AC5667DA7999BD3351F40953EF14B971A2CE24454643D1
            APIs
            • CreateFileW.KERNELBASE(00000000,00000000,?,009E0704,?,?,00000000,?,009E0704,00000000,0000000C), ref: 009E03B7
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CreateFile
            • String ID:
            • API String ID: 823142352-0
            • Opcode ID: 13277b419bef579934fd99ef75625dbd9b6c6b9c46a6529912f06145666f87d0
            • Instruction ID: 4c1fad42060cae90e64c3d53c3b3425a7df81e9ffa8a0dff10b30d5e978b7597
            • Opcode Fuzzy Hash: 13277b419bef579934fd99ef75625dbd9b6c6b9c46a6529912f06145666f87d0
            • Instruction Fuzzy Hash: 3ED06C3204020DBBDF028F84DD06EDA3BAAFB48714F014100BE1866020C732E822AB90
            APIs
            • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 009A1CBC
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: InfoParametersSystem
            • String ID:
            • API String ID: 3098949447-0
            • Opcode ID: 2b72e56849b5a29aa318f7e66cfa572ef6375f2fde0132cd29b14e708fa159b2
            • Instruction ID: 147b6c6890312247ac415dcdf29035a068e656ec72a74853099c2de092a8c5a6
            • Opcode Fuzzy Hash: 2b72e56849b5a29aa318f7e66cfa572ef6375f2fde0132cd29b14e708fa159b2
            • Instruction Fuzzy Hash: A2C092362C0304EFF214CBD4BC4EF1077A4A348B15F04C002F64DA95E3C3A228A2EB60
            APIs
              • Part of subcall function 009A5745: CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,009A949C,?,00008000), ref: 009A5773
            • GetLastError.KERNEL32(00000002,00000000), ref: 00A176DE
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CreateErrorFileLast
            • String ID:
            • API String ID: 1214770103-0
            • Opcode ID: baf48f53933576f454f730f4b3475d6a577448f35a9d2223246eb92628555d6a
            • Instruction ID: 2dc7fd69f988b7f99f70aeeb85abf97dd0cd7891baf4594afae7a0d02c795f57
            • Opcode Fuzzy Hash: baf48f53933576f454f730f4b3475d6a577448f35a9d2223246eb92628555d6a
            • Instruction Fuzzy Hash: 7D815C306087019FCB14EF28C491BAEB7F1BF8A354F04555DF8965B292DB34AD85CB92
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: AllocVirtual
            • String ID:
            • API String ID: 4275171209-0
            • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
            • Instruction ID: 3ebc9e963e9afff060cb853ea1f52198d29f2ea1e63f8445ddebd09af1a5b940
            • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
            • Instruction Fuzzy Hash: 7B31EC75A00109DBC718CF59D9A09A9FBA5FF89320B2486A5E849CF656D731EDC1CBC0
            APIs
            • Sleep.KERNELBASE(000001F4), ref: 00F222B1
            Memory Dump Source
            • Source File: 00000000.00000002.1660466081.0000000000F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f20000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Sleep
            • String ID:
            • API String ID: 3472027048-0
            • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
            • Instruction ID: 36b8a4508af70fb3100e369f37152c9b916f46eafdf1e6d69b4e7f63f9c364e5
            • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
            • Instruction Fuzzy Hash: 0FE0BF7494110EEFDB00EFA8D5496DE7BB4EF04311F1005A1FD05D7690DB319E549A62
            APIs
            • Sleep.KERNELBASE(000001F4), ref: 00F222B1
            Memory Dump Source
            • Source File: 00000000.00000002.1660466081.0000000000F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 00F20000, based on PE: false
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_f20000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Sleep
            • String ID:
            • API String ID: 3472027048-0
            • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
            • Instruction ID: 77ae67489619a5a8d5454c43c1ae0d0d9daf59ca1d16302bd87cf064c64ac661
            • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
            • Instruction Fuzzy Hash: 06E0E67494110EEFDB00EFB8D54969E7FB4EF04301F100161FD01D2280D6319D509A72
            APIs
              • Part of subcall function 009B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009B9BB2
            • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00A3961A
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A3965B
            • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00A3969F
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A396C9
            • SendMessageW.USER32 ref: 00A396F2
            • GetKeyState.USER32(00000011), ref: 00A3978B
            • GetKeyState.USER32(00000009), ref: 00A39798
            • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00A397AE
            • GetKeyState.USER32(00000010), ref: 00A397B8
            • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A397E9
            • SendMessageW.USER32 ref: 00A39810
            • SendMessageW.USER32(?,00001030,?,00A37E95), ref: 00A39918
            • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00A3992E
            • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00A39941
            • SetCapture.USER32(?), ref: 00A3994A
            • ClientToScreen.USER32(?,?), ref: 00A399AF
            • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00A399BC
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A399D6
            • ReleaseCapture.USER32 ref: 00A399E1
            • GetCursorPos.USER32(?), ref: 00A39A19
            • ScreenToClient.USER32(?,?), ref: 00A39A26
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00A39A80
            • SendMessageW.USER32 ref: 00A39AAE
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00A39AEB
            • SendMessageW.USER32 ref: 00A39B1A
            • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00A39B3B
            • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00A39B4A
            • GetCursorPos.USER32(?), ref: 00A39B68
            • ScreenToClient.USER32(?,?), ref: 00A39B75
            • GetParent.USER32(?), ref: 00A39B93
            • SendMessageW.USER32(?,00001012,00000000,?), ref: 00A39BFA
            • SendMessageW.USER32 ref: 00A39C2B
            • ClientToScreen.USER32(?,?), ref: 00A39C84
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00A39CB4
            • SendMessageW.USER32(?,00001111,00000000,?), ref: 00A39CDE
            • SendMessageW.USER32 ref: 00A39D01
            • ClientToScreen.USER32(?,?), ref: 00A39D4E
            • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00A39D82
              • Part of subcall function 009B9944: GetWindowLongW.USER32(?,000000EB), ref: 009B9952
            • GetWindowLongW.USER32(?,000000F0), ref: 00A39E05
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease
            • String ID: @GUI_DRAGID$F
            • API String ID: 3429851547-4164748364
            • Opcode ID: a72bee158cd1400f70dc5c235c322468ae795033f7dddf1a9bdb2bcfbc4f67f5
            • Instruction ID: 6017aea652d371ffa779c876139ceabeecdbad322eb3509b7f202d356f0054a5
            • Opcode Fuzzy Hash: a72bee158cd1400f70dc5c235c322468ae795033f7dddf1a9bdb2bcfbc4f67f5
            • Instruction Fuzzy Hash: 81428A35205201AFDB24CF68CC85FABBBE5FF89320F104619F699972A1D7B1E851CB51
            APIs
            • SendMessageW.USER32(00000000,00000408,00000000,00000000), ref: 00A348F3
            • SendMessageW.USER32(00000000,00000188,00000000,00000000), ref: 00A34908
            • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00A34927
            • SendMessageW.USER32(?,00000148,00000000,00000000), ref: 00A3494B
            • SendMessageW.USER32(00000000,00000147,00000000,00000000), ref: 00A3495C
            • SendMessageW.USER32(00000000,00000149,00000000,00000000), ref: 00A3497B
            • SendMessageW.USER32(00000000,0000130B,00000000,00000000), ref: 00A349AE
            • SendMessageW.USER32(00000000,0000133C,00000000,?), ref: 00A349D4
            • SendMessageW.USER32(00000000,0000110A,00000009,00000000), ref: 00A34A0F
            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A34A56
            • SendMessageW.USER32(00000000,0000113E,00000000,00000004), ref: 00A34A7E
            • IsMenu.USER32(?), ref: 00A34A97
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A34AF2
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A34B20
            • GetWindowLongW.USER32(?,000000F0), ref: 00A34B94
            • SendMessageW.USER32(?,0000113E,00000000,00000008), ref: 00A34BE3
            • SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00A34C82
            • wsprintfW.USER32 ref: 00A34CAE
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A34CC9
            • GetWindowTextW.USER32(?,00000000,00000001), ref: 00A34CF1
            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A34D13
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A34D33
            • GetWindowTextW.USER32(?,00000000,00000001), ref: 00A34D5A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: MessageSend$MenuWindow$InfoItemText$Longwsprintf
            • String ID: %d/%02d/%02d
            • API String ID: 4054740463-328681919
            • Opcode ID: eb02648f2098135967b3085028826bfded97738e7f8de96ef443eccbd46fc9fe
            • Instruction ID: bc6f1900b8b135f50d72b34a93ebb80a9a38d8a9e52bf8e20ff0232aa7416bf7
            • Opcode Fuzzy Hash: eb02648f2098135967b3085028826bfded97738e7f8de96ef443eccbd46fc9fe
            • Instruction Fuzzy Hash: 5C120471600214ABEB258F68CC4AFBE7BF8EF89750F144129F515EB2E1DB78A941CB50
            APIs
            • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 009BF998
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 009FF474
            • IsIconic.USER32(00000000), ref: 009FF47D
            • ShowWindow.USER32(00000000,00000009), ref: 009FF48A
            • SetForegroundWindow.USER32(00000000), ref: 009FF494
            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009FF4AA
            • GetCurrentThreadId.KERNEL32 ref: 009FF4B1
            • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 009FF4BD
            • AttachThreadInput.USER32(?,00000000,00000001), ref: 009FF4CE
            • AttachThreadInput.USER32(?,00000000,00000001), ref: 009FF4D6
            • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 009FF4DE
            • SetForegroundWindow.USER32(00000000), ref: 009FF4E1
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 009FF4F6
            • keybd_event.USER32(00000012,00000000), ref: 009FF501
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 009FF50B
            • keybd_event.USER32(00000012,00000000), ref: 009FF510
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 009FF519
            • keybd_event.USER32(00000012,00000000), ref: 009FF51E
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 009FF528
            • keybd_event.USER32(00000012,00000000), ref: 009FF52D
            • SetForegroundWindow.USER32(00000000), ref: 009FF530
            • AttachThreadInput.USER32(?,000000FF,00000000), ref: 009FF557
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
            • String ID: Shell_TrayWnd
            • API String ID: 4125248594-2988720461
            • Opcode ID: 715f171c9f0e01bcd9159e0667e724a2b7bcd1bf5235a67e1ad92b85595f7a0f
            • Instruction ID: 8e87c363ccbf2ff0b70af1e24e013bc8f2bfcc6bd38e6434733723fd5f883d8c
            • Opcode Fuzzy Hash: 715f171c9f0e01bcd9159e0667e724a2b7bcd1bf5235a67e1ad92b85595f7a0f
            • Instruction Fuzzy Hash: C6311071A8021CBAEB21ABF55C4AFBF7E6DEB44B60F100465FA01F61D1D6B19901AB60
            APIs
              • Part of subcall function 00A016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A0170D
              • Part of subcall function 00A016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A0173A
              • Part of subcall function 00A016C3: GetLastError.KERNEL32 ref: 00A0174A
            • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00A01286
            • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00A012A8
            • CloseHandle.KERNEL32(?), ref: 00A012B9
            • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00A012D1
            • GetProcessWindowStation.USER32 ref: 00A012EA
            • SetProcessWindowStation.USER32(00000000), ref: 00A012F4
            • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00A01310
              • Part of subcall function 00A010BF: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A011FC), ref: 00A010D4
              • Part of subcall function 00A010BF: CloseHandle.KERNEL32(?,?,00A011FC), ref: 00A010E9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
            • String ID: $default$winsta0
            • API String ID: 22674027-1027155976
            • Opcode ID: c9ba4cc72a7071f16cb53cebc98fdcc16a507daa4a09e8f57a53f6eb8b9f6f9f
            • Instruction ID: 980b807f6eb624c148088fdd27ab1c17f48ec8eeddbfe629c4a5df0dc7a4a4da
            • Opcode Fuzzy Hash: c9ba4cc72a7071f16cb53cebc98fdcc16a507daa4a09e8f57a53f6eb8b9f6f9f
            • Instruction Fuzzy Hash: 4A8199B1A0020DABDF21DFA4EC49FEE7BB9EF08714F144129F911B61A0C7328A55CB21
            APIs
              • Part of subcall function 00A010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A01114
              • Part of subcall function 00A010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00A00B9B,?,?,?), ref: 00A01120
              • Part of subcall function 00A010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A00B9B,?,?,?), ref: 00A0112F
              • Part of subcall function 00A010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A00B9B,?,?,?), ref: 00A01136
              • Part of subcall function 00A010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A0114D
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A00BCC
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A00C00
            • GetLengthSid.ADVAPI32(?), ref: 00A00C17
            • GetAce.ADVAPI32(?,00000000,?), ref: 00A00C51
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A00C6D
            • GetLengthSid.ADVAPI32(?), ref: 00A00C84
            • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00A00C8C
            • HeapAlloc.KERNEL32(00000000), ref: 00A00C93
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A00CB4
            • CopySid.ADVAPI32(00000000), ref: 00A00CBB
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A00CEA
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A00D0C
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A00D1E
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A00D45
            • HeapFree.KERNEL32(00000000), ref: 00A00D4C
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A00D55
            • HeapFree.KERNEL32(00000000), ref: 00A00D5C
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A00D65
            • HeapFree.KERNEL32(00000000), ref: 00A00D6C
            • GetProcessHeap.KERNEL32(00000000,?), ref: 00A00D78
            • HeapFree.KERNEL32(00000000), ref: 00A00D7F
              • Part of subcall function 00A01193: GetProcessHeap.KERNEL32(00000008,00A00BB1,?,00000000,?,00A00BB1,?), ref: 00A011A1
              • Part of subcall function 00A01193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00A00BB1,?), ref: 00A011A8
              • Part of subcall function 00A01193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00A00BB1,?), ref: 00A011B7
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
            • String ID:
            • API String ID: 4175595110-0
            • Opcode ID: 1d925093758b9ddb5f58626f7e6ef568ad0ef45f86e6874ee0f4c69bc2960716
            • Instruction ID: 33f88b2516134c74d147323dc941d0106624dd021d36967c7c983dd63f882382
            • Opcode Fuzzy Hash: 1d925093758b9ddb5f58626f7e6ef568ad0ef45f86e6874ee0f4c69bc2960716
            • Instruction Fuzzy Hash: 9471587290021AABDF10DFE4EC44FAEBBB8BF05310F044615F915B6291D771AA06CBB0
            APIs
            • OpenClipboard.USER32(00A3CC08), ref: 00A1EB29
            • IsClipboardFormatAvailable.USER32(0000000D), ref: 00A1EB37
            • GetClipboardData.USER32(0000000D), ref: 00A1EB43
            • CloseClipboard.USER32 ref: 00A1EB4F
            • GlobalLock.KERNEL32(00000000), ref: 00A1EB87
            • CloseClipboard.USER32 ref: 00A1EB91
            • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00A1EBBC
            • IsClipboardFormatAvailable.USER32(00000001), ref: 00A1EBC9
            • GetClipboardData.USER32(00000001), ref: 00A1EBD1
            • GlobalLock.KERNEL32(00000000), ref: 00A1EBE2
            • GlobalUnlock.KERNEL32(00000000,?), ref: 00A1EC22
            • IsClipboardFormatAvailable.USER32(0000000F), ref: 00A1EC38
            • GetClipboardData.USER32(0000000F), ref: 00A1EC44
            • GlobalLock.KERNEL32(00000000), ref: 00A1EC55
            • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00A1EC77
            • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00A1EC94
            • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00A1ECD2
            • GlobalUnlock.KERNEL32(00000000,?,?), ref: 00A1ECF3
            • CountClipboardFormats.USER32 ref: 00A1ED14
            • CloseClipboard.USER32 ref: 00A1ED59
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
            • String ID:
            • API String ID: 420908878-0
            • Opcode ID: 530f67fe15ceeac999ddb0d672196be568944e08a2f0f36d2a2a739f0d03f5b2
            • Instruction ID: 5f9a1f9971171e54323d2c4fb2aef9381ba82d39ff61bf8e958a143b94bc7e28
            • Opcode Fuzzy Hash: 530f67fe15ceeac999ddb0d672196be568944e08a2f0f36d2a2a739f0d03f5b2
            • Instruction Fuzzy Hash: B561C0352083019FD300EF64DC89FAAB7E8AF85754F18951DF856972A1CB31DD86CBA2
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 00A169BE
            • FindClose.KERNEL32(00000000), ref: 00A16A12
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A16A4E
            • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00A16A75
              • Part of subcall function 009A9CB3: _wcslen.LIBCMT ref: 009A9CBD
            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00A16AB2
            • FileTimeToSystemTime.KERNEL32(?,?), ref: 00A16ADF
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
            • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
            • API String ID: 3830820486-3289030164
            • Opcode ID: 47928784bed24cd652258fa326a02e74137bf31914d0a852415470a72f1cdccf
            • Instruction ID: dcc77289195037cc2046ce782ae1840d9c2ec6a6cd02ce8c60ac0ab602a38fa7
            • Opcode Fuzzy Hash: 47928784bed24cd652258fa326a02e74137bf31914d0a852415470a72f1cdccf
            • Instruction Fuzzy Hash: C4D13E72508310AEC710EBA4CD96EABB7FCBF89704F04491DF589D6191EB74DA44CBA2
            APIs
            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00A19663
            • GetFileAttributesW.KERNEL32(?), ref: 00A196A1
            • SetFileAttributesW.KERNEL32(?,?), ref: 00A196BB
            • FindNextFileW.KERNEL32(00000000,?), ref: 00A196D3
            • FindClose.KERNEL32(00000000), ref: 00A196DE
            • FindFirstFileW.KERNEL32(*.*,?), ref: 00A196FA
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00A1974A
            • SetCurrentDirectoryW.KERNEL32(00A66B7C), ref: 00A19768
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00A19772
            • FindClose.KERNEL32(00000000), ref: 00A1977F
            • FindClose.KERNEL32(00000000), ref: 00A1978F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
            • String ID: *.*
            • API String ID: 1409584000-438819550
            • Opcode ID: 3c828353bb052e39b3620d0a40cacb75c166c3b869ad8b60833fe4c643c0c4aa
            • Instruction ID: 6148ee9596e5b5f072045abd6d39df5d9415ca184d4b8c001185aa6a7abdf2fa
            • Opcode Fuzzy Hash: 3c828353bb052e39b3620d0a40cacb75c166c3b869ad8b60833fe4c643c0c4aa
            • Instruction Fuzzy Hash: 2931AD32940619BADB14EFF4DC59ADF77ACAF49320F104566F815E20A0EB30DA85CB24
            APIs
            • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00A197BE
            • FindNextFileW.KERNEL32(00000000,?), ref: 00A19819
            • FindClose.KERNEL32(00000000), ref: 00A19824
            • FindFirstFileW.KERNEL32(*.*,?), ref: 00A19840
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00A19890
            • SetCurrentDirectoryW.KERNEL32(00A66B7C), ref: 00A198AE
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00A198B8
            • FindClose.KERNEL32(00000000), ref: 00A198C5
            • FindClose.KERNEL32(00000000), ref: 00A198D5
              • Part of subcall function 00A0DAE5: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00A0DB00
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
            • String ID: *.*
            • API String ID: 2640511053-438819550
            • Opcode ID: 819c64bfe0002ba79c25277244b6ffa95d1ae394d8fce6fb28411bc8531d5902
            • Instruction ID: be7672a177ebadaa7bad50d6b5aadd41fe330674a7417bcbba4e2fdc9d9c788d
            • Opcode Fuzzy Hash: 819c64bfe0002ba79c25277244b6ffa95d1ae394d8fce6fb28411bc8531d5902
            • Instruction Fuzzy Hash: 06319E32540619BEDB10EFE4EC59ADF77ACAF4A370F144566F814A21A0EB30DA85CB60
            APIs
            • GetLocalTime.KERNEL32(?), ref: 00A18257
            • SystemTimeToFileTime.KERNEL32(?,?), ref: 00A18267
            • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00A18273
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A18310
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00A18324
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00A18356
            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A1838C
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00A18395
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CurrentDirectoryTime$File$Local$System
            • String ID: *.*
            • API String ID: 1464919966-438819550
            • Opcode ID: 1147deee973fe15c46ecac4ee59d427f62a08a71656a0cb09a3f34b687e78688
            • Instruction ID: cea09196cea986b0a5ff0bd12e905f040213c9165b1ee5103dc31e58e686960a
            • Opcode Fuzzy Hash: 1147deee973fe15c46ecac4ee59d427f62a08a71656a0cb09a3f34b687e78688
            • Instruction Fuzzy Hash: 216169B25043459FCB10EF64C844AEEB3E8FF89310F04891EF99997251EB35E945CB92
            APIs
              • Part of subcall function 009A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009A3A97,?,?,009A2E7F,?,?,?,00000000), ref: 009A3AC2
              • Part of subcall function 00A0E199: GetFileAttributesW.KERNEL32(?,00A0CF95), ref: 00A0E19A
            • FindFirstFileW.KERNEL32(?,?), ref: 00A0D122
            • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00A0D1DD
            • MoveFileW.KERNEL32(?,?), ref: 00A0D1F0
            • DeleteFileW.KERNEL32(?,?,?,?), ref: 00A0D20D
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00A0D237
              • Part of subcall function 00A0D29C: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00A0D21C,?,?), ref: 00A0D2B2
            • FindClose.KERNEL32(00000000,?,?,?), ref: 00A0D253
            • FindClose.KERNEL32(00000000), ref: 00A0D264
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
            • String ID: \*.*
            • API String ID: 1946585618-1173974218
            • Opcode ID: bf80aceec5fe59a560ad5d355d6ae488f161034fe115cbc9091ea12c24859bf7
            • Instruction ID: 0b9424f6a0a987deb7323d9940a6c6453da46b34efd2bca0431ff66cb2f04431
            • Opcode Fuzzy Hash: bf80aceec5fe59a560ad5d355d6ae488f161034fe115cbc9091ea12c24859bf7
            • Instruction Fuzzy Hash: 77613C3280511DAFCF05EBE0EE52AEEB775AF95340F248169E40277191EB356F09DBA0
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Clipboard$AllocCloseEmptyGlobalOpen
            • String ID:
            • API String ID: 1737998785-0
            • Opcode ID: 468a676c5430f54f896d110afa3d28befd1029eca9d0af34e9e5839c81cae059
            • Instruction ID: 7bbde4b0aa83957e29c00f8a7c187b399fbf05783956fcee2de738ff8bcbc0d0
            • Opcode Fuzzy Hash: 468a676c5430f54f896d110afa3d28befd1029eca9d0af34e9e5839c81cae059
            • Instruction Fuzzy Hash: 31419D35604611AFD310DF65E889B5ABBE5EF44328F14C099F8199F6A2C735EC82CB90
            APIs
              • Part of subcall function 00A016C3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A0170D
              • Part of subcall function 00A016C3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A0173A
              • Part of subcall function 00A016C3: GetLastError.KERNEL32 ref: 00A0174A
            • ExitWindowsEx.USER32(?,00000000), ref: 00A0E932
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
            • String ID: $ $@$SeShutdownPrivilege
            • API String ID: 2234035333-3163812486
            • Opcode ID: 55b0efea65f98e473eeeb8a6c2100d2c70d40ccc84a4e02963ee42c554ffc000
            • Instruction ID: 218293ffad4449ed264fe9eff4fc3850c0e84532ff4825f64a8d7e1748040a61
            • Opcode Fuzzy Hash: 55b0efea65f98e473eeeb8a6c2100d2c70d40ccc84a4e02963ee42c554ffc000
            • Instruction Fuzzy Hash: 0901D673A10219ABEB54A7B4BD86BBBB26CA714790F154D21FC12F21D1D5A15C40A290
            APIs
            • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00A21276
            • WSAGetLastError.WSOCK32 ref: 00A21283
            • bind.WSOCK32(00000000,?,00000010), ref: 00A212BA
            • WSAGetLastError.WSOCK32 ref: 00A212C5
            • closesocket.WSOCK32(00000000), ref: 00A212F4
            • listen.WSOCK32(00000000,00000005), ref: 00A21303
            • WSAGetLastError.WSOCK32 ref: 00A2130D
            • closesocket.WSOCK32(00000000), ref: 00A2133C
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ErrorLast$closesocket$bindlistensocket
            • String ID:
            • API String ID: 540024437-0
            • Opcode ID: 691a53cc25010a52e05b086015642f59c53885b6f3ff41f2bf97fed7397e8043
            • Instruction ID: dc0501c2b0dc4debc13695e115316e3d7274bb943bdbe8526ee047a71de4d50f
            • Opcode Fuzzy Hash: 691a53cc25010a52e05b086015642f59c53885b6f3ff41f2bf97fed7397e8043
            • Instruction Fuzzy Hash: 62418631600110DFD710DF68D884B69B7E6AF96328F1881A8E8569F292C771ED82CBE1
            APIs
              • Part of subcall function 009A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009A3A97,?,?,009A2E7F,?,?,?,00000000), ref: 009A3AC2
              • Part of subcall function 00A0E199: GetFileAttributesW.KERNEL32(?,00A0CF95), ref: 00A0E19A
            • FindFirstFileW.KERNEL32(?,?), ref: 00A0D420
            • DeleteFileW.KERNEL32(?,?,?,?), ref: 00A0D470
            • FindNextFileW.KERNEL32(00000000,00000010), ref: 00A0D481
            • FindClose.KERNEL32(00000000), ref: 00A0D498
            • FindClose.KERNEL32(00000000), ref: 00A0D4A1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
            • String ID: \*.*
            • API String ID: 2649000838-1173974218
            • Opcode ID: dde35163375e211e742e38e5b5763674ee33e6e349b2a42a60dbebd39903ae20
            • Instruction ID: 4884b9690e62470670f3044a8656624e506e52c08a262e8240d14215ea9550a6
            • Opcode Fuzzy Hash: dde35163375e211e742e38e5b5763674ee33e6e349b2a42a60dbebd39903ae20
            • Instruction Fuzzy Hash: 16315E72018355AFC304EFA4DC919AFB7A8BED2354F448A1DF4D193191EB35AA09C7A3
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: __floor_pentium4
            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
            • API String ID: 4168288129-2761157908
            • Opcode ID: 833a46afc1a833a674fb3fe7b79744326a46552fe875c9e6ca72771b1796ec79
            • Instruction ID: faeafb8d9c9db85a053159070b9f91752e1cd2f9687735d2917f2a25406f4365
            • Opcode Fuzzy Hash: 833a46afc1a833a674fb3fe7b79744326a46552fe875c9e6ca72771b1796ec79
            • Instruction Fuzzy Hash: 9BC24A71E446288BDB25DF28DD517EAB7B9EB84304F1485EBD44EE7240E778AE818F40
            APIs
            • _wcslen.LIBCMT ref: 00A164DC
            • CoInitialize.OLE32(00000000), ref: 00A16639
            • CoCreateInstance.OLE32(00A3FCF8,00000000,00000001,00A3FB68,?), ref: 00A16650
            • CoUninitialize.OLE32 ref: 00A168D4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CreateInitializeInstanceUninitialize_wcslen
            • String ID: .lnk
            • API String ID: 886957087-24824748
            • Opcode ID: a24f396ab6ebb6ad37bc3e0520981cce455fcf9b5053475459712ae309c619f4
            • Instruction ID: f8377a767ee706c57ffb170674d335408ca7321007b1b7cd8c18a4e5d8d7d1aa
            • Opcode Fuzzy Hash: a24f396ab6ebb6ad37bc3e0520981cce455fcf9b5053475459712ae309c619f4
            • Instruction Fuzzy Hash: 1CD14871508201AFC304EF24C881EABB7E9FFD9714F04896DF5958B2A1EB71E945CB92
            APIs
            • GetForegroundWindow.USER32(?,?,00000000), ref: 00A222E8
              • Part of subcall function 00A1E4EC: GetWindowRect.USER32(?,?), ref: 00A1E504
            • GetDesktopWindow.USER32 ref: 00A22312
            • GetWindowRect.USER32(00000000), ref: 00A22319
            • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00A22355
            • GetCursorPos.USER32(?), ref: 00A22381
            • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00A223DF
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Window$Rectmouse_event$CursorDesktopForeground
            • String ID:
            • API String ID: 2387181109-0
            • Opcode ID: 457a566bbef591bc3101b575718a1ea8c1d1250d396ef7428474047b70370f7c
            • Instruction ID: c1a655771fca5088e40fab2b7658492b635ac476c09d8fcf03a285595218d416
            • Opcode Fuzzy Hash: 457a566bbef591bc3101b575718a1ea8c1d1250d396ef7428474047b70370f7c
            • Instruction Fuzzy Hash: D531E372504315AFD720DF58DC45F5BB7A9FF84720F000A29F985AB191DB34E909CB92
            APIs
              • Part of subcall function 009A9CB3: _wcslen.LIBCMT ref: 009A9CBD
            • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00A19B78
            • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00A19C8B
              • Part of subcall function 00A13874: GetInputState.USER32 ref: 00A138CB
              • Part of subcall function 00A13874: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A13966
            • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00A19BA8
            • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00A19C75
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
            • String ID: *.*
            • API String ID: 1972594611-438819550
            • Opcode ID: d005b2908e534d7c29bbf7f557e470a903e837e1695f6cb3d4ebcc2d79bd1526
            • Instruction ID: 17c82b1d698a8c1b6babb16f9bacf057dbc5861ea4011390144b3365d298b915
            • Opcode Fuzzy Hash: d005b2908e534d7c29bbf7f557e470a903e837e1695f6cb3d4ebcc2d79bd1526
            • Instruction Fuzzy Hash: 94416F7190421AAFCF54DFA4CD55AEEBBB8FF45310F144155F845A2191EB309E84CFA1
            APIs
              • Part of subcall function 009B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009B9BB2
            • DefDlgProcW.USER32(?,?,?,?,?), ref: 009B9A4E
            • GetSysColor.USER32(0000000F), ref: 009B9B23
            • SetBkColor.GDI32(?,00000000), ref: 009B9B36
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Color$LongProcWindow
            • String ID:
            • API String ID: 3131106179-0
            • Opcode ID: 83ae5dbd1ed6ec2f0c3f87bc743e2f9c5bb9c713fa99d4a049a705932cfec7cc
            • Instruction ID: adbaf59fe87cb07988e268debaf3e46b9f34fa6153e8915c663ead30d1c734c5
            • Opcode Fuzzy Hash: 83ae5dbd1ed6ec2f0c3f87bc743e2f9c5bb9c713fa99d4a049a705932cfec7cc
            • Instruction Fuzzy Hash: E3A15E70128518BEE728EA7C8E89EFB769DDF82360F154509F302C6691CA299D42C372
            APIs
              • Part of subcall function 00A2304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A2307A
              • Part of subcall function 00A2304E: _wcslen.LIBCMT ref: 00A2309B
            • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00A2185D
            • WSAGetLastError.WSOCK32 ref: 00A21884
            • bind.WSOCK32(00000000,?,00000010), ref: 00A218DB
            • WSAGetLastError.WSOCK32 ref: 00A218E6
            • closesocket.WSOCK32(00000000), ref: 00A21915
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ErrorLast$_wcslenbindclosesocketinet_addrsocket
            • String ID:
            • API String ID: 1601658205-0
            • Opcode ID: ca2fbf771f1c1baded5cafbc2687f363d59fb687c94fe39303585846d5f83ca3
            • Instruction ID: 1d01f4d71343a29bb4aa95fd38a7a5e0c57611fc1106baa80d2db185597ffbe9
            • Opcode Fuzzy Hash: ca2fbf771f1c1baded5cafbc2687f363d59fb687c94fe39303585846d5f83ca3
            • Instruction Fuzzy Hash: E251C471A00210AFDB10EF64D886F6A77E5AB85718F088458F915AF3D3D771ED418BE1
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Window$EnabledForegroundIconicVisibleZoomed
            • String ID:
            • API String ID: 292994002-0
            • Opcode ID: b65cb92004c56ef8a208ff48742fc791131f9bb2e268e22da53969def47624f2
            • Instruction ID: e653010dc79e75153959f81ecc6a9bb409fbded4bf4a20731a52360bdaa5198f
            • Opcode Fuzzy Hash: b65cb92004c56ef8a208ff48742fc791131f9bb2e268e22da53969def47624f2
            • Instruction Fuzzy Hash: FB21AE317402109FD7208F2ACC94B6A7BE5EF85365F19A068F84A9B351DB71EC42CB90
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID:
            • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
            • API String ID: 0-1546025612
            • Opcode ID: dbcc6a2a295c7cdfa71b8c08855c8e5d7ed0ebc2f5eebefc7007427ffed2ca09
            • Instruction ID: c66a190d6646d906982b14b7623c9a2c97bd127dbd91a04f4d5ed317fcf90783
            • Opcode Fuzzy Hash: dbcc6a2a295c7cdfa71b8c08855c8e5d7ed0ebc2f5eebefc7007427ffed2ca09
            • Instruction Fuzzy Hash: EDA2CE70E0025ACBDF25CF59C8407AEB7B5FF55314F2585AAE816AB281EB349D81CF90
            APIs
            • CreateToolhelp32Snapshot.KERNEL32 ref: 00A2A6AC
            • Process32FirstW.KERNEL32(00000000,?), ref: 00A2A6BA
              • Part of subcall function 009A9CB3: _wcslen.LIBCMT ref: 009A9CBD
            • Process32NextW.KERNEL32(00000000,?), ref: 00A2A79C
            • CloseHandle.KERNEL32(00000000), ref: 00A2A7AB
              • Part of subcall function 009BCE60: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,009E3303,?), ref: 009BCE8A
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
            • String ID:
            • API String ID: 1991900642-0
            • Opcode ID: e38e3f0cbcb5f18d31a8800509351521e2aa9f65a74e410298ca9491e6c58e6e
            • Instruction ID: 984adfd68e1207903e9b1e6ef50874ac1b64f5d51d5446f2b5d347689e0c83a6
            • Opcode Fuzzy Hash: e38e3f0cbcb5f18d31a8800509351521e2aa9f65a74e410298ca9491e6c58e6e
            • Instruction Fuzzy Hash: F1514EB15083109FD710EF28D886A6BBBE8FFC9754F00892DF59997251EB30D905CB92
            APIs
            • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00A0AAAC
            • SetKeyboardState.USER32(00000080), ref: 00A0AAC8
            • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00A0AB36
            • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00A0AB88
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            • Opcode ID: 966ce58603ba5164ff5e299ce7842ef0464d18c7e96875cb2adfc651ab9565ae
            • Instruction ID: e59b39205540de2a4617ed65622e397f60c08be6b9f0d392f81928ecf1214bca
            • Opcode Fuzzy Hash: 966ce58603ba5164ff5e299ce7842ef0464d18c7e96875cb2adfc651ab9565ae
            • Instruction Fuzzy Hash: AD311431A4030CAEFB35CB68EC05BFA7BA6EB66320F04421AF085961D1D374CD81C762
            APIs
            • _free.LIBCMT ref: 009DBB7F
              • Part of subcall function 009D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009DD7D1,00000000,00000000,00000000,00000000,?,009DD7F8,00000000,00000007,00000000,?,009DDBF5,00000000), ref: 009D29DE
              • Part of subcall function 009D29C8: GetLastError.KERNEL32(00000000,?,009DD7D1,00000000,00000000,00000000,00000000,?,009DD7F8,00000000,00000007,00000000,?,009DDBF5,00000000,00000000), ref: 009D29F0
            • GetTimeZoneInformation.KERNEL32 ref: 009DBB91
            • WideCharToMultiByte.KERNEL32(00000000,?,00A7121C,000000FF,?,0000003F,?,?), ref: 009DBC09
            • WideCharToMultiByte.KERNEL32(00000000,?,00A71270,000000FF,?,0000003F,?,?,?,00A7121C,000000FF,?,0000003F,?,?), ref: 009DBC36
            Similarity
            • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
            • String ID:
            • API String ID: 806657224-0
            • Opcode ID: 824380c304df97fcdbcd19a22746a47f48685a4cbf7ae75454930e2c6f91fb20
            • Instruction ID: 8584ba4eb17499a83ca3044a92f664bbc26798738beb550b9a43a7508f1e3b56
            • Opcode Fuzzy Hash: 824380c304df97fcdbcd19a22746a47f48685a4cbf7ae75454930e2c6f91fb20
            • Instruction Fuzzy Hash: B131AD70944205EFCB10DFAC8C819A9BBF8BF55750715C6ABE054EB3A2D7309941DB90
            APIs
            • InternetReadFile.WININET(?,?,00000400,?), ref: 00A1CE89
            • GetLastError.KERNEL32(?,00000000), ref: 00A1CEEA
            • SetEvent.KERNEL32(?,?,00000000), ref: 00A1CEFE
            Similarity
            • API ID: ErrorEventFileInternetLastRead
            • String ID:
            • API String ID: 234945975-0
            • Opcode ID: 0cba2616ca3b4a5d991068c136b8fcab97542a29a61b7df28ad38526e7a5891a
            • Instruction ID: 6a614ed4269371a947a94d580419798845d149872f8a01e0c413ceddeb3a47c1
            • Opcode Fuzzy Hash: 0cba2616ca3b4a5d991068c136b8fcab97542a29a61b7df28ad38526e7a5891a
            • Instruction Fuzzy Hash: 2121BAB1940305ABEB20DFA5CD48BA7B7F8EB40364F10442EE546A2191E774EE858BA4
            APIs
            • lstrlenW.KERNEL32(?,?,?,00000000), ref: 00A082AA
            Strings
            Similarity
            • API ID: lstrlen
            • String ID: ($|
            • API String ID: 1659193697-1631851259
            • Opcode ID: 4a901e294907a3143f2a951acf3900565297cc35b48efb6c128a1d9734bbf7b8
            • Instruction ID: 3e381d33d1fa40295c340a064c8a7fa32d4c469cdcf6ca318a6b6d8f9a4d97e1
            • Opcode Fuzzy Hash: 4a901e294907a3143f2a951acf3900565297cc35b48efb6c128a1d9734bbf7b8
            • Instruction Fuzzy Hash: B1323675A007059FCB28CF29D481AAAB7F0FF48710B15C56EE49ADB3A1EB74E941CB44
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 00A15CC1
            • FindNextFileW.KERNEL32(00000000,?), ref: 00A15D17
            • FindClose.KERNEL32(?), ref: 00A15D5F
            Similarity
            • API ID: Find$File$CloseFirstNext
            • String ID:
            • API String ID: 3541575487-0
            • Opcode ID: 0617fb6e00ddf780f626c1e86828d0ffbc41b8c872ae2f46c43be4e902795a98
            • Instruction ID: d97af6cbbe38e2781ceb2a02ec6bf43ab031b6436c275ea4d8ceb75f3215ec98
            • Opcode Fuzzy Hash: 0617fb6e00ddf780f626c1e86828d0ffbc41b8c872ae2f46c43be4e902795a98
            • Instruction Fuzzy Hash: CB51AA74A04A01DFC714DF28D894E96B7E4FF8A324F14855DE95A8B3A1DB30EC44CB91
            APIs
            • IsDebuggerPresent.KERNEL32 ref: 009D271A
            • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 009D2724
            • UnhandledExceptionFilter.KERNEL32(?), ref: 009D2731
            Similarity
            • API ID: ExceptionFilterUnhandled$DebuggerPresent
            • String ID:
            • API String ID: 3906539128-0
            • Opcode ID: 7c4022414215571501e1be5ed9dfc06021201108777eb1a101290d18135197a2
            • Instruction ID: 053b98b6c3f70eb9fde3ceabf805967b5cd1dede840f8d070476b0886706e2ef
            • Opcode Fuzzy Hash: 7c4022414215571501e1be5ed9dfc06021201108777eb1a101290d18135197a2
            • Instruction Fuzzy Hash: 5131F57094121CABCB21DF64DC88BDCBBB8AF48310F5041EAE81CA7261E7349F818F45
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00A151DA
            • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 00A15238
            • SetErrorMode.KERNEL32(00000000), ref: 00A152A1
            Similarity
            • API ID: ErrorMode$DiskFreeSpace
            • String ID:
            • API String ID: 1682464887-0
            • Opcode ID: 784c40b96facff827d5ae398d4ba9394c753600ee79c8fb0b3d3626f4bab7b0d
            • Instruction ID: efa15d4c4194ad83e83e8cc00757dacb923848c9174bbdeee11a1d41ca0c33dd
            • Opcode Fuzzy Hash: 784c40b96facff827d5ae398d4ba9394c753600ee79c8fb0b3d3626f4bab7b0d
            • Instruction Fuzzy Hash: AE312975A00518DFDB00DFA4D884EEDBBB5FF49314F088099E805AB3A2DB35E856CB90
            APIs
              • Part of subcall function 009BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 009C0668
              • Part of subcall function 009BFDDB: __CxxThrowException@8.LIBVCRUNTIME ref: 009C0685
            • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00A0170D
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00A0173A
            • GetLastError.KERNEL32 ref: 00A0174A
            Similarity
            • API ID: Exception@8Throw$AdjustErrorLastLookupPrivilegePrivilegesTokenValue
            • String ID:
            • API String ID: 577356006-0
            • Opcode ID: 09351c395776cfd6e383d34000b6fe9c947b5f0ea7a39e75bed5b40b62ceab58
            • Instruction ID: 990d4f4beb90e4dcacf52938e545757f1495fb88ce175dbfcca614e3f64ed1dd
            • Opcode Fuzzy Hash: 09351c395776cfd6e383d34000b6fe9c947b5f0ea7a39e75bed5b40b62ceab58
            • Instruction Fuzzy Hash: 471191B2504308AFD718DF54ED86EAAB7B9EB44724B20852EF05657681EB70FC418B60
            APIs
            • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A0D608
            • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00A0D645
            • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00A0D650
            Similarity
            • API ID: CloseControlCreateDeviceFileHandle
            • String ID:
            • API String ID: 33631002-0
            • Opcode ID: 1aba454cb4b8a5bb6b898a03a20a452fc2e5264069d1ac5abf16dedede7f283b
            • Instruction ID: 0ad8b11741520c3af70d218f9b26003ba8276a8d2536c799b3e51333396f6d3b
            • Opcode Fuzzy Hash: 1aba454cb4b8a5bb6b898a03a20a452fc2e5264069d1ac5abf16dedede7f283b
            • Instruction Fuzzy Hash: 8E113C76E05228BBDB108FD5AC45FAFBBBCEB45B60F108115F904E7290D6704A058BA1
            APIs
            • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00A0168C
            • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00A016A1
            • FreeSid.ADVAPI32(?), ref: 00A016B1
            Similarity
            • API ID: AllocateCheckFreeInitializeMembershipToken
            • String ID:
            • API String ID: 3429775523-0
            • Opcode ID: 68b9d3083409c0f96ad7e02c7af9bd78994d7fd9aed22485748d66640c5499c4
            • Instruction ID: 3b8a1a6e53f1950157a4a730411488f7b80b1ac89f9f9263c7891368192bc28d
            • Opcode Fuzzy Hash: 68b9d3083409c0f96ad7e02c7af9bd78994d7fd9aed22485748d66640c5499c4
            • Instruction Fuzzy Hash: CEF0F47195030DFBDB00DFE49D89AAEBBBCEB08714F504565E501E2181E774AA448B50
            APIs
            • GetCurrentProcess.KERNEL32(009D28E9,?,009C4CBE,009D28E9,00A688B8,0000000C,009C4E15,009D28E9,00000002,00000000,?,009D28E9), ref: 009C4D09
            • TerminateProcess.KERNEL32(00000000,?,009C4CBE,009D28E9,00A688B8,0000000C,009C4E15,009D28E9,00000002,00000000,?,009D28E9), ref: 009C4D10
            • ExitProcess.KERNEL32 ref: 009C4D22
            Similarity
            • API ID: Process$CurrentExitTerminate
            • String ID:
            • API String ID: 1703294689-0
            • Opcode ID: f6563768f49ea9d41b7744f1edd115b52c05a6bb726b38d86f8699a3fc148c61
            • Instruction ID: d7571cdfb447ad270d7a7c2855d904c8b2de453bb3480310984f80a65afa4c59
            • Opcode Fuzzy Hash: f6563768f49ea9d41b7744f1edd115b52c05a6bb726b38d86f8699a3fc148c61
            • Instruction Fuzzy Hash: CDE0B631500148ABCF11BFA4DE1AF987B69EB817A1B108418FC0A9A262CB35ED52DB81
            APIs
            • GetUserNameW.ADVAPI32(?,?), ref: 009FD28C
            Strings
            Similarity
            • API ID: NameUser
            • String ID: X64
            • API String ID: 2645101109-893830106
            • Opcode ID: f5f988d883b73c5ec084b926cb5cb27cdcfaffbe87b366c894d1ef029e257814
            • Instruction ID: 302d3e8bce339a8cbda9b54a651f02c781d17a174ee9a53e26a104e0c8bfea9e
            • Opcode Fuzzy Hash: f5f988d883b73c5ec084b926cb5cb27cdcfaffbe87b366c894d1ef029e257814
            • Instruction Fuzzy Hash: C6D0C9B480212DEACB94DB90DC88DD9B37CBB04325F100551F106B2000D73495498F10
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
            • Instruction ID: b5c6f6186e097b494e0b00dd9ad242803e1a173a276c891d0f0e06b5d3461562
            • Opcode Fuzzy Hash: 2fbdbeface8d474e65e3d830227d731b015bc4fe83c76ff0107a9da6199ccf29
            • Instruction Fuzzy Hash: 66021CB1E002199BDF14CFA9C880BADBBF5EF88314F25456DD819E7380D731AE418B95
            APIs
            • FindFirstFileW.KERNEL32(?,?), ref: 00A16918
            • FindClose.KERNEL32(00000000), ref: 00A16961
            Similarity
            • API ID: Find$CloseFileFirst
            • String ID:
            • API String ID: 2295610775-0
            • Opcode ID: 50708f3753a27822670c245836b646e6ce359edf63f810050cc36c8c22c54e22
            • Instruction ID: d08acd712b0336f343776fc7c97d800d7a300b234da2eda47431e3c5db0e02f5
            • Opcode Fuzzy Hash: 50708f3753a27822670c245836b646e6ce359edf63f810050cc36c8c22c54e22
            • Instruction Fuzzy Hash: 88118E716042109FC710DF69D885A56BBE5EF85328F14C699F8698F2A2C730EC45CBD1
            APIs
            • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,?,00A24891,?,?,00000035,?), ref: 00A137E4
            • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,?,00000FFF,00000000,?,?,?,00A24891,?,?,00000035,?), ref: 00A137F4
            Similarity
            • API ID: ErrorFormatLastMessage
            • String ID:
            • API String ID: 3479602957-0
            • Opcode ID: c50c0a5a651b0475dbf00d099ee1610aaf5bf5c1540fd199f7d486dbb8a2b72e
            • Instruction ID: d079a6a7022c7dd074ca72070626d4aa4ccb84960dbe4a5e99a9529657562cf3
            • Opcode Fuzzy Hash: c50c0a5a651b0475dbf00d099ee1610aaf5bf5c1540fd199f7d486dbb8a2b72e
            • Instruction Fuzzy Hash: D1F0E5B16043282AEB20A7A68C4DFEB7AAEEFC5771F000175F509E22C1DA609D44C7F0
            APIs
            • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00A0B25D
            • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00A0B270
            Similarity
            • API ID: InputSendkeybd_event
            • String ID:
            • API String ID: 3536248340-0
            • Opcode ID: 4e114266e5ad10ae8a5ba954ad567174babcefd9822eef2c1d6255754a07fd50
            • Instruction ID: df3761734c60ba6a9177c7de0c5a948f39ad9a08912d71d35d39ea1f1bf57f95
            • Opcode Fuzzy Hash: 4e114266e5ad10ae8a5ba954ad567174babcefd9822eef2c1d6255754a07fd50
            • Instruction Fuzzy Hash: A9F01D7185424DABDB05DFA0DC05BEE7BB4FF08315F00800AF955A5191C37986119FA4
            APIs
            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00A011FC), ref: 00A010D4
            • CloseHandle.KERNEL32(?,?,00A011FC), ref: 00A010E9
            Similarity
            • API ID: AdjustCloseHandlePrivilegesToken
            • String ID:
            • API String ID: 81990902-0
            • Opcode ID: 824e2fd702058a2339971da277849672d8d2350c1f828449ebf3d3856115de58
            • Instruction ID: ea48c13a0ea0cdbcbf3034c2e552d876c05c41d21e412abcd878948f3e59e133
            • Opcode Fuzzy Hash: 824e2fd702058a2339971da277849672d8d2350c1f828449ebf3d3856115de58
            • Instruction Fuzzy Hash: C1E04F32004600AEE7252B51FD05FB377E9EB04320F10882DF4A5804B1DB62ACA0DB10
            Strings
            • Variable is not of type 'Object'., xrefs: 009F0C40
            Similarity
            • API ID:
            • String ID: Variable is not of type 'Object'.
            • API String ID: 0-1840281001
            • Opcode ID: 371cd047508a613022f3e011baf53a6f6497ccb430dd97da026d899ebbaa6abe
            • Instruction ID: 50066d96f364867249af2f58549999d90e64b78a6b44d6c3c8ac1f6ac4ca3f7b
            • Opcode Fuzzy Hash: 371cd047508a613022f3e011baf53a6f6497ccb430dd97da026d899ebbaa6abe
            • Instruction Fuzzy Hash: A5326AB0900218DFCF14DF94C985BEDB7B9BF86318F248459E906AF292D735AD45CBA0
            APIs
            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,009D6766,?,?,00000008,?,?,009DFEFE,00000000), ref: 009D6998
            Similarity
            • API ID: ExceptionRaise
            • String ID:
            • API String ID: 3997070919-0
            • Opcode ID: e5445e6277fa9926067ba9598e2558cc684087368c27a30f23054de9b2757719
            • Instruction ID: 19a6281461b583783f89cca6cfd6e9e614dc6137faff2b5e1ec5dcc6188b4346
            • Opcode Fuzzy Hash: e5445e6277fa9926067ba9598e2558cc684087368c27a30f23054de9b2757719
            • Instruction Fuzzy Hash: 9AB128316506099FD719CF28C48AB657BA0FF45364F29C65AE8D9CF3A2C339E991CB40
            Strings
            Similarity
            • API ID:
            • String ID:
            • API String ID: 0-3916222277
            • Opcode ID: 85120841eb21ba4af2b407a7766e7849edf8de168080a56a1a651014bb78b655
            • Instruction ID: f639fa57e503205eb3f6082718789a415e5b059e15c30c53b09c195b43b5c66f
            • Opcode Fuzzy Hash: 85120841eb21ba4af2b407a7766e7849edf8de168080a56a1a651014bb78b655
            • Instruction Fuzzy Hash: 8A126E759002299FCB64CF58C9807FEB7F5FF48710F14819AE949EB291EB749A81CB90
            APIs
            • BlockInput.USER32(00000001), ref: 00A1EABD
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            Similarity
            • API ID: BlockInput
            • String ID:
            APIs
            • SetUnhandledExceptionFilter.KERNEL32(Function_000209E1,009C03EE), ref: 009C09DA
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            Similarity
            • API ID: ExceptionFilterUnhandled
            • String ID:
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            Similarity
            • API ID:
            • String ID: 0
            APIs
            • DeleteObject.GDI32(00000000), ref: 00A22B30
            • DeleteObject.GDI32(00000000), ref: 00A22B43
            • DestroyWindow.USER32 ref: 00A22B52
            • GetDesktopWindow.USER32 ref: 00A22B6D
            • GetWindowRect.USER32(00000000), ref: 00A22B74
            • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00A22CA3
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00A22CB1
            • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A22CF8
            • GetClientRect.USER32(00000000,?), ref: 00A22D04
            • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00A22D40
            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A22D62
            • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A22D75
            • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A22D80
            • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A22D89
            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A22D98
            • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A22DA1
            • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A22DA8
            • GlobalFree.KERNEL32(00000000), ref: 00A22DB3
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A22DC5
            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00A3FC38,00000000), ref: 00A22DDB
            • GlobalFree.KERNEL32(00000000), ref: 00A22DEB
            • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00A22E11
            • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00A22E30
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A22E52
            • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00A2303F
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            Similarity
            • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
            • String ID: $AutoIt v3$DISPLAY$static
            APIs
            • SetTextColor.GDI32(?,00000000), ref: 00A3712F
            • GetSysColorBrush.USER32(0000000F), ref: 00A37160
            • GetSysColor.USER32(0000000F), ref: 00A3716C
            • SetBkColor.GDI32(?,000000FF), ref: 00A37186
            • SelectObject.GDI32(?,?), ref: 00A37195
            • InflateRect.USER32(?,000000FF,000000FF), ref: 00A371C0
            • GetSysColor.USER32(00000010), ref: 00A371C8
            • CreateSolidBrush.GDI32(00000000), ref: 00A371CF
            • FrameRect.USER32(?,?,00000000), ref: 00A371DE
            • DeleteObject.GDI32(00000000), ref: 00A371E5
            • InflateRect.USER32(?,000000FE,000000FE), ref: 00A37230
            • FillRect.USER32(?,?,?), ref: 00A37262
            • GetWindowLongW.USER32(?,000000F0), ref: 00A37284
              • Part of subcall function 00A373E8: GetSysColor.USER32(00000012), ref: 00A37421
              • Part of subcall function 00A373E8: SetTextColor.GDI32(?,?), ref: 00A37425
              • Part of subcall function 00A373E8: GetSysColorBrush.USER32(0000000F), ref: 00A3743B
              • Part of subcall function 00A373E8: GetSysColor.USER32(0000000F), ref: 00A37446
              • Part of subcall function 00A373E8: GetSysColor.USER32(00000011), ref: 00A37463
              • Part of subcall function 00A373E8: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A37471
              • Part of subcall function 00A373E8: SelectObject.GDI32(?,00000000), ref: 00A37482
              • Part of subcall function 00A373E8: SetBkColor.GDI32(?,00000000), ref: 00A3748B
              • Part of subcall function 00A373E8: SelectObject.GDI32(?,?), ref: 00A37498
              • Part of subcall function 00A373E8: InflateRect.USER32(?,000000FF,000000FF), ref: 00A374B7
              • Part of subcall function 00A373E8: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A374CE
              • Part of subcall function 00A373E8: GetWindowLongW.USER32(00000000,000000F0), ref: 00A374DB
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            Similarity
            • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
            • String ID:
            APIs
            • DestroyWindow.USER32(?,?), ref: 009B8E14
            • SendMessageW.USER32(?,00001308,?,00000000), ref: 009F6AC5
            • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 009F6AFE
            • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 009F6F43
              • Part of subcall function 009B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,009B8BE8,?,00000000,?,?,?,?,009B8BBA,00000000,?), ref: 009B8FC5
            • SendMessageW.USER32(?,00001053), ref: 009F6F7F
            • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 009F6F96
            • ImageList_Destroy.COMCTL32(00000000,?), ref: 009F6FAC
            • ImageList_Destroy.COMCTL32(00000000,?), ref: 009F6FB7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            Similarity
            • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
            • String ID: 0
            APIs
            • DestroyWindow.USER32(00000000), ref: 00A2273E
            • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00A2286A
            • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00A228A9
            • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00A228B9
            • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00A22900
            • GetClientRect.USER32(00000000,?), ref: 00A2290C
            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00A22955
            • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00A22964
            • GetStockObject.GDI32(00000011), ref: 00A22974
            • SelectObject.GDI32(00000000,00000000), ref: 00A22978
            • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00A22988
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A22991
            • DeleteDC.GDI32(00000000), ref: 00A2299A
            • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00A229C6
            • SendMessageW.USER32(00000030,00000000,00000001), ref: 00A229DD
            • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00A22A1D
            • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00A22A31
            • SendMessageW.USER32(00000404,00000001,00000000), ref: 00A22A42
            • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00A22A77
            • GetStockObject.GDI32(00000011), ref: 00A22A82
            • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00A22A8D
            • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00A22A97
            Similarity
            • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
            • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
            • API String ID: 2910397461-517079104
            • Opcode ID: 725de93e29c5cd4e9d539dc1fe3e699e6fa5da0777fd6ca0cf6f69419c6b206a
            • Instruction ID: 43cd24659539f723a907a06863d3ca90495e54564210b7c5f9c81ade36cca6cf
            • Opcode Fuzzy Hash: 725de93e29c5cd4e9d539dc1fe3e699e6fa5da0777fd6ca0cf6f69419c6b206a
            • Instruction Fuzzy Hash: 9FB15B71A40215BFEB14DFA8DC8AFAE7BA9EB49710F008114F915EB291D774ED41CBA0
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00A14AED
            • GetDriveTypeW.KERNEL32(?,00A3CB68,?,\\.\,00A3CC08), ref: 00A14BCA
            • SetErrorMode.KERNEL32(00000000,00A3CB68,?,\\.\,00A3CC08), ref: 00A14D36
            Similarity
            • API ID: ErrorMode$DriveType
            • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
            • API String ID: 2907320926-4222207086
            • Opcode ID: a888bbde36d938feb293e7f620b8391f9d73610081084c9faa833b3ad66e21e7
            • Instruction ID: 559431475b3ed5fe4343c55af9714d38365cc03215e0ea245ed90d2e0e2f28a9
            • Opcode Fuzzy Hash: a888bbde36d938feb293e7f620b8391f9d73610081084c9faa833b3ad66e21e7
            • Instruction Fuzzy Hash: 9E617F30705505EBCB04DF6CCA82DE9B7B1BB8E744B248415F806AB691DB36ED81DBC1
            APIs
            • GetSysColor.USER32(00000012), ref: 00A37421
            • SetTextColor.GDI32(?,?), ref: 00A37425
            • GetSysColorBrush.USER32(0000000F), ref: 00A3743B
            • GetSysColor.USER32(0000000F), ref: 00A37446
            • CreateSolidBrush.GDI32(?), ref: 00A3744B
            • GetSysColor.USER32(00000011), ref: 00A37463
            • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00A37471
            • SelectObject.GDI32(?,00000000), ref: 00A37482
            • SetBkColor.GDI32(?,00000000), ref: 00A3748B
            • SelectObject.GDI32(?,?), ref: 00A37498
            • InflateRect.USER32(?,000000FF,000000FF), ref: 00A374B7
            • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00A374CE
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00A374DB
            • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00A3752A
            • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00A37554
            • InflateRect.USER32(?,000000FD,000000FD), ref: 00A37572
            • DrawFocusRect.USER32(?,?), ref: 00A3757D
            • GetSysColor.USER32(00000011), ref: 00A3758E
            • SetTextColor.GDI32(?,00000000), ref: 00A37596
            • DrawTextW.USER32(?,00A370F5,000000FF,?,00000000), ref: 00A375A8
            • SelectObject.GDI32(?,?), ref: 00A375BF
            • DeleteObject.GDI32(?), ref: 00A375CA
            • SelectObject.GDI32(?,?), ref: 00A375D0
            • DeleteObject.GDI32(?), ref: 00A375D5
            • SetTextColor.GDI32(?,?), ref: 00A375DB
            • SetBkColor.GDI32(?,?), ref: 00A375E5
            Similarity
            • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
            • String ID:
            • API String ID: 1996641542-0
            • Opcode ID: 7384482e8bec9392f03c7da3a51916a6cd4fdabe880c7d71d9455b7937732d46
            • Instruction ID: f45aade9f90a4006614004b925ad73e0aadd9eab23afb60c9fec3851c7ccaaf9
            • Opcode Fuzzy Hash: 7384482e8bec9392f03c7da3a51916a6cd4fdabe880c7d71d9455b7937732d46
            • Instruction Fuzzy Hash: BC615972900218AFDF11DFA4EC49EAEBFB9EB08330F114215F915BB2A1D775A941DB90
            APIs
            • GetCursorPos.USER32(?), ref: 00A31128
            • GetDesktopWindow.USER32 ref: 00A3113D
            • GetWindowRect.USER32(00000000), ref: 00A31144
            • GetWindowLongW.USER32(?,000000F0), ref: 00A31199
            • DestroyWindow.USER32(?), ref: 00A311B9
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00A311ED
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A3120B
            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A3121D
            • SendMessageW.USER32(00000000,00000421,?,?), ref: 00A31232
            • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00A31245
            • IsWindowVisible.USER32(00000000), ref: 00A312A1
            • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00A312BC
            • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00A312D0
            • GetWindowRect.USER32(00000000,?), ref: 00A312E8
            • MonitorFromPoint.USER32(?,?,00000002), ref: 00A3130E
            • GetMonitorInfoW.USER32(00000000,?), ref: 00A31328
            • CopyRect.USER32(?,?), ref: 00A3133F
            • SendMessageW.USER32(00000000,00000412,00000000), ref: 00A313AA
            Similarity
            • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
            • String ID: ($0$tooltips_class32
            • API String ID: 698492251-4156429822
            • Opcode ID: 5be07c46b937f60260521cd895cac42e2217eaa484f45dca766418165ab1514a
            • Instruction ID: 9e9294daa584b1bf34e5adcdbcc52140961b3b272f2d9082c11299e9005f6a3d
            • Opcode Fuzzy Hash: 5be07c46b937f60260521cd895cac42e2217eaa484f45dca766418165ab1514a
            • Instruction Fuzzy Hash: 4EB18B71608341AFD744DF64CC85BAABBE4FF85350F00891CF999AB2A1C731E845CB91
            APIs
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009B8968
            • GetSystemMetrics.USER32(00000007), ref: 009B8970
            • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 009B899B
            • GetSystemMetrics.USER32(00000008), ref: 009B89A3
            • GetSystemMetrics.USER32(00000004), ref: 009B89C8
            • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 009B89E5
            • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 009B89F5
            • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 009B8A28
            • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 009B8A3C
            • GetClientRect.USER32(00000000,000000FF), ref: 009B8A5A
            • GetStockObject.GDI32(00000011), ref: 009B8A76
            • SendMessageW.USER32(00000000,00000030,00000000), ref: 009B8A81
              • Part of subcall function 009B912D: GetCursorPos.USER32(?), ref: 009B9141
              • Part of subcall function 009B912D: ScreenToClient.USER32(00000000,?), ref: 009B915E
              • Part of subcall function 009B912D: GetAsyncKeyState.USER32(00000001), ref: 009B9183
              • Part of subcall function 009B912D: GetAsyncKeyState.USER32(00000002), ref: 009B919D
            • SetTimer.USER32(00000000,00000000,00000028,009B90FC), ref: 009B8AA8
            Similarity
            • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
            • String ID: AutoIt v3 GUI
            • API String ID: 1458621304-248962490
            • Opcode ID: ac194b46fe1b0d2ff64fba863db1c0bb09bafd76d4c6664c68b78fde74220e7f
            • Instruction ID: 08df6c3787cef1ed08807060f941d8ddee1571416084a76f3f90f00fd0da21fc
            • Opcode Fuzzy Hash: ac194b46fe1b0d2ff64fba863db1c0bb09bafd76d4c6664c68b78fde74220e7f
            • Instruction Fuzzy Hash: D0B15D75A00209AFDF14DFA8DD45BEE7BB9FB48324F108229FA15A7290DB74A841CB51
            APIs
              • Part of subcall function 00A010F9: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A01114
              • Part of subcall function 00A010F9: GetLastError.KERNEL32(?,00000000,00000000,?,?,00A00B9B,?,?,?), ref: 00A01120
              • Part of subcall function 00A010F9: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A00B9B,?,?,?), ref: 00A0112F
              • Part of subcall function 00A010F9: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A00B9B,?,?,?), ref: 00A01136
              • Part of subcall function 00A010F9: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A0114D
            • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00A00DF5
            • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00A00E29
            • GetLengthSid.ADVAPI32(?), ref: 00A00E40
            • GetAce.ADVAPI32(?,00000000,?), ref: 00A00E7A
            • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00A00E96
            • GetLengthSid.ADVAPI32(?), ref: 00A00EAD
            • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00A00EB5
            • HeapAlloc.KERNEL32(00000000), ref: 00A00EBC
            • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00A00EDD
            • CopySid.ADVAPI32(00000000), ref: 00A00EE4
            • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00A00F13
            • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00A00F35
            • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00A00F47
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A00F6E
            • HeapFree.KERNEL32(00000000), ref: 00A00F75
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A00F7E
            • HeapFree.KERNEL32(00000000), ref: 00A00F85
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A00F8E
            • HeapFree.KERNEL32(00000000), ref: 00A00F95
            • GetProcessHeap.KERNEL32(00000000,?), ref: 00A00FA1
            • HeapFree.KERNEL32(00000000), ref: 00A00FA8
              • Part of subcall function 00A01193: GetProcessHeap.KERNEL32(00000008,00A00BB1,?,00000000,?,00A00BB1,?), ref: 00A011A1
              • Part of subcall function 00A01193: HeapAlloc.KERNEL32(00000000,?,00000000,?,00A00BB1,?), ref: 00A011A8
              • Part of subcall function 00A01193: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00A00BB1,?), ref: 00A011B7
            Similarity
            • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
            • String ID:
            • API String ID: 4175595110-0
            • Opcode ID: 5d64c6741ff67626d429bd36b2b63231fce5d8cbd2550251a86061ae4a3372f9
            • Instruction ID: bb6bdc94084b6de3ff058a9ee20499e73470f02e57fcdc5711738ef2e142bdbe
            • Opcode Fuzzy Hash: 5d64c6741ff67626d429bd36b2b63231fce5d8cbd2550251a86061ae4a3372f9
            • Instruction Fuzzy Hash: 91716A7290021AABDF20DFA4ED49FEEBBB8BF05311F044215FA59F6191D7319A06DB60
            APIs
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A2C4BD
            • RegCreateKeyExW.ADVAPI32(?,?,00000000,00A3CC08,00000000,?,00000000,?,?), ref: 00A2C544
            • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00A2C5A4
            • _wcslen.LIBCMT ref: 00A2C5F4
            • _wcslen.LIBCMT ref: 00A2C66F
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00A2C6B2
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00A2C7C1
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00A2C84D
            • RegCloseKey.ADVAPI32(?), ref: 00A2C881
            • RegCloseKey.ADVAPI32(00000000), ref: 00A2C88E
            • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00A2C960
            Similarity
            • API ID: Value$Close$_wcslen$ConnectCreateRegistry
            • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
            • API String ID: 9721498-966354055
            • Opcode ID: 539912497253f65a29269634539feba0a2d5b2d4a773a614785cb4d5a827f8fc
            • Instruction ID: a53df75d7c518be44b53ec3dc87f971b7a01ead6b29ac0db78948c0d40a55d20
            • Opcode Fuzzy Hash: 539912497253f65a29269634539feba0a2d5b2d4a773a614785cb4d5a827f8fc
            • Instruction Fuzzy Hash: 851238356042119FDB14EF18D891B2EB7E5EF89724F14886CF84A9B3A2DB31ED41CB81
            APIs
            • CharUpperBuffW.USER32(?,?), ref: 00A309C6
            • _wcslen.LIBCMT ref: 00A30A01
            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A30A54
            • _wcslen.LIBCMT ref: 00A30A8A
            • _wcslen.LIBCMT ref: 00A30B06
            • _wcslen.LIBCMT ref: 00A30B81
              • Part of subcall function 009BF9F2: _wcslen.LIBCMT ref: 009BF9FD
              • Part of subcall function 00A02BE8: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00A02BFA
            Similarity
            • API ID: _wcslen$MessageSend$BuffCharUpper
            • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
            • API String ID: 1103490817-4258414348
            • Opcode ID: b4df34d32c52f9dee9bf067d2142fd405462b16695d938dbcf4399d7e62fa7db
            • Instruction ID: 8ca7d4fa3c17c0d2b0c47f66a72daf0d0e49aea6e66f3a5afa9cb4f3f594e910
            • Opcode Fuzzy Hash: b4df34d32c52f9dee9bf067d2142fd405462b16695d938dbcf4399d7e62fa7db
            • Instruction Fuzzy Hash: E5E188316083019FCB14EF24C461E2AB7E1BF99758F14895CF8969B3A2D731ED45CB81
            Similarity
            • API ID: _wcslen$BuffCharUpper
            • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
            • API String ID: 1256254125-909552448
            • Opcode ID: 644efa0f95818e5523ad3196e9c27b534e60ad96039a8f45dbce817debfa2667
            • Instruction ID: 74041d39c8c66701150a615541d20edfe976d3612887e8d0a8067a5be5596744
            • Opcode Fuzzy Hash: 644efa0f95818e5523ad3196e9c27b534e60ad96039a8f45dbce817debfa2667
            • Instruction Fuzzy Hash: 1671E732A1053A8BCB20DF7CED516BF33A2AFA17B4B254538F8569B284E635CD45C391
            APIs
            • _wcslen.LIBCMT ref: 00A3835A
            • _wcslen.LIBCMT ref: 00A3836E
            • _wcslen.LIBCMT ref: 00A38391
            • _wcslen.LIBCMT ref: 00A383B4
            • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00A383F2
            • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00A3361A,?), ref: 00A3844E
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A38487
            • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00A384CA
            • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00A38501
            • FreeLibrary.KERNEL32(?), ref: 00A3850D
            • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00A3851D
            • DestroyIcon.USER32(?), ref: 00A3852C
            • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00A38549
            • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00A38555
            Similarity
            • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
            • String ID: .dll$.exe$.icl
            • API String ID: 799131459-1154884017
            • Opcode ID: 718276cc7310d3b698a31cb67112638f6093a4de7f0ec27cbdbb0142dfea58ec
            • Instruction ID: d6241f9758dade57683646daea973cda5118cb454f58594dfb67fab300037014
            • Opcode Fuzzy Hash: 718276cc7310d3b698a31cb67112638f6093a4de7f0ec27cbdbb0142dfea58ec
            • Instruction Fuzzy Hash: 8B61C171A40315BEEB14DF64DC45FBE77A8BB48B21F104609F815EA1D1DB78A981C7A0
            Similarity
            • API ID:
            • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
            • API String ID: 0-1645009161
            • Opcode ID: 1a16f84a92aa243025253116618a221e0c211e6a2afa802075c6c008303450db
            • Instruction ID: 5029ec720a341d7d5b728bbda0cbd699ffcd26501053f5f45e101aaeb70a6164
            • Opcode Fuzzy Hash: 1a16f84a92aa243025253116618a221e0c211e6a2afa802075c6c008303450db
            • Instruction Fuzzy Hash: 3881CD71A04205BBDB21BFA4DC43FABB7A8AF96300F044424F905AB196EB74DA01D7E1
            APIs
            • LoadIconW.USER32(00000063), ref: 00A05A2E
            • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00A05A40
            • SetWindowTextW.USER32(?,?), ref: 00A05A57
            • GetDlgItem.USER32(?,000003EA), ref: 00A05A6C
            • SetWindowTextW.USER32(00000000,?), ref: 00A05A72
            • GetDlgItem.USER32(?,000003E9), ref: 00A05A82
            • SetWindowTextW.USER32(00000000,?), ref: 00A05A88
            • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00A05AA9
            • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00A05AC3
            • GetWindowRect.USER32(?,?), ref: 00A05ACC
            • _wcslen.LIBCMT ref: 00A05B33
            • SetWindowTextW.USER32(?,?), ref: 00A05B6F
            • GetDesktopWindow.USER32 ref: 00A05B75
            • GetWindowRect.USER32(00000000), ref: 00A05B7C
            • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00A05BD3
            • GetClientRect.USER32(?,?), ref: 00A05BE0
            • PostMessageW.USER32(?,00000005,00000000,?), ref: 00A05C05
            • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00A05C2F
            Similarity
            • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
            • String ID:
            • API String ID: 895679908-0
            • Opcode ID: d5667a47468525d8ce58469373a4e25d8cf2f3b011c640d92e02a225d20b0b80
            • Instruction ID: 87d67c6e8d89e7295bf57a27317a8e1ea96352b14685591cfbc385c502e57f88
            • Opcode Fuzzy Hash: d5667a47468525d8ce58469373a4e25d8cf2f3b011c640d92e02a225d20b0b80
            • Instruction Fuzzy Hash: DB713931A00A09AFDB20DFB8DE8AAAFBBF5FF48714F104518E542A25A0D775E945CF50
            APIs
            • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 009C00C6
              • Part of subcall function 009C00ED: InitializeCriticalSectionAndSpinCount.KERNEL32(00A7070C,00000FA0,7502D6F4,?,?,?,?,009E23B3,000000FF), ref: 009C011C
              • Part of subcall function 009C00ED: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,009E23B3,000000FF), ref: 009C0127
              • Part of subcall function 009C00ED: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,009E23B3,000000FF), ref: 009C0138
              • Part of subcall function 009C00ED: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 009C014E
              • Part of subcall function 009C00ED: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 009C015C
              • Part of subcall function 009C00ED: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 009C016A
              • Part of subcall function 009C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009C0195
              • Part of subcall function 009C00ED: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 009C01A0
            • ___scrt_fastfail.LIBCMT ref: 009C00E7
              • Part of subcall function 009C00A3: __onexit.LIBCMT ref: 009C00A9
            Strings
            • WakeAllConditionVariable, xrefs: 009C0162
            • api-ms-win-core-synch-l1-2-0.dll, xrefs: 009C0122
            • kernel32.dll, xrefs: 009C0133
            • SleepConditionVariableCS, xrefs: 009C0154
            • InitializeConditionVariable, xrefs: 009C0148
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
            • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
            • API String ID: 66158676-1714406822
            • Opcode ID: 8a8c0cfd3e0f10c99c7d6fb338c52e749f4fb92f21c410d016e0304c52ea3bac
            • Instruction ID: c5a1f150d01331e04ddec4b027bd857207477625beaf7ad27ba6dc188f5bdaae
            • Opcode Fuzzy Hash: 8a8c0cfd3e0f10c99c7d6fb338c52e749f4fb92f21c410d016e0304c52ea3bac
            • Instruction Fuzzy Hash: 1621DA32E44710FFE7119BE4AC09F6977A8EB85FA5F04452DF805A3691DB749C008B51
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: _wcslen
            • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
            • API String ID: 176396367-1603158881
            • Opcode ID: a97b8ecb28113726305fd2e8a5151475ed1be4433ae849a596006ee19cbdf857
            • Instruction ID: e43ad1d38c7e22060b1e7c630f46f2dc318d24c36db524ec5ed2cd0db89b332d
            • Opcode Fuzzy Hash: a97b8ecb28113726305fd2e8a5151475ed1be4433ae849a596006ee19cbdf857
            • Instruction Fuzzy Hash: 4CE1A533E0051AAFCF149F78D891BEEBBB8BF54750F548119E456B7290DB30AE458790
            APIs
            • CharLowerBuffW.USER32(00000000,00000000,00A3CC08), ref: 00A14527
            • _wcslen.LIBCMT ref: 00A1453B
            • _wcslen.LIBCMT ref: 00A14599
            • _wcslen.LIBCMT ref: 00A145F4
            • _wcslen.LIBCMT ref: 00A1463F
            • _wcslen.LIBCMT ref: 00A146A7
              • Part of subcall function 009BF9F2: _wcslen.LIBCMT ref: 009BF9FD
            • GetDriveTypeW.KERNEL32(?,00A66BF0,00000061), ref: 00A14743
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: _wcslen$BuffCharDriveLowerType
            • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
            • API String ID: 2055661098-1000479233
            • Opcode ID: 766a069d58ebb89ee785841105db695ce084507f7ce9169315844138f75e0fbf
            • Instruction ID: fbb80558d18adca32af590a591310929a1cb57e7c56e580fb8d74ea1b7738b75
            • Opcode Fuzzy Hash: 766a069d58ebb89ee785841105db695ce084507f7ce9169315844138f75e0fbf
            • Instruction Fuzzy Hash: FFB1BD716083129FC710DF2CC890AAAB7E5AFEA764F50491DF4A6C7291D730DC85CBA2
            APIs
            • _wcslen.LIBCMT ref: 00A2B198
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A2B1B0
            • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00A2B1D4
            • _wcslen.LIBCMT ref: 00A2B200
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A2B214
            • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00A2B236
            • _wcslen.LIBCMT ref: 00A2B332
              • Part of subcall function 00A105A7: GetStdHandle.KERNEL32(000000F6), ref: 00A105C6
            • _wcslen.LIBCMT ref: 00A2B34B
            • _wcslen.LIBCMT ref: 00A2B366
            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A2B3B6
            • GetLastError.KERNEL32(00000000), ref: 00A2B407
            • CloseHandle.KERNEL32(?), ref: 00A2B439
            • CloseHandle.KERNEL32(00000000), ref: 00A2B44A
            • CloseHandle.KERNEL32(00000000), ref: 00A2B45C
            • CloseHandle.KERNEL32(00000000), ref: 00A2B46E
            • CloseHandle.KERNEL32(?), ref: 00A2B4E3
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
            • String ID:
            • API String ID: 2178637699-0
            • Opcode ID: e60d63d301feef011ef407bf23019ea2e32da9c0707a6e520ef7632223c85304
            • Instruction ID: a553e90b227645c39315c47edd951adc06b96bdc55e22de95dd04807a0a59223
            • Opcode Fuzzy Hash: e60d63d301feef011ef407bf23019ea2e32da9c0707a6e520ef7632223c85304
            • Instruction Fuzzy Hash: C8F19F31518310DFC714EF28D891B6EBBE5AF85710F14856DF8959B2A2DB31EC40CBA2
            APIs
            • GetMenuItemCount.USER32(00A71990), ref: 009E2F8D
            • GetMenuItemCount.USER32(00A71990), ref: 009E303D
            • GetCursorPos.USER32(?), ref: 009E3081
            • SetForegroundWindow.USER32(00000000), ref: 009E308A
            • TrackPopupMenuEx.USER32(00A71990,00000000,?,00000000,00000000,00000000), ref: 009E309D
            • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 009E30A9
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
            • String ID: 0
            • API String ID: 36266755-4108050209
            • Opcode ID: 579ea66ae6a2eccdca0daaf006cd54b48b23fd5efae8f485e3091eabc2d12418
            • Instruction ID: be36fdc786203eb5e15338878a74b728a8d3474330cc6614802da50408b50f09
            • Opcode Fuzzy Hash: 579ea66ae6a2eccdca0daaf006cd54b48b23fd5efae8f485e3091eabc2d12418
            • Instruction Fuzzy Hash: A9711731640255BEEB228F65CC49FAABF6CFF05324F208216F9246A1E1C7B1AD50CB90
            APIs
            • DestroyWindow.USER32(?,?), ref: 00A36DEB
              • Part of subcall function 009A6B57: _wcslen.LIBCMT ref: 009A6B6A
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00A36E5F
            • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00A36E81
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A36E94
            • DestroyWindow.USER32(?), ref: 00A36EB5
            • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,009A0000,00000000), ref: 00A36EE4
            • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00A36EFD
            • GetDesktopWindow.USER32 ref: 00A36F16
            • GetWindowRect.USER32(00000000), ref: 00A36F1D
            • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00A36F35
            • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00A36F4D
              • Part of subcall function 009B9944: GetWindowLongW.USER32(?,000000EB), ref: 009B9952
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
            • String ID: 0$tooltips_class32
            • API String ID: 2429346358-3619404913
            • Opcode ID: 082e4404919c2bb01894310325b7cb734dc54139fb4e468bcdccae2c07831d93
            • Instruction ID: 4683bd54592ecd5ec86dd3dc043a50e1f7ff01758ce67f73ba35fdce001f96ea
            • Opcode Fuzzy Hash: 082e4404919c2bb01894310325b7cb734dc54139fb4e468bcdccae2c07831d93
            • Instruction Fuzzy Hash: 74717874104240AFDB21CF58DC44FAABBF9FB89314F14881DFA9997261C774E94ACB21
            APIs
              • Part of subcall function 009B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009B9BB2
            • DragQueryPoint.SHELL32(?,?), ref: 00A39147
              • Part of subcall function 00A37674: ClientToScreen.USER32(?,?), ref: 00A3769A
              • Part of subcall function 00A37674: GetWindowRect.USER32(?,?), ref: 00A37710
              • Part of subcall function 00A37674: PtInRect.USER32(?,?,00A38B89), ref: 00A37720
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00A391B0
            • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00A391BB
            • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00A391DE
            • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00A39225
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00A3923E
            • SendMessageW.USER32(?,000000B1,?,?), ref: 00A39255
            • SendMessageW.USER32(?,000000B1,?,?), ref: 00A39277
            • DragFinish.SHELL32(?), ref: 00A3927E
            • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00A39371
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
            • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
            • API String ID: 221274066-3440237614
            • Opcode ID: 82a48639827c682d271ff0de5af43ced3a5961b25fbc7b2da16d0070ad3d1d3c
            • Instruction ID: 2a8f66402ed9f66f250678fe049c1a8f00f475e6fbe5816d4bf5a99437f5abaa
            • Opcode Fuzzy Hash: 82a48639827c682d271ff0de5af43ced3a5961b25fbc7b2da16d0070ad3d1d3c
            • Instruction Fuzzy Hash: B4612871108301AFD701DFA4DC89EAFBBE8FBC9760F00491DF595962A1DB709A49CB92
            APIs
            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A1C4B0
            • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A1C4C3
            • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A1C4D7
            • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00A1C4F0
            • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00A1C533
            • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00A1C549
            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A1C554
            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A1C584
            • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00A1C5DC
            • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00A1C5F0
            • InternetCloseHandle.WININET(00000000), ref: 00A1C5FB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
            • String ID:
            • API String ID: 3800310941-3916222277
            • Opcode ID: 6c3722ea59885ed8b018a5397f488842996aca929c30548c20f99c709f5dac00
            • Instruction ID: 4787bdf0654d4940ff3daec11707b98aafc7d2587a1478de5d5a643e9bcdc9b4
            • Opcode Fuzzy Hash: 6c3722ea59885ed8b018a5397f488842996aca929c30548c20f99c709f5dac00
            • Instruction Fuzzy Hash: 145139B5580308BFDB21DFA4CD88ABB7BBDFB08764F004419F946A6250DB34E9859B60
            APIs
            • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 00A38592
            • GetFileSize.KERNEL32(00000000,00000000), ref: 00A385A2
            • GlobalAlloc.KERNEL32(00000002,00000000), ref: 00A385AD
            • CloseHandle.KERNEL32(00000000), ref: 00A385BA
            • GlobalLock.KERNEL32(00000000), ref: 00A385C8
            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00A385D7
            • GlobalUnlock.KERNEL32(00000000), ref: 00A385E0
            • CloseHandle.KERNEL32(00000000), ref: 00A385E7
            • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 00A385F8
            • OleLoadPicture.OLEAUT32(?,00000000,00000000,00A3FC38,?), ref: 00A38611
            • GlobalFree.KERNEL32(00000000), ref: 00A38621
            • GetObjectW.GDI32(?,00000018,000000FF), ref: 00A38641
            • CopyImage.USER32(?,00000000,00000000,?,00002000), ref: 00A38671
            • DeleteObject.GDI32(00000000), ref: 00A38699
            • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00A386AF
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
            • String ID:
            • API String ID: 3840717409-0
            • Opcode ID: 892485ab1e69d8fe445b4818b2317b71bcd3fa105b996f41b0f237e9ca8cd39a
            • Instruction ID: 96fb0a8a0292b952b4d625d9cb6ad5efcd53e80fcc07b4cf718c8f531e455caf
            • Opcode Fuzzy Hash: 892485ab1e69d8fe445b4818b2317b71bcd3fa105b996f41b0f237e9ca8cd39a
            • Instruction Fuzzy Hash: 8E41F975600204AFDB11DFA5DC89EABBBBCFF89721F108159F905EB260DB349902DB60
            APIs
            • VariantInit.OLEAUT32(00000000), ref: 00A11502
            • VariantCopy.OLEAUT32(?,?), ref: 00A1150B
            • VariantClear.OLEAUT32(?), ref: 00A11517
            • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00A115FB
            • VarR8FromDec.OLEAUT32(?,?), ref: 00A11657
            • VariantInit.OLEAUT32(?), ref: 00A11708
            • SysFreeString.OLEAUT32(?), ref: 00A1178C
            • VariantClear.OLEAUT32(?), ref: 00A117D8
            • VariantClear.OLEAUT32(?), ref: 00A117E7
            • VariantInit.OLEAUT32(00000000), ref: 00A11823
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
            • String ID: %4d%02d%02d%02d%02d%02d$Default
            • API String ID: 1234038744-3931177956
            • Opcode ID: 155acab5791f11be65d30dd03b2edc8d10ad9751e3c1dcfc6335019110947c59
            • Instruction ID: 3a4b04f77d49f25abf83e86ab4e3d05f842ac84729800a44dc54ec277ac89096
            • Opcode Fuzzy Hash: 155acab5791f11be65d30dd03b2edc8d10ad9751e3c1dcfc6335019110947c59
            • Instruction Fuzzy Hash: 5CD1F031A00515EBDB10DFA5D885BFDB7B6BF85720F108156F646AB280DB30ED81DBA2
            APIs
              • Part of subcall function 009A9CB3: _wcslen.LIBCMT ref: 009A9CBD
              • Part of subcall function 00A2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A2B6AE,?,?), ref: 00A2C9B5
              • Part of subcall function 00A2C998: _wcslen.LIBCMT ref: 00A2C9F1
              • Part of subcall function 00A2C998: _wcslen.LIBCMT ref: 00A2CA68
              • Part of subcall function 00A2C998: _wcslen.LIBCMT ref: 00A2CA9E
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A2B6F4
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A2B772
            • RegDeleteValueW.ADVAPI32(?,?), ref: 00A2B80A
            • RegCloseKey.ADVAPI32(?), ref: 00A2B87E
            • RegCloseKey.ADVAPI32(?), ref: 00A2B89C
            • LoadLibraryA.KERNEL32(advapi32.dll), ref: 00A2B8F2
            • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A2B904
            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00A2B922
            • FreeLibrary.KERNEL32(00000000), ref: 00A2B983
            • RegCloseKey.ADVAPI32(00000000), ref: 00A2B994
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: _wcslen$Close$DeleteLibrary$AddressBuffCharConnectFreeLoadOpenProcRegistryUpperValue
            • String ID: RegDeleteKeyExW$advapi32.dll
            • API String ID: 146587525-4033151799
            • Opcode ID: 0df833079c6b5c5cefd4943c759454813d77ed24bbc721a03ab51a2066f2649f
            • Instruction ID: 89db6cef1781d1baf23fd2e688580ae91fe0ccfec362f8ecac50a7aab4e5f591
            • Opcode Fuzzy Hash: 0df833079c6b5c5cefd4943c759454813d77ed24bbc721a03ab51a2066f2649f
            • Instruction Fuzzy Hash: 17C1AE34214211AFD714DF18D895F2ABBE5FF85318F14846CF59A8B2A2CB35EC46CBA1
            APIs
            • GetDC.USER32(00000000), ref: 00A225D8
            • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00A225E8
            • CreateCompatibleDC.GDI32(?), ref: 00A225F4
            • SelectObject.GDI32(00000000,?), ref: 00A22601
            • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00A2266D
            • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00A226AC
            • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00A226D0
            • SelectObject.GDI32(?,?), ref: 00A226D8
            • DeleteObject.GDI32(?), ref: 00A226E1
            • DeleteDC.GDI32(?), ref: 00A226E8
            • ReleaseDC.USER32(00000000,?), ref: 00A226F3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
            • String ID: (
            • API String ID: 2598888154-3887548279
            • Opcode ID: 12fd56910c70bde6b1017cfcc790d2998375f012ca53527b6d827a87c29164b9
            • Instruction ID: 896486713280deacd5843097665711d5933accc3ffc20f6a8dee7cd5fba705d3
            • Opcode Fuzzy Hash: 12fd56910c70bde6b1017cfcc790d2998375f012ca53527b6d827a87c29164b9
            • Instruction Fuzzy Hash: BA61F276D00219EFCB14CFE8DD84AAEBBB5FF48310F208529E955A7250E774A941DF60
            APIs
            • ___free_lconv_mon.LIBCMT ref: 009DDAA1
              • Part of subcall function 009DD63C: _free.LIBCMT ref: 009DD659
              • Part of subcall function 009DD63C: _free.LIBCMT ref: 009DD66B
              • Part of subcall function 009DD63C: _free.LIBCMT ref: 009DD67D
              • Part of subcall function 009DD63C: _free.LIBCMT ref: 009DD68F
              • Part of subcall function 009DD63C: _free.LIBCMT ref: 009DD6A1
              • Part of subcall function 009DD63C: _free.LIBCMT ref: 009DD6B3
              • Part of subcall function 009DD63C: _free.LIBCMT ref: 009DD6C5
              • Part of subcall function 009DD63C: _free.LIBCMT ref: 009DD6D7
              • Part of subcall function 009DD63C: _free.LIBCMT ref: 009DD6E9
              • Part of subcall function 009DD63C: _free.LIBCMT ref: 009DD6FB
              • Part of subcall function 009DD63C: _free.LIBCMT ref: 009DD70D
              • Part of subcall function 009DD63C: _free.LIBCMT ref: 009DD71F
              • Part of subcall function 009DD63C: _free.LIBCMT ref: 009DD731
            • _free.LIBCMT ref: 009DDA96
              • Part of subcall function 009D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009DD7D1,00000000,00000000,00000000,00000000,?,009DD7F8,00000000,00000007,00000000,?,009DDBF5,00000000), ref: 009D29DE
              • Part of subcall function 009D29C8: GetLastError.KERNEL32(00000000,?,009DD7D1,00000000,00000000,00000000,00000000,?,009DD7F8,00000000,00000007,00000000,?,009DDBF5,00000000,00000000), ref: 009D29F0
            • _free.LIBCMT ref: 009DDAB8
            • _free.LIBCMT ref: 009DDACD
            • _free.LIBCMT ref: 009DDAD8
            • _free.LIBCMT ref: 009DDAFA
            • _free.LIBCMT ref: 009DDB0D
            • _free.LIBCMT ref: 009DDB1B
            • _free.LIBCMT ref: 009DDB26
            • _free.LIBCMT ref: 009DDB5E
            • _free.LIBCMT ref: 009DDB65
            • _free.LIBCMT ref: 009DDB82
            • _free.LIBCMT ref: 009DDB9A
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
            • String ID:
            • API String ID: 161543041-0
            • Opcode ID: ebadd978fcc2dcef5af39adafd227e42d1bab7592f879da0f819501166af620c
            • Instruction ID: 1303dbffbdaa4e6cbbf2c7ed81e860320a47ba8df90d05e08379119813075dd7
            • Opcode Fuzzy Hash: ebadd978fcc2dcef5af39adafd227e42d1bab7592f879da0f819501166af620c
            • Instruction Fuzzy Hash: 59315A316856049FEB21AB78E945B6A77ECFF50314F15C41BE449D7391DB34EC409B20
            APIs
            • GetClassNameW.USER32(?,?,00000100), ref: 00A0369C
            • _wcslen.LIBCMT ref: 00A036A7
            • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00A03797
            • GetClassNameW.USER32(?,?,00000400), ref: 00A0380C
            • GetDlgCtrlID.USER32(?), ref: 00A0385D
            • GetWindowRect.USER32(?,?), ref: 00A03882
            • GetParent.USER32(?), ref: 00A038A0
            • ScreenToClient.USER32(00000000), ref: 00A038A7
            • GetClassNameW.USER32(?,?,00000100), ref: 00A03921
            • GetWindowTextW.USER32(?,?,00000400), ref: 00A0395D
            Strings
            Similarity
            • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout_wcslen
            • String ID: %s%u
            • API String ID: 4010501982-679674701
            • Opcode ID: 72cf39e1bc59d81558c769c97c17a3127f187863d2a3f7d8e2aa573a06335e84
            • Instruction ID: 5903c4d3c3229ae90dc3ac60194ab2159630168ae786e1f915915a9621af7282
            • Opcode Fuzzy Hash: 72cf39e1bc59d81558c769c97c17a3127f187863d2a3f7d8e2aa573a06335e84
            • Instruction Fuzzy Hash: DB91B17220470AAFDB19DF64D895FAAB7ACFF44350F008629F999D21D0DB30EA45CB91
            APIs
            • GetClassNameW.USER32(?,?,00000400), ref: 00A04994
            • GetWindowTextW.USER32(?,?,00000400), ref: 00A049DA
            • _wcslen.LIBCMT ref: 00A049EB
            • CharUpperBuffW.USER32(?,00000000), ref: 00A049F7
            • _wcsstr.LIBVCRUNTIME ref: 00A04A2C
            • GetClassNameW.USER32(00000018,?,00000400), ref: 00A04A64
            • GetWindowTextW.USER32(?,?,00000400), ref: 00A04A9D
            • GetClassNameW.USER32(00000018,?,00000400), ref: 00A04AE6
            • GetClassNameW.USER32(?,?,00000400), ref: 00A04B20
            • GetWindowRect.USER32(?,?), ref: 00A04B8B
            Strings
            Similarity
            • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
            • String ID: ThumbnailClass
            • API String ID: 1311036022-1241985126
            • Opcode ID: 4d80bea6bafeb1adcff8f1dcacf1f86a28478e917a04a5999d72ed248422960b
            • Instruction ID: a730a97748fe454927c9d16d33ea84d36dd3f0ef1313183640479e7636862658
            • Opcode Fuzzy Hash: 4d80bea6bafeb1adcff8f1dcacf1f86a28478e917a04a5999d72ed248422960b
            • Instruction Fuzzy Hash: 7D91BEB21042099FDB04DF14E985FAA77E8FF89354F048469FE859A0D6EB30ED45CBA1
            APIs
            • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A2CC64
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00A2CC8D
            • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A2CD48
              • Part of subcall function 00A2CC34: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00A2CCAA
              • Part of subcall function 00A2CC34: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00A2CCBD
              • Part of subcall function 00A2CC34: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00A2CCCF
              • Part of subcall function 00A2CC34: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00A2CD05
              • Part of subcall function 00A2CC34: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00A2CD28
            • RegDeleteKeyW.ADVAPI32(?,?), ref: 00A2CCF3
            Strings
            Similarity
            • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
            • String ID: RegDeleteKeyExW$advapi32.dll
            • API String ID: 2734957052-4033151799
            • Opcode ID: cac696decd835d5d985ac010a3b69c06030ebf4ab82f54c31c96aa5ea5d76678
            • Instruction ID: 0b739722168c9659ec436787680fa88766786704ae263a199f614967c2e14572
            • Opcode Fuzzy Hash: cac696decd835d5d985ac010a3b69c06030ebf4ab82f54c31c96aa5ea5d76678
            • Instruction Fuzzy Hash: 9B315E75901129BBD720CBA5EC88EFFBB7CEF46760F000175B905E3140D6749A469BA0
            APIs
            • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A13D40
            • _wcslen.LIBCMT ref: 00A13D6D
            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00A13D9D
            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00A13DBE
            • RemoveDirectoryW.KERNEL32(?), ref: 00A13DCE
            • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00A13E55
            • CloseHandle.KERNEL32(00000000), ref: 00A13E60
            • CloseHandle.KERNEL32(00000000), ref: 00A13E6B
            Strings
            Similarity
            • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
            • String ID: :$\$\??\%s
            • API String ID: 1149970189-3457252023
            • Opcode ID: c7251e7d627676ef1fb3e5cd229e78911f1b4f5b5eb34a6088942280d2615585
            • Instruction ID: 2ca7d57dd6cab3981de5cb3c63e8c3da4a2c34f8efd252d1ffac67ef08249ac1
            • Opcode Fuzzy Hash: c7251e7d627676ef1fb3e5cd229e78911f1b4f5b5eb34a6088942280d2615585
            • Instruction Fuzzy Hash: 3A319072900219AADF21DFA0EC49FEB77BDEF88750F1041A5F509E60A0EB7497858B64
            APIs
            • timeGetTime.WINMM ref: 00A0E6B4
              • Part of subcall function 009BE551: timeGetTime.WINMM(?,?,00A0E6D4), ref: 009BE555
            • Sleep.KERNEL32(0000000A), ref: 00A0E6E1
            • EnumThreadWindows.USER32(?,Function_0006E665,00000000), ref: 00A0E705
            • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00A0E727
            • SetActiveWindow.USER32 ref: 00A0E746
            • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00A0E754
            • SendMessageW.USER32(00000010,00000000,00000000), ref: 00A0E773
            • Sleep.KERNEL32(000000FA), ref: 00A0E77E
            • IsWindow.USER32 ref: 00A0E78A
            • EndDialog.USER32(00000000), ref: 00A0E79B
            Strings
            Similarity
            • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
            • String ID: BUTTON
            • API String ID: 1194449130-3405671355
            • Opcode ID: eeea7a4655ffc59ffbde5e626fdb1efc0b4b3a9c98c96758bdb08e75749a91d5
            • Instruction ID: 034429e8daf51012ca3e9219827715ec3e30f2942fe62884ef02c77f0695a8e8
            • Opcode Fuzzy Hash: eeea7a4655ffc59ffbde5e626fdb1efc0b4b3a9c98c96758bdb08e75749a91d5
            • Instruction Fuzzy Hash: 9321A571200208AFEB00EFE4FC89B253B69F754759F149835F50A921F1DB72AC52AB24
            APIs
              • Part of subcall function 009A9CB3: _wcslen.LIBCMT ref: 009A9CBD
            • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00A0EA5D
            • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00A0EA73
            • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00A0EA84
            • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00A0EA96
            • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00A0EAA7
            Strings
            Similarity
            • API ID: SendString$_wcslen
            • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
            • API String ID: 2420728520-1007645807
            • Opcode ID: c4f49a47f058b1d44c36ca28decc6459abe48a54a83e35ef72f83500b40a06c2
            • Instruction ID: 3ac2115f1f3ffdf36fcbb2f94cac18e5d48814a6a31fb1b043ac2bec1a60cb88
            • Opcode Fuzzy Hash: c4f49a47f058b1d44c36ca28decc6459abe48a54a83e35ef72f83500b40a06c2
            • Instruction Fuzzy Hash: 57115131A5021979D720E7A1DC4AEFF6A7CFBD6F40F4408297811A20D1EEB00915C9F0
            APIs
            • GetDlgItem.USER32(?,00000001), ref: 00A05CE2
            • GetWindowRect.USER32(00000000,?), ref: 00A05CFB
            • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00A05D59
            • GetDlgItem.USER32(?,00000002), ref: 00A05D69
            • GetWindowRect.USER32(00000000,?), ref: 00A05D7B
            • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00A05DCF
            • GetDlgItem.USER32(?,000003E9), ref: 00A05DDD
            • GetWindowRect.USER32(00000000,?), ref: 00A05DEF
            • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00A05E31
            • GetDlgItem.USER32(?,000003EA), ref: 00A05E44
            • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00A05E5A
            • InvalidateRect.USER32(?,00000000,00000001), ref: 00A05E67
            Similarity
            • API ID: Window$ItemMoveRect$Invalidate
            • String ID:
            • API String ID: 3096461208-0
            • Opcode ID: f7f2d2e16fcf5496d88bf648b6d968d5db43aadddcf3b6ba06f210ac202b7389
            • Instruction ID: 0a50f5f31315873ee95aad2c388b58a418c8f9734c1252859057500ed512fcbd
            • Opcode Fuzzy Hash: f7f2d2e16fcf5496d88bf648b6d968d5db43aadddcf3b6ba06f210ac202b7389
            • Instruction Fuzzy Hash: 7151FCB1E00619AFDF18CFA8DD89AAEBBB5EB48310F148129F915E6290D7709E05CF50
            APIs
              • Part of subcall function 009B8F62: InvalidateRect.USER32(?,00000000,00000001,?,?,?,009B8BE8,?,00000000,?,?,?,?,009B8BBA,00000000,?), ref: 009B8FC5
            • DestroyWindow.USER32(?), ref: 009B8C81
            • KillTimer.USER32(00000000,?,?,?,?,009B8BBA,00000000,?), ref: 009B8D1B
            • DestroyAcceleratorTable.USER32(00000000), ref: 009F6973
            • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,009B8BBA,00000000,?), ref: 009F69A1
            • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,009B8BBA,00000000,?), ref: 009F69B8
            • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,009B8BBA,00000000), ref: 009F69D4
            • DeleteObject.GDI32(00000000), ref: 009F69E6
            Similarity
            • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
            • String ID:
            • API String ID: 641708696-0
            • Opcode ID: 70d6509ab0a2539d09d6db8a2f179224d6a25848773db2b097e3379112fe8bb2
            • Instruction ID: 6bea6f79a076ee02e4e374519059f3fd6fb9d5991c286684c38a263d93f1bf78
            • Opcode Fuzzy Hash: 70d6509ab0a2539d09d6db8a2f179224d6a25848773db2b097e3379112fe8bb2
            • Instruction Fuzzy Hash: FA61BC71101705DFCB25DF68CE49BB67BF9FB48322F148918E1869A960CB75A8C2DB90
            APIs
              • Part of subcall function 009B9944: GetWindowLongW.USER32(?,000000EB), ref: 009B9952
            • GetSysColor.USER32(0000000F), ref: 009B9862
            Similarity
            • API ID: ColorLongWindow
            • String ID:
            • API String ID: 259745315-0
            • Opcode ID: c1254ac3077ae7146ccac947258593e9072882d811940dc86347d584da25e503
            • Instruction ID: 94e054659a2c28fb5480fc4e97c1310fa522240b0ef340e82bf959487fc88a3a
            • Opcode Fuzzy Hash: c1254ac3077ae7146ccac947258593e9072882d811940dc86347d584da25e503
            • Instruction Fuzzy Hash: 1241B131114644AFDB219FB89D89BF93BB9EB06330F144619FBA29B2E1D7359C42DB10
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000001,00000000,?,?,009EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?), ref: 00A09717
            • LoadStringW.USER32(00000000,?,009EF7F8,00000001), ref: 00A09720
              • Part of subcall function 009A9CB3: _wcslen.LIBCMT ref: 009A9CBD
            • GetModuleHandleW.KERNEL32(00000000,00000001,?,00000FFF,?,?,009EF7F8,00000001,0000138C,00000001,?,00000001,00000000,?,?,00000000), ref: 00A09742
            • LoadStringW.USER32(00000000,?,009EF7F8,00000001), ref: 00A09745
            • MessageBoxW.USER32(00000000,00000000,?,00011010), ref: 00A09866
            Strings
            Similarity
            • API ID: HandleLoadModuleString$Message_wcslen
            • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
            • API String ID: 747408836-2268648507
            • Opcode ID: 5ff40900595a236228c578f2f057d44499147c8d3b3a11bc2d5b853c8ce56959
            • Instruction ID: 30f439c35a77e4865fd8e63845d14477722aec3000b548846c0eab53f30a5eec
            • Opcode Fuzzy Hash: 5ff40900595a236228c578f2f057d44499147c8d3b3a11bc2d5b853c8ce56959
            • Instruction Fuzzy Hash: F8411E72804219ABCF04EBE0DE46EEEB778AF96340F504465F50572092EF356F49CBA1
            APIs
              • Part of subcall function 009A6B57: _wcslen.LIBCMT ref: 009A6B6A
            • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00A007A2
            • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00A007BE
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00A007DA
            • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00A00804
            • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00A0082C
            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A00837
            • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00A0083C
            Strings
            Similarity
            • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
            • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
            • API String ID: 323675364-22481851
            • Opcode ID: 578fe0d7041d1dfa6dff83dc21c5fefc0223b98e9a4332bb9909f6f3ab16d787
            • Instruction ID: b1d8889453820ea174301042ebe8c39377b12d7c55629432f76d67aa280e4e39
            • Opcode Fuzzy Hash: 578fe0d7041d1dfa6dff83dc21c5fefc0223b98e9a4332bb9909f6f3ab16d787
            • Instruction Fuzzy Hash: 4941E772C10229ABDF15EBA4DC95EEEB778BF45350F444529F901B31A1EB349E04CBA0
            APIs
            • VariantInit.OLEAUT32(?), ref: 00A23C5C
            • CoInitialize.OLE32(00000000), ref: 00A23C8A
            • CoUninitialize.OLE32 ref: 00A23C94
            • _wcslen.LIBCMT ref: 00A23D2D
            • GetRunningObjectTable.OLE32(00000000,?), ref: 00A23DB1
            • SetErrorMode.KERNEL32(00000001,00000029), ref: 00A23ED5
            • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00A23F0E
            • CoGetObject.OLE32(?,00000000,00A3FB98,?), ref: 00A23F2D
            • SetErrorMode.KERNEL32(00000000), ref: 00A23F40
            • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00A23FC4
            • VariantClear.OLEAUT32(?), ref: 00A23FD8
            Similarity
            • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
            • String ID:
            • API String ID: 429561992-0
            • Opcode ID: 996e01aa564547b0584c3b10fa74ba607060c75c3c1db76c4dc78ed432ac41ed
            • Instruction ID: a41892d16f1726804d91691908c42e2c3ea0477fcb3130cc545ed863d109ceaf
            • Opcode Fuzzy Hash: 996e01aa564547b0584c3b10fa74ba607060c75c3c1db76c4dc78ed432ac41ed
            • Instruction Fuzzy Hash: 98C147726083159FCB00DF68D98492BB7E9FF8A744F10492DF98A9B211D735EE05CB52
            APIs
            • CoInitialize.OLE32(00000000), ref: 00A17AF3
            • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00A17B8F
            • SHGetDesktopFolder.SHELL32(?), ref: 00A17BA3
            • CoCreateInstance.OLE32(00A3FD08,00000000,00000001,00A66E6C,?), ref: 00A17BEF
            • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00A17C74
            • CoTaskMemFree.OLE32(?,?), ref: 00A17CCC
            • SHBrowseForFolderW.SHELL32(?), ref: 00A17D57
            • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00A17D7A
            • CoTaskMemFree.OLE32(00000000), ref: 00A17D81
            • CoTaskMemFree.OLE32(00000000), ref: 00A17DD6
            • CoUninitialize.OLE32 ref: 00A17DDC
            Similarity
            • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
            • String ID:
            • API String ID: 2762341140-0
            • Opcode ID: 443ac36767763c7abcbf2c2c81d83af805a3deccb52bce2e2a7a67c876f6a698
            • Instruction ID: 80c2527186fd48e45a811617979258fd5179f8bd0af86e243e0ec658dbbb18e5
            • Opcode Fuzzy Hash: 443ac36767763c7abcbf2c2c81d83af805a3deccb52bce2e2a7a67c876f6a698
            • Instruction Fuzzy Hash: FEC11C75A04119AFCB14DFA4C884DAEBBF9FF48314B149499F41ADB261D730EE85CB90
            APIs
            • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00A35504
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A35515
            • CharNextW.USER32(00000158), ref: 00A35544
            • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00A35585
            • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00A3559B
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A355AC
            Similarity
            • API ID: MessageSend$CharNext
            • String ID:
            • API String ID: 1350042424-0
            • Opcode ID: c283489032d617e72904fb0eea9af5553bce31e659e96d9f4a58c1944a44bb9f
            • Instruction ID: 8f5b497eb3ebece8602eabeeb552c9f094c1ffba8edb556e11e03d19f3d90e7f
            • Opcode Fuzzy Hash: c283489032d617e72904fb0eea9af5553bce31e659e96d9f4a58c1944a44bb9f
            • Instruction Fuzzy Hash: 5F618E71D00608AFDF14DFA8CC85AFE7BB9EB09720F108145F925A7291D7749A81DBA0
            APIs
            • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 009FFAAF
            • SafeArrayAllocData.OLEAUT32(?), ref: 009FFB08
            • VariantInit.OLEAUT32(?), ref: 009FFB1A
            • SafeArrayAccessData.OLEAUT32(?,?), ref: 009FFB3A
            • VariantCopy.OLEAUT32(?,?), ref: 009FFB8D
            • SafeArrayUnaccessData.OLEAUT32(?), ref: 009FFBA1
            • VariantClear.OLEAUT32(?), ref: 009FFBB6
            • SafeArrayDestroyData.OLEAUT32(?), ref: 009FFBC3
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009FFBCC
            • VariantClear.OLEAUT32(?), ref: 009FFBDE
            • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 009FFBE9
            Similarity
            • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
            • String ID:
            • API String ID: 2706829360-0
            APIs
            • GetKeyboardState.USER32(?), ref: 00A09CA1
            • GetAsyncKeyState.USER32(000000A0), ref: 00A09D22
            • GetKeyState.USER32(000000A0), ref: 00A09D3D
            • GetAsyncKeyState.USER32(000000A1), ref: 00A09D57
            • GetKeyState.USER32(000000A1), ref: 00A09D6C
            • GetAsyncKeyState.USER32(00000011), ref: 00A09D84
            • GetKeyState.USER32(00000011), ref: 00A09D96
            • GetAsyncKeyState.USER32(00000012), ref: 00A09DAE
            • GetKeyState.USER32(00000012), ref: 00A09DC0
            • GetAsyncKeyState.USER32(0000005B), ref: 00A09DD8
            • GetKeyState.USER32(0000005B), ref: 00A09DEA
            Similarity
            • API ID: State$Async$Keyboard
            • String ID:
            • API String ID: 541375521-0
            APIs
            • WSAStartup.WSOCK32(00000101,?), ref: 00A205BC
            • inet_addr.WSOCK32(?), ref: 00A2061C
            • gethostbyname.WSOCK32(?), ref: 00A20628
            • IcmpCreateFile.IPHLPAPI ref: 00A20636
            • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00A206C6
            • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00A206E5
            • IcmpCloseHandle.IPHLPAPI(?), ref: 00A207B9
            • WSACleanup.WSOCK32 ref: 00A207BF
            Similarity
            • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
            • String ID: Ping
            • API String ID: 1028309954-2246546115
            Similarity
            • API ID: _wcslen$BuffCharLower
            • String ID: cdecl$none$stdcall$winapi
            • API String ID: 707087890-567219261
            APIs
            • CoInitialize.OLE32 ref: 00A23774
            • CoUninitialize.OLE32 ref: 00A2377F
            • CoCreateInstance.OLE32(?,00000000,00000017,00A3FB78,?), ref: 00A237D9
            • IIDFromString.OLE32(?,?), ref: 00A2384C
            • VariantInit.OLEAUT32(?), ref: 00A238E4
            • VariantClear.OLEAUT32(?), ref: 00A23936
            Similarity
            • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize
            • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
            • API String ID: 636576611-1287834457
            APIs
            • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00A133CF
              • Part of subcall function 009A9CB3: _wcslen.LIBCMT ref: 009A9CBD
            • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00A133F0
            Similarity
            • API ID: LoadString$_wcslen
            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
            • API String ID: 4099089115-3080491070
            Similarity
            • API ID: _wcslen$BuffCharUpper
            • String ID: APPEND$EXISTS$KEYS$REMOVE
            • API String ID: 1256254125-769500911
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00A153A0
            • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00A15416
            • GetLastError.KERNEL32 ref: 00A15420
            • SetErrorMode.KERNEL32(00000000,READY), ref: 00A154A7
            Similarity
            • API ID: Error$Mode$DiskFreeLastSpace
            • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
            • API String ID: 4194297153-14809454
            APIs
            • CreateMenu.USER32 ref: 00A33C79
            • SetMenu.USER32(?,00000000), ref: 00A33C88
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A33D10
            • IsMenu.USER32(?), ref: 00A33D24
            • CreatePopupMenu.USER32 ref: 00A33D2E
            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A33D5B
            • DrawMenuBar.USER32 ref: 00A33D63
            Similarity
            • API ID: Menu$CreateItem$DrawInfoInsertPopup
            • String ID: 0$F
            • API String ID: 161812096-3044882817
            APIs
            • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00A33A9D
            • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00A33AA0
            • GetWindowLongW.USER32(?,000000F0), ref: 00A33AC7
            • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00A33AEA
            • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00A33B62
            • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00A33BAC
            • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00A33BC7
            • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00A33BE2
            • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00A33BF6
            • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00A33C13
            Similarity
            • API ID: MessageSend$LongWindow
            • String ID:
            • API String ID: 312131281-0
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 00A0B151
            • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00A0A1E1,?,00000001), ref: 00A0B165
            • GetWindowThreadProcessId.USER32(00000000), ref: 00A0B16C
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A0A1E1,?,00000001), ref: 00A0B17B
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00A0B18D
            • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00A0A1E1,?,00000001), ref: 00A0B1A6
            • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00A0A1E1,?,00000001), ref: 00A0B1B8
            • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00A0A1E1,?,00000001), ref: 00A0B1FD
            • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00A0A1E1,?,00000001), ref: 00A0B212
            • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00A0A1E1,?,00000001), ref: 00A0B21D
            Similarity
            • API ID: Thread$AttachInput$Window$Process$CurrentForeground
            • String ID:
            • API String ID: 2156557900-0
            APIs
            • _free.LIBCMT ref: 009D2C94
              • Part of subcall function 009D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009DD7D1,00000000,00000000,00000000,00000000,?,009DD7F8,00000000,00000007,00000000,?,009DDBF5,00000000), ref: 009D29DE
              • Part of subcall function 009D29C8: GetLastError.KERNEL32(00000000,?,009DD7D1,00000000,00000000,00000000,00000000,?,009DD7F8,00000000,00000007,00000000,?,009DDBF5,00000000,00000000), ref: 009D29F0
            • _free.LIBCMT ref: 009D2CA0
            • _free.LIBCMT ref: 009D2CAB
            • _free.LIBCMT ref: 009D2CB6
            • _free.LIBCMT ref: 009D2CC1
            • _free.LIBCMT ref: 009D2CCC
            • _free.LIBCMT ref: 009D2CD7
            • _free.LIBCMT ref: 009D2CE2
            • _free.LIBCMT ref: 009D2CED
            • _free.LIBCMT ref: 009D2CFB
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            APIs
            • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 009A1459
            • OleUninitialize.OLE32(?,00000000), ref: 009A14F8
            • UnregisterHotKey.USER32(?), ref: 009A16DD
            • DestroyWindow.USER32(?), ref: 009E24B9
            • FreeLibrary.KERNEL32(?), ref: 009E251E
            • VirtualFree.KERNEL32(?,00000000,00008000), ref: 009E254B
            Similarity
            • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
            • String ID: close all
            • API String ID: 469580280-3243417748
            APIs
            • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A17FAD
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00A17FC1
            • GetFileAttributesW.KERNEL32(?), ref: 00A17FEB
            • SetFileAttributesW.KERNEL32(?,00000000), ref: 00A18005
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00A18017
            • SetCurrentDirectoryW.KERNEL32(?), ref: 00A18060
            • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00A180B0
            Similarity
            • API ID: CurrentDirectory$AttributesFile
            • String ID: *.*
            • API String ID: 769691225-438819550
            APIs
            • SetWindowLongW.USER32(?,000000EB), ref: 009A5C7A
              • Part of subcall function 009A5D0A: GetClientRect.USER32(?,?), ref: 009A5D30
              • Part of subcall function 009A5D0A: GetWindowRect.USER32(?,?), ref: 009A5D71
              • Part of subcall function 009A5D0A: ScreenToClient.USER32(?,?), ref: 009A5D99
            • GetDC.USER32 ref: 009E46F5
            • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 009E4708
            • SelectObject.GDI32(00000000,00000000), ref: 009E4716
            • SelectObject.GDI32(00000000,00000000), ref: 009E472B
            • ReleaseDC.USER32(?,00000000), ref: 009E4733
            • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 009E47C4
            Similarity
            • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
            • String ID: U
            • API String ID: 4009187628-3372436214
            APIs
            • LoadStringW.USER32(00000066,?,00000FFF,00000000), ref: 00A135E4
              • Part of subcall function 009A9CB3: _wcslen.LIBCMT ref: 009A9CBD
            • LoadStringW.USER32(00A72390,?,00000FFF,?), ref: 00A1360A
            Similarity
            • API ID: LoadString$_wcslen
            • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
            • API String ID: 4099089115-2391861430
            APIs
            • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A1C272
            • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00A1C29A
            • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00A1C2CA
            • GetLastError.KERNEL32 ref: 00A1C322
            • SetEvent.KERNEL32(?), ref: 00A1C336
            • InternetCloseHandle.WININET(00000000), ref: 00A1C341
            Similarity
            • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
            • String ID:
            • API String ID: 3113390036-3916222277
            • Opcode ID: 7ca9e1a86541eb17ccbc4b8ceae7659315eb66ee04eb533f72972a071d81bead
            • Instruction ID: 348d91637a643fd92ad4d947ed8848def653a51c44ede2bff6daa975c3e13232
            • Opcode Fuzzy Hash: 7ca9e1a86541eb17ccbc4b8ceae7659315eb66ee04eb533f72972a071d81bead
            • Instruction Fuzzy Hash: 2A319CB1640308AFD721DFA58C88AEBBBFCEB49760B10851EF456E7200DB30DD858B61
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,009E3AAF,?,?,Bad directive syntax error,00A3CC08,00000000,00000010,?,?,>>>AUTOIT SCRIPT<<<), ref: 00A098BC
            • LoadStringW.USER32(00000000,?,009E3AAF,?), ref: 00A098C3
              • Part of subcall function 009A9CB3: _wcslen.LIBCMT ref: 009A9CBD
            • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 00A09987
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: HandleLoadMessageModuleString_wcslen
            • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
            • API String ID: 858772685-4153970271
            • Opcode ID: 92e6009043ed941161d59e4b194e2d0499eff9bb0db3bc8caf00949754306086
            • Instruction ID: 96cc49f7d2de481051fe4fb4bc8c3fcabab06ce59793201d4c8eecda24e1a9e3
            • Opcode Fuzzy Hash: 92e6009043ed941161d59e4b194e2d0499eff9bb0db3bc8caf00949754306086
            • Instruction Fuzzy Hash: F2215E3280021EBBCF15AF90DC0AFEE7775FF59750F048855F519660A2EB719A18DB90
            APIs
            • GetParent.USER32 ref: 00A020AB
            • GetClassNameW.USER32(00000000,?,00000100), ref: 00A020C0
            • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00A0214D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ClassMessageNameParentSend
            • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
            • API String ID: 1290815626-3381328864
            • Opcode ID: 7cebcfc61c1a7f3534ad06546cf53bc9c8bed775490db28397ffb8ed1d789716
            • Instruction ID: ec5480b96ba095239378cf34aa45ea4913e9ecee284d714a8a20c87b0b3e2a97
            • Opcode Fuzzy Hash: 7cebcfc61c1a7f3534ad06546cf53bc9c8bed775490db28397ffb8ed1d789716
            • Instruction Fuzzy Hash: 1F110676A8870AB9FA156730EC0BFA677ACDF05324F20021AFB04A50D2FB6168525714
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
            • String ID:
            • API String ID: 1282221369-0
            • Opcode ID: 1cde20703d7b62c260f3e49ca1541e00df9cf19f49d1338143b13aa379d501cc
            • Instruction ID: fa9551e5d71f5c7b446afcbecf8532bf6d25afb5a81c374dacb7d7c4d4954536
            • Opcode Fuzzy Hash: 1cde20703d7b62c260f3e49ca1541e00df9cf19f49d1338143b13aa379d501cc
            • Instruction Fuzzy Hash: 386116B1A84302AFDB21AFB8DC95BAA7BA9EF45310F04C16FF944A7382D6319D41D750
            APIs
            • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00A35186
            • ShowWindow.USER32(?,00000000), ref: 00A351C7
            • ShowWindow.USER32(?,00000005,?,00000000), ref: 00A351CD
            • SetFocus.USER32(?,?,00000005,?,00000000), ref: 00A351D1
              • Part of subcall function 00A36FBA: DeleteObject.GDI32(00000000), ref: 00A36FE6
            • GetWindowLongW.USER32(?,000000F0), ref: 00A3520D
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A3521A
            • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00A3524D
            • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00A35287
            • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00A35296
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
            • String ID:
            • API String ID: 3210457359-0
            • Opcode ID: 2ec9a92a083257c76b5c026025f717f46ee21c511a6e1f1aa76e498cc451fcc3
            • Instruction ID: 986e9c68af255ecaf555b48ab965b4c230d42c3da057af32bc4d79daba8b8e6e
            • Opcode Fuzzy Hash: 2ec9a92a083257c76b5c026025f717f46ee21c511a6e1f1aa76e498cc451fcc3
            • Instruction Fuzzy Hash: 1C518130E50A08BFEF20AFBCCC46BD97BB5EB05721F148611FA15962E1C775A990DB41
            APIs
            • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 009F6890
            • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 009F68A9
            • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 009F68B9
            • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 009F68D1
            • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 009F68F2
            • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,009B8874,00000000,00000000,00000000,000000FF,00000000), ref: 009F6901
            • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 009F691E
            • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,009B8874,00000000,00000000,00000000,000000FF,00000000), ref: 009F692D
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Icon$DestroyExtractImageLoadMessageSend
            • String ID:
            • API String ID: 1268354404-0
            • Opcode ID: 01db94e7c2b6247e2e0fea1acf247eb4bd8e74f4940d231689fe499b26f59069
            • Instruction ID: 0063f3eb74abcc9668442919d866813599df57b5553dbf41e36c6f4908994ef3
            • Opcode Fuzzy Hash: 01db94e7c2b6247e2e0fea1acf247eb4bd8e74f4940d231689fe499b26f59069
            • Instruction Fuzzy Hash: DB517B70600309EFDB20CF64CD55FAA7BB9FB48760F104518FA56A72A0DB74E991DB50
            APIs
            • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00A1C182
            • GetLastError.KERNEL32 ref: 00A1C195
            • SetEvent.KERNEL32(?), ref: 00A1C1A9
              • Part of subcall function 00A1C253: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00A1C272
              • Part of subcall function 00A1C253: GetLastError.KERNEL32 ref: 00A1C322
              • Part of subcall function 00A1C253: SetEvent.KERNEL32(?), ref: 00A1C336
              • Part of subcall function 00A1C253: InternetCloseHandle.WININET(00000000), ref: 00A1C341
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
            • String ID:
            • API String ID: 337547030-0
            • Opcode ID: eedea510066a9779c3fb9aa7e36a415ad067509c8f14726f5c52abca2aaa8d15
            • Instruction ID: 14d79ef7905963ce8186146ea5c698b9b6263601f6f79605f870feadf09c17a1
            • Opcode Fuzzy Hash: eedea510066a9779c3fb9aa7e36a415ad067509c8f14726f5c52abca2aaa8d15
            • Instruction Fuzzy Hash: EF31AC71280701BFDB21AFE5DD08AEBBBF8FF18320B00451DF95696610D730E8959BA0
            APIs
              • Part of subcall function 00A03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A03A57
              • Part of subcall function 00A03A3D: GetCurrentThreadId.KERNEL32 ref: 00A03A5E
              • Part of subcall function 00A03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A025B3), ref: 00A03A65
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00A025BD
            • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00A025DB
            • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00A025DF
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00A025E9
            • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00A02601
            • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00A02605
            • MapVirtualKeyW.USER32(00000025,00000000), ref: 00A0260F
            • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00A02623
            • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00A02627
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
            • String ID:
            • API String ID: 2014098862-0
            • Opcode ID: f5fc4c2a4d2cacb09fde515c783c773ec01470c14a3771ad3068200eb42e4673
            • Instruction ID: ab7ec1c9c153d2d9dfb5b83d77f83854def5b1150ab9dc458c539a45f8547e28
            • Opcode Fuzzy Hash: f5fc4c2a4d2cacb09fde515c783c773ec01470c14a3771ad3068200eb42e4673
            • Instruction Fuzzy Hash: 7B01D431390324BBFB10A7A89C8EF593F59DB4EB62F100011F318BE0D1C9E224459B69
            APIs
            • GetProcessHeap.KERNEL32(00000008,0000000C,?,00000000,?,00A01449,?,?,00000000), ref: 00A0180C
            • HeapAlloc.KERNEL32(00000000,?,00A01449,?,?,00000000), ref: 00A01813
            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A01449,?,?,00000000), ref: 00A01828
            • GetCurrentProcess.KERNEL32(?,00000000,?,00A01449,?,?,00000000), ref: 00A01830
            • DuplicateHandle.KERNEL32(00000000,?,00A01449,?,?,00000000), ref: 00A01833
            • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00A01449,?,?,00000000), ref: 00A01843
            • GetCurrentProcess.KERNEL32(00A01449,00000000,?,00A01449,?,?,00000000), ref: 00A0184B
            • DuplicateHandle.KERNEL32(00000000,?,00A01449,?,?,00000000), ref: 00A0184E
            • CreateThread.KERNEL32(00000000,00000000,00A01874,00000000,00000000,00000000), ref: 00A01868
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
            • String ID:
            • API String ID: 1957940570-0
            • Opcode ID: ae942e935c58f69a8d79e6edf9585baec7c2f1f13731f0ccdc61e5099978ad02
            • Instruction ID: ecd668bbfdbd3e2f0d8af9d8dcc1246b3300288bf70acfe4f49b8e9e20680dc6
            • Opcode Fuzzy Hash: ae942e935c58f69a8d79e6edf9585baec7c2f1f13731f0ccdc61e5099978ad02
            • Instruction Fuzzy Hash: 4B01BBB5240308BFE750EBA5DC8DF6B7BACEB89B11F008511FA05EB1A1CA70D811DB20
            APIs
              • Part of subcall function 00A0D4DC: CreateToolhelp32Snapshot.KERNEL32 ref: 00A0D501
              • Part of subcall function 00A0D4DC: Process32FirstW.KERNEL32(00000000,?), ref: 00A0D50F
              • Part of subcall function 00A0D4DC: CloseHandle.KERNEL32(00000000), ref: 00A0D5DC
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A2A16D
            • GetLastError.KERNEL32 ref: 00A2A180
            • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00A2A1B3
            • TerminateProcess.KERNEL32(00000000,00000000), ref: 00A2A268
            • GetLastError.KERNEL32(00000000), ref: 00A2A273
            • CloseHandle.KERNEL32(00000000), ref: 00A2A2C4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
            • String ID: SeDebugPrivilege
            • API String ID: 2533919879-2896544425
            • Opcode ID: 7b1d0697e086dbcb8dee47f6c8422ed729446ec50e34c75a9d5a346e40d427ca
            • Instruction ID: 5a0a4ddcf33989ca041fc5a12fb822453e3278db56ac0e6370b74b040c508d8d
            • Opcode Fuzzy Hash: 7b1d0697e086dbcb8dee47f6c8422ed729446ec50e34c75a9d5a346e40d427ca
            • Instruction Fuzzy Hash: E3618D712042529FD720DF18D894F59BBE1AF55318F1884ACE4668F7A3C772EC46CB92
            APIs
            • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00A33925
            • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00A3393A
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00A33954
            • _wcslen.LIBCMT ref: 00A33999
            • SendMessageW.USER32(?,00001057,00000000,?), ref: 00A339C6
            • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00A339F4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: MessageSend$Window_wcslen
            • String ID: SysListView32
            • API String ID: 2147712094-78025650
            • Opcode ID: aef8250fd5b28b22654af41b1ddeb3207e930394310232e0b8b5f06cf922aab8
            • Instruction ID: 927b2fcc3facf4448bf514b0908d89bf8ab784947d4bd9f91f69c5c2cef2d03a
            • Opcode Fuzzy Hash: aef8250fd5b28b22654af41b1ddeb3207e930394310232e0b8b5f06cf922aab8
            • Instruction Fuzzy Hash: 9741A272A04218ABEF21DF64CC45FEA7BA9FF48350F100526F958E7281D7759D80CB90
            APIs
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A0BCFD
            • IsMenu.USER32(00000000), ref: 00A0BD1D
            • CreatePopupMenu.USER32 ref: 00A0BD53
            • GetMenuItemCount.USER32(00F86840), ref: 00A0BDA4
            • InsertMenuItemW.USER32(00F86840,?,00000001,00000030), ref: 00A0BDCC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Menu$Item$CountCreateInfoInsertPopup
            • String ID: 0$2
            • API String ID: 93392585-3793063076
            • Opcode ID: 2981c632f711dde6b48c9619cd5e76bafda978f856bacec98e342ea843c501db
            • Instruction ID: 4099de78204a15429d2b67e0dd93da1d26ef37e4cd10fe03cb34f22073599c8f
            • Opcode Fuzzy Hash: 2981c632f711dde6b48c9619cd5e76bafda978f856bacec98e342ea843c501db
            • Instruction Fuzzy Hash: 0B518C70A1020EDBDF10DFA8EA88BAEFBF4AF45324F148259E411A72D1D770A941CB71
            APIs
            • LoadIconW.USER32(00000000,00007F03), ref: 00A0C913
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: IconLoad
            • String ID: blank$info$question$stop$warning
            • API String ID: 2457776203-404129466
            • Opcode ID: 44c9c358607a624d87db4f2526cb4917d93bdb4175da63c51515dbfad7107c38
            • Instruction ID: 464da0baf17081643ea4cfac6069c93f4bc5987558b3bc7bf8587f81c1877da4
            • Opcode Fuzzy Hash: 44c9c358607a624d87db4f2526cb4917d93bdb4175da63c51515dbfad7107c38
            • Instruction Fuzzy Hash: 9C110D3278930EBAE7159B54BC83EAA77BCDF15374B10452EF904A62C3D7705D005269
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: _wcslen$LocalTime
            • String ID:
            • API String ID: 952045576-0
            • Opcode ID: f71ef6f4ca4f39a9e63c3030d40513efb5c98400cac00b0d6d18d7a06f9a5da2
            • Instruction ID: 92849fa9186dfff8c9e6b2087383ca6983f9ad97b41f1d3609befacc854953a5
            • Opcode Fuzzy Hash: f71ef6f4ca4f39a9e63c3030d40513efb5c98400cac00b0d6d18d7a06f9a5da2
            • Instruction Fuzzy Hash: 9441A465D1011876DB11EBF4CC8AFCFB7A8AF85750F50886AE528E3161FB34E245C3A6
            APIs
            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,009F682C,00000004,00000000,00000000), ref: 009BF953
            • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,009F682C,00000004,00000000,00000000), ref: 009FF3D1
            • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,009F682C,00000004,00000000,00000000), ref: 009FF454
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ShowWindow
            • String ID:
            • API String ID: 1268545403-0
            • Opcode ID: 57101e576131facc66bdf26e2ffe353f7096d3f795e1b860e83eca6b58354e73
            • Instruction ID: 8306055783defc0a8e1d6dc7762e2530c5452924b0acc044e48032fc3e216409
            • Opcode Fuzzy Hash: 57101e576131facc66bdf26e2ffe353f7096d3f795e1b860e83eca6b58354e73
            • Instruction Fuzzy Hash: B7412831208680FAC739CB2C8EB87BA7B99AF46370F14443CF18762560D675A881CB11
            APIs
            • DeleteObject.GDI32(00000000), ref: 00A32D1B
            • GetDC.USER32(00000000), ref: 00A32D23
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A32D2E
            • ReleaseDC.USER32(00000000,00000000), ref: 00A32D3A
            • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00A32D76
            • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00A32D87
            • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00A35A65,?,?,000000FF,00000000,?,000000FF,?), ref: 00A32DC2
            • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00A32DE1
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
            • String ID:
            • API String ID: 3864802216-0
            • Opcode ID: 3ec6776d475f58e9e79015a52518f73d9d787a7f5a6e6e4e200ea3ef311d6417
            • Instruction ID: f66fc23632f7669f9323d3b4795692e572135b8906e85371a28141472f91145f
            • Opcode Fuzzy Hash: 3ec6776d475f58e9e79015a52518f73d9d787a7f5a6e6e4e200ea3ef311d6417
            • Instruction Fuzzy Hash: 4B318E72201214BFEB218F50CC8AFEB3FADEF09765F044055FE08AA291C6759C51CBA4
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            • Opcode ID: 2f626b5cc69f91280c9b2fcf1074ce00d87ce154cd156e6ef6cc5196771ddabf
            • Instruction ID: ac4f989ea892d40c6dd4562dd3160c76dbc5dee8bf163dbb077f90b77f7b5766
            • Opcode Fuzzy Hash: 2f626b5cc69f91280c9b2fcf1074ce00d87ce154cd156e6ef6cc5196771ddabf
            • Instruction Fuzzy Hash: 0D219871E50A0D7BD2145631AE82FBB335CBE62384F480424FD055A5C2F722ED108DA9
            Similarity
            • API ID:
            • String ID: NULL Pointer assignment$Not an Object type
            • API String ID: 0-572801152
            APIs
            • GetCPInfo.KERNEL32(?,?), ref: 009E15CE
            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 009E1651
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009E16E4
            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 009E16FB
              • Part of subcall function 009D3820: RtlAllocateHeap.NTDLL(00000000,?,00A71444,?,009BFDF5,?,?,009AA976,00000010,00A71440,009A13FC,?,009A13C6,?,009A1129), ref: 009D3852
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009E1777
            • __freea.LIBCMT ref: 009E17A2
            • __freea.LIBCMT ref: 009E17AE
            Similarity
            • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
            • String ID:
            • API String ID: 2829977744-0
            Similarity
            • API ID: Variant$ClearInit
            • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
            • API String ID: 2610073882-625585964
            APIs
            • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00A1125C
            • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00A11284
            • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00A112A8
            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A112D8
            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A1135F
            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A113C4
            • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00A11430
            Similarity
            • API ID: ArraySafe$Data$Access$UnaccessVartype
            • String ID:
            • API String ID: 2550207440-0
            Similarity
            • API ID: ObjectSelect$BeginCreatePath
            • String ID:
            • API String ID: 3225163088-0
            APIs
            • VariantInit.OLEAUT32(?), ref: 00A2396B
            • CharUpperBuffW.USER32(?,?), ref: 00A23A7A
            • _wcslen.LIBCMT ref: 00A23A8A
            • VariantClear.OLEAUT32(?), ref: 00A23C1F
              • Part of subcall function 00A10CDF: VariantInit.OLEAUT32(00000000), ref: 00A10D1F
              • Part of subcall function 00A10CDF: VariantCopy.OLEAUT32(?,?), ref: 00A10D28
              • Part of subcall function 00A10CDF: VariantClear.OLEAUT32(?), ref: 00A10D34
            Similarity
            • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
            • String ID: AUTOIT.ERROR$Incorrect Parameter format
            • API String ID: 4137639002-1221869570
            APIs
              • Part of subcall function 00A0000E: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,009FFF41,80070057,?,?,?,00A0035E), ref: 00A0002B
              • Part of subcall function 00A0000E: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009FFF41,80070057,?,?), ref: 00A00046
              • Part of subcall function 00A0000E: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009FFF41,80070057,?,?), ref: 00A00054
              • Part of subcall function 00A0000E: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009FFF41,80070057,?), ref: 00A00064
            • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00A24C51
            • _wcslen.LIBCMT ref: 00A24D59
            • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00A24DCF
            • CoTaskMemFree.OLE32(?), ref: 00A24DDA
            Similarity
            • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
            • String ID: NULL Pointer assignment
            • API String ID: 614568839-2785691316
            APIs
            • GetMenu.USER32(?), ref: 00A32183
            • GetMenuItemCount.USER32(00000000), ref: 00A321B5
            • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00A321DD
            • _wcslen.LIBCMT ref: 00A32213
            • GetMenuItemID.USER32(?,?), ref: 00A3224D
            • GetSubMenu.USER32(?,?), ref: 00A3225B
              • Part of subcall function 00A03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A03A57
              • Part of subcall function 00A03A3D: GetCurrentThreadId.KERNEL32 ref: 00A03A5E
              • Part of subcall function 00A03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A025B3), ref: 00A03A65
            • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00A322E3
              • Part of subcall function 00A0E97B: Sleep.KERNEL32 ref: 00A0E9F3
            Similarity
            • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
            • String ID:
            • API String ID: 4196846111-0
            APIs
            • GetParent.USER32(?), ref: 00A0AEF9
            • GetKeyboardState.USER32(?), ref: 00A0AF0E
            • SetKeyboardState.USER32(?), ref: 00A0AF6F
            • PostMessageW.USER32(?,00000101,00000010,?), ref: 00A0AF9D
            • PostMessageW.USER32(?,00000101,00000011,?), ref: 00A0AFBC
            • PostMessageW.USER32(?,00000101,00000012,?), ref: 00A0AFFD
            • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00A0B020
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            APIs
            • GetParent.USER32(00000000), ref: 00A0AD19
            • GetKeyboardState.USER32(?), ref: 00A0AD2E
            • SetKeyboardState.USER32(?), ref: 00A0AD8F
            • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00A0ADBB
            • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00A0ADD8
            • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00A0AE17
            • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00A0AE38
            Similarity
            • API ID: MessagePost$KeyboardState$Parent
            • String ID:
            • API String ID: 87235514-0
            APIs
            • GetConsoleCP.KERNEL32(009E3CD6,?,?,?,?,?,?,?,?,009D5BA3,?,?,009E3CD6,?,?), ref: 009D5470
            • __fassign.LIBCMT ref: 009D54EB
            • __fassign.LIBCMT ref: 009D5506
            • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,009E3CD6,00000005,00000000,00000000), ref: 009D552C
            • WriteFile.KERNEL32(?,009E3CD6,00000000,009D5BA3,00000000,?,?,?,?,?,?,?,?,?,009D5BA3,?), ref: 009D554B
            • WriteFile.KERNEL32(?,?,00000001,009D5BA3,00000000,?,?,?,?,?,?,?,?,?,009D5BA3,?), ref: 009D5584
            Similarity
            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
            • String ID:
            • API String ID: 1324828854-0
            APIs
            • _ValidateLocalCookies.LIBCMT ref: 009C2D4B
            • ___except_validate_context_record.LIBVCRUNTIME ref: 009C2D53
            • _ValidateLocalCookies.LIBCMT ref: 009C2DE1
            • __IsNonwritableInCurrentImage.LIBCMT ref: 009C2E0C
            • _ValidateLocalCookies.LIBCMT ref: 009C2E61
            Similarity
            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
            • String ID: csm
            • API String ID: 1170836740-1018135373
            APIs
              • Part of subcall function 00A2304E: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A2307A
              • Part of subcall function 00A2304E: _wcslen.LIBCMT ref: 00A2309B
            • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00A21112
            • WSAGetLastError.WSOCK32 ref: 00A21121
            • WSAGetLastError.WSOCK32 ref: 00A211C9
            • closesocket.WSOCK32(00000000), ref: 00A211F9
            Similarity
            • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
            • String ID:
            • API String ID: 2675159561-0
            APIs
              • Part of subcall function 00A0DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A0CF22,?), ref: 00A0DDFD
              • Part of subcall function 00A0DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A0CF22,?), ref: 00A0DE16
            • lstrcmpiW.KERNEL32(?,?), ref: 00A0CF45
            • MoveFileW.KERNEL32(?,?), ref: 00A0CF7F
            • _wcslen.LIBCMT ref: 00A0D005
            • _wcslen.LIBCMT ref: 00A0D01B
            • SHFileOperationW.SHELL32(?), ref: 00A0D061
            Similarity
            • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
            • String ID: \*.*
            • API String ID: 3164238972-1173974218
            APIs
            • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00A32E1C
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00A32E4F
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00A32E84
            • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00A32EB6
            • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00A32EE0
            • GetWindowLongW.USER32(00000000,000000F0), ref: 00A32EF1
            • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00A32F0B
            Similarity
            • API ID: LongWindow$MessageSend
            • String ID:
            • API String ID: 2178440468-0
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A07769
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A0778F
            • SysAllocString.OLEAUT32(00000000), ref: 00A07792
            • SysAllocString.OLEAUT32(?), ref: 00A077B0
            • SysFreeString.OLEAUT32(?), ref: 00A077B9
            • StringFromGUID2.OLE32(?,?,00000028), ref: 00A077DE
            • SysAllocString.OLEAUT32(?), ref: 00A077EC
            Similarity
            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
            • String ID:
            • API String ID: 3761583154-0
            APIs
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A07842
            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00A07868
            • SysAllocString.OLEAUT32(00000000), ref: 00A0786B
            • SysAllocString.OLEAUT32 ref: 00A0788C
            • SysFreeString.OLEAUT32 ref: 00A07895
            • StringFromGUID2.OLE32(?,?,00000028), ref: 00A078AF
            • SysAllocString.OLEAUT32(?), ref: 00A078BD
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
            • String ID:
            • API String ID: 3761583154-0
            • Opcode ID: f20d51387ca7e1561bbed514298b26ae66fc5b8cfef9bb87af7bb7900e2635f9
            • Instruction ID: fe24e401e6df94ae2809b20de056f2d78926e62aaddde3c6bf1d33797312b7e0
            • Opcode Fuzzy Hash: f20d51387ca7e1561bbed514298b26ae66fc5b8cfef9bb87af7bb7900e2635f9
            • Instruction Fuzzy Hash: 44216232A04208AFDB10DFE8DC8DDAE77ACEB097607108125F915DB2A1D674EC85CB64
            APIs
            • GetStdHandle.KERNEL32(0000000C), ref: 00A104F2
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A1052E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CreateHandlePipe
            • String ID: nul
            • API String ID: 1424370930-2873401336
            • Opcode ID: 22368dd3a169b94c02cdb44913bfb776dfbb83af817e83d0e81276ac016317c4
            • Instruction ID: 55fb6efa740a14525d6b50c8109f6211ae5f7b9a7660d1fa7ac178b22f282c99
            • Opcode Fuzzy Hash: 22368dd3a169b94c02cdb44913bfb776dfbb83af817e83d0e81276ac016317c4
            • Instruction Fuzzy Hash: EA213D75500305ABDB209F69DC44EDABBB6BF54774F208A19F8A1E62E0D7B099D1CF20
            APIs
            • GetStdHandle.KERNEL32(000000F6), ref: 00A105C6
            • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00A10601
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CreateHandlePipe
            • String ID: nul
            • API String ID: 1424370930-2873401336
            • Opcode ID: 225e81c61c06bad161fba7f1082e8e971d80f5c37a1cb6e100e65e70bb3c7ec9
            • Instruction ID: 8826c42897749b1fd5489450f4ddac54a5cbc958492cd726a39ab297389bc590
            • Opcode Fuzzy Hash: 225e81c61c06bad161fba7f1082e8e971d80f5c37a1cb6e100e65e70bb3c7ec9
            • Instruction Fuzzy Hash: 5E2141755003059BDB209FA99C44EDAB7A5AF95730F204A19F8B1E72D0D7F099E1CB50
            APIs
              • Part of subcall function 009A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009A604C
              • Part of subcall function 009A600E: GetStockObject.GDI32(00000011), ref: 009A6060
              • Part of subcall function 009A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 009A606A
            • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00A34112
            • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00A3411F
            • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00A3412A
            • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00A34139
            • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00A34145
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: MessageSend$CreateObjectStockWindow
            • String ID: Msctls_Progress32
            • API String ID: 1025951953-3636473452
            • Opcode ID: cc1c761aeb1ea25bd7f1c1ccd2c6a36c227e7d8501ee5ea41f05d0c1a90eb15b
            • Instruction ID: f60045719e1b91ada02b55eb46e2d116d543e9099de59852e6967dd3f760e915
            • Opcode Fuzzy Hash: cc1c761aeb1ea25bd7f1c1ccd2c6a36c227e7d8501ee5ea41f05d0c1a90eb15b
            • Instruction Fuzzy Hash: 8C11B2B2150219BEEF118FA4CC86EE77FADEF09798F014111FA18A2050CB769C61DBA4
            APIs
              • Part of subcall function 009DD7A3: _free.LIBCMT ref: 009DD7CC
            • _free.LIBCMT ref: 009DD82D
              • Part of subcall function 009D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009DD7D1,00000000,00000000,00000000,00000000,?,009DD7F8,00000000,00000007,00000000,?,009DDBF5,00000000), ref: 009D29DE
              • Part of subcall function 009D29C8: GetLastError.KERNEL32(00000000,?,009DD7D1,00000000,00000000,00000000,00000000,?,009DD7F8,00000000,00000007,00000000,?,009DDBF5,00000000,00000000), ref: 009D29F0
            • _free.LIBCMT ref: 009DD838
            • _free.LIBCMT ref: 009DD843
            • _free.LIBCMT ref: 009DD897
            • _free.LIBCMT ref: 009DD8A2
            • _free.LIBCMT ref: 009DD8AD
            • _free.LIBCMT ref: 009DD8B8
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
            • Instruction ID: 5cd90b801f3497e71f8588e03df04e79a25cc8f57ab9715de7d39b59ba3cf581
            • Opcode Fuzzy Hash: 2933ec371357d85e0939af21d8d0365b0e51011a77ef7c4dc3c45f1a05a36567
            • Instruction Fuzzy Hash: 0E1151B15C2B04AAE521BFB0CC47FCB7BDC6F90700F408826B29DB6292DA65B5055650
            APIs
            • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00A0DA74
            • LoadStringW.USER32(00000000), ref: 00A0DA7B
            • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00A0DA91
            • LoadStringW.USER32(00000000), ref: 00A0DA98
            • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00A0DADC
            Strings
            • %s (%d) : ==> %s: %s %s, xrefs: 00A0DAB9
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: HandleLoadModuleString$Message
            • String ID: %s (%d) : ==> %s: %s %s
            • API String ID: 4072794657-3128320259
            • Opcode ID: 028ac7f3235e13422ad8005d92bd46da7a68958d35e243c819efbca7c1021060
            • Instruction ID: 0091e666dbf850dfda22409f8c4b2214c301dfd11194fb77b4cb17946022a2f7
            • Opcode Fuzzy Hash: 028ac7f3235e13422ad8005d92bd46da7a68958d35e243c819efbca7c1021060
            • Instruction Fuzzy Hash: F80162F35002087FE710DBE09D89EE7726CE708311F400595B706F2082EA749E854F74
            APIs
            • InterlockedExchange.KERNEL32(00F7E400,00F7E400), ref: 00A1097B
            • EnterCriticalSection.KERNEL32(00F7E3E0,00000000), ref: 00A1098D
            • TerminateThread.KERNEL32(00000000,000001F6), ref: 00A1099B
            • WaitForSingleObject.KERNEL32(00000000,000003E8), ref: 00A109A9
            • CloseHandle.KERNEL32(00000000), ref: 00A109B8
            • InterlockedExchange.KERNEL32(00F7E400,000001F6), ref: 00A109C8
            • LeaveCriticalSection.KERNEL32(00F7E3E0), ref: 00A109CF
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
            • String ID:
            • API String ID: 3495660284-0
            • Opcode ID: f20ae8fc21e9f73c60c673fdeab8d3f080ee9a0c6a15e8232060466ecfb5ec99
            • Instruction ID: a876e938b287de502ddaa7d13f35e39ea88e0d50e04f5eef2f8f67d842c3c0cd
            • Opcode Fuzzy Hash: f20ae8fc21e9f73c60c673fdeab8d3f080ee9a0c6a15e8232060466ecfb5ec99
            • Instruction Fuzzy Hash: EEF03131442512BBD741AFD4EE8CBD6BB35FF05712F401015F201608A1C7B494B6CF90
            APIs
            • GetClientRect.USER32(?,?), ref: 009A5D30
            • GetWindowRect.USER32(?,?), ref: 009A5D71
            • ScreenToClient.USER32(?,?), ref: 009A5D99
            • GetClientRect.USER32(?,?), ref: 009A5ED7
            • GetWindowRect.USER32(?,?), ref: 009A5EF8
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Rect$Client$Window$Screen
            • String ID:
            • API String ID: 1296646539-0
            • Opcode ID: d7068681ec39f0d39093712e02c6ad5f9352ac7e8444343b0beec742d225d0a9
            • Instruction ID: 35a7e6411bcf0bc40a9395623689df7084dcd81b6ee764bdd97132fabfa4f580
            • Opcode Fuzzy Hash: d7068681ec39f0d39093712e02c6ad5f9352ac7e8444343b0beec742d225d0a9
            • Instruction Fuzzy Hash: 90B19D34A0078AEBDB10CFA9C4407EEB7F5FF58310F14881AE8A9D7250D734AA51DB90
            APIs
            • __allrem.LIBCMT ref: 009D00BA
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009D00D6
            • __allrem.LIBCMT ref: 009D00ED
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009D010B
            • __allrem.LIBCMT ref: 009D0122
            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 009D0140
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
            • String ID:
            • API String ID: 1992179935-0
            • Opcode ID: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
            • Instruction ID: 6e449b314ae05e6937b7d4d798190c3b2830b226db762e66fcd799562b1fcf37
            • Opcode Fuzzy Hash: c0aa086816e9a6b10c8594d9af3fc1b6618250ddc70608c46d0048b3e4fbc764
            • Instruction Fuzzy Hash: 3F81E272A40706ABE720AB69CC51B6AB3A9EFC1364F24853FF551D7781E770DA008B91
            APIs
              • Part of subcall function 00A23149: select.WSOCK32(00000000,?,00000000,00000000,?,?,?,00000000,?,?,?,00A2101C,00000000,?,?,00000000), ref: 00A23195
            • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00A21DC0
            • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00A21DE1
            • WSAGetLastError.WSOCK32 ref: 00A21DF2
            • inet_ntoa.WSOCK32(?), ref: 00A21E8C
            • htons.WSOCK32(?,?,?,?,?), ref: 00A21EDB
            • _strlen.LIBCMT ref: 00A21F35
              • Part of subcall function 00A039E8: _strlen.LIBCMT ref: 00A039F2
              • Part of subcall function 009A6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000002,?,?,?,?,009BCF58,?,?,?), ref: 009A6DBA
              • Part of subcall function 009A6D9E: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,?,?,?,009BCF58,?,?,?), ref: 009A6DED
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ByteCharMultiWide_strlen$ErrorLasthtonsinet_ntoaselect
            • String ID:
            • API String ID: 1923757996-0
            • Opcode ID: 291a343a32671c9e5e8789058e74bf5b580fde4653f782778cda7d977b84da06
            • Instruction ID: 520f3a77b805abc51cdcef880a875312230c0dd46010cb5d18004cc7d2353f85
            • Opcode Fuzzy Hash: 291a343a32671c9e5e8789058e74bf5b580fde4653f782778cda7d977b84da06
            • Instruction Fuzzy Hash: BFA1ED31604310AFC324DF28D895F2A7BA5AFD5318F54896CF4665B2E2DB31EE42CB91
            APIs
            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,009C82D9,009C82D9,?,?,?,009D644F,00000001,00000001,8BE85006), ref: 009D6258
            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,009D644F,00000001,00000001,8BE85006,?,?,?), ref: 009D62DE
            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 009D63D8
            • __freea.LIBCMT ref: 009D63E5
              • Part of subcall function 009D3820: RtlAllocateHeap.NTDLL(00000000,?,00A71444,?,009BFDF5,?,?,009AA976,00000010,00A71440,009A13FC,?,009A13C6,?,009A1129), ref: 009D3852
            • __freea.LIBCMT ref: 009D63EE
            • __freea.LIBCMT ref: 009D6413
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ByteCharMultiWide__freea$AllocateHeap
            • String ID:
            • API String ID: 1414292761-0
            • Opcode ID: 15ea37208c42928e620603d81634b11ecb884d7565d30a018b204a67f9686413
            • Instruction ID: 26dd41b28d96eb2ada58c92bfd57fd80d66902774b103555a472f9ec461cc7c3
            • Opcode Fuzzy Hash: 15ea37208c42928e620603d81634b11ecb884d7565d30a018b204a67f9686413
            • Instruction Fuzzy Hash: 0751E172A40216ABDB258FA4CC81FBFB7A9EB84750F15C72AFD05D6241DB34DC40D660
            APIs
              • Part of subcall function 009A9CB3: _wcslen.LIBCMT ref: 009A9CBD
              • Part of subcall function 00A2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A2B6AE,?,?), ref: 00A2C9B5
              • Part of subcall function 00A2C998: _wcslen.LIBCMT ref: 00A2C9F1
              • Part of subcall function 00A2C998: _wcslen.LIBCMT ref: 00A2CA68
              • Part of subcall function 00A2C998: _wcslen.LIBCMT ref: 00A2CA9E
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A2BCCA
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A2BD25
            • RegCloseKey.ADVAPI32(00000000), ref: 00A2BD6A
            • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00A2BD99
            • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00A2BDF3
            • RegCloseKey.ADVAPI32(?), ref: 00A2BDFF
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
            • String ID:
            • API String ID: 1120388591-0
            • Opcode ID: bc2930e57be9058f010b6769aac1d3d719a56c0d3e188c870cf2b35fac086faa
            • Instruction ID: 098b099d0e20c6997c7b82cbd982239900db5f44a3bd5c2742a1ef3ccab8e017
            • Opcode Fuzzy Hash: bc2930e57be9058f010b6769aac1d3d719a56c0d3e188c870cf2b35fac086faa
            • Instruction Fuzzy Hash: E881AE30218241EFC714DF28D891E6ABBE5FF85318F14896CF4594B2A2DB31ED45CBA2
            APIs
            • VariantInit.OLEAUT32(00000035), ref: 009FF7B9
            • SysAllocString.OLEAUT32(00000001), ref: 009FF860
            • VariantCopy.OLEAUT32(009FFA64,00000000), ref: 009FF889
            • VariantClear.OLEAUT32(009FFA64), ref: 009FF8AD
            • VariantCopy.OLEAUT32(009FFA64,00000000), ref: 009FF8B1
            • VariantClear.OLEAUT32(?), ref: 009FF8BB
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Variant$ClearCopy$AllocInitString
            • String ID:
            • API String ID: 3859894641-0
            • Opcode ID: 8d35731d7ad8b5d064877826db119e9ae8cf2f9bb987116ffe6e330cfe9dd42b
            • Instruction ID: b13cb309d463835c6020c61b0fb144a42664f2e9219a8b696e5cd963000b4041
            • Opcode Fuzzy Hash: 8d35731d7ad8b5d064877826db119e9ae8cf2f9bb987116ffe6e330cfe9dd42b
            • Instruction Fuzzy Hash: 2F51EC35500318BACF14AF65D8B5739B3A8EF85720F249467FA06DF292DBB48C80D796
            APIs
              • Part of subcall function 009A7620: _wcslen.LIBCMT ref: 009A7625
              • Part of subcall function 009A6B57: _wcslen.LIBCMT ref: 009A6B6A
            • GetOpenFileNameW.COMDLG32(00000058), ref: 00A194E5
            • _wcslen.LIBCMT ref: 00A19506
            • _wcslen.LIBCMT ref: 00A1952D
            • GetSaveFileNameW.COMDLG32(00000058), ref: 00A19585
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: _wcslen$FileName$OpenSave
            • String ID: X
            • API String ID: 83654149-3081909835
            • Opcode ID: 845ace2902d8483ff61f90a0d6752cf1fda259d552834f0f300f60b7e9d9c878
            • Instruction ID: dac96522961097546b714197db3410f3dec61909d5a7d4b7d36fbe0128694ba3
            • Opcode Fuzzy Hash: 845ace2902d8483ff61f90a0d6752cf1fda259d552834f0f300f60b7e9d9c878
            • Instruction Fuzzy Hash: 73E18E31A083109FD724DF24C891BAAB7E5BFC5314F04896DF8999B2A2DB31DD45CB92
            APIs
              • Part of subcall function 009B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009B9BB2
            • BeginPaint.USER32(?,?,?), ref: 009B9241
            • GetWindowRect.USER32(?,?), ref: 009B92A5
            • ScreenToClient.USER32(?,?), ref: 009B92C2
            • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 009B92D3
            • EndPaint.USER32(?,?,?,?,?), ref: 009B9321
            • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 009F71EA
              • Part of subcall function 009B9339: BeginPath.GDI32(00000000), ref: 009B9357
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
            • String ID:
            • API String ID: 3050599898-0
            • Opcode ID: 336638d275780c1e8edff17b0df2d31863558d254c299fcc3c04898f12f277d8
            • Instruction ID: c5490f4d58a8b4982857200cbd2971007a27b60dddfb781a6c87e36890abc5c0
            • Opcode Fuzzy Hash: 336638d275780c1e8edff17b0df2d31863558d254c299fcc3c04898f12f277d8
            • Instruction Fuzzy Hash: 5141AF31108204AFD711DFA8CC85FBA7BE8EB45730F144629FA64972A1C7319846DB61
            APIs
            • InterlockedExchange.KERNEL32(?,000001F5), ref: 00A1080C
            • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00A10847
            • EnterCriticalSection.KERNEL32(?), ref: 00A10863
            • LeaveCriticalSection.KERNEL32(?), ref: 00A108DC
            • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00A108F3
            • InterlockedExchange.KERNEL32(?,000001F6), ref: 00A10921
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
            • String ID:
            • API String ID: 3368777196-0
            • Opcode ID: cedac6ddc64483770dab254ac813125198947217b8865ae86e19e2e3137b6f75
            • Instruction ID: 97b75eb65a937778d3ee029daa0046397e7f0aa04c48c8d4aca04e22364d902a
            • Opcode Fuzzy Hash: cedac6ddc64483770dab254ac813125198947217b8865ae86e19e2e3137b6f75
            • Instruction Fuzzy Hash: 7E416971900205EBDF14EFA4DC85AAA77B9FF44710F1440A9ED04AA297DB70DEA1DBA0
            APIs
            • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,009FF3AB,00000000,?,?,00000000,?,009F682C,00000004,00000000,00000000), ref: 00A3824C
            • EnableWindow.USER32(00000000,00000000), ref: 00A38272
            • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00A382D1
            • ShowWindow.USER32(00000000,00000004), ref: 00A382E5
            • EnableWindow.USER32(00000000,00000001), ref: 00A3830B
            • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00A3832F
            Similarity
            • API ID: Window$Show$Enable$MessageSend
            • String ID:
            • API String ID: 642888154-0
            APIs
            • IsWindowVisible.USER32(?), ref: 00A04C95
            • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00A04CB2
            • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00A04CEA
            • _wcslen.LIBCMT ref: 00A04D08
            • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00A04D10
            • _wcsstr.LIBVCRUNTIME ref: 00A04D1A
            Similarity
            • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
            • String ID:
            • API String ID: 72514467-0
            APIs
              • Part of subcall function 009A3AA2: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,009A3A97,?,?,009A2E7F,?,?,?,00000000), ref: 009A3AC2
            • _wcslen.LIBCMT ref: 00A1587B
            • CoInitialize.OLE32(00000000), ref: 00A15995
            • CoCreateInstance.OLE32(00A3FCF8,00000000,00000001,00A3FB68,?), ref: 00A159AE
            • CoUninitialize.OLE32 ref: 00A159CC
            Strings
            Similarity
            • API ID: CreateFullInitializeInstanceNamePathUninitialize_wcslen
            • String ID: .lnk
            • API String ID: 3172280962-24824748
            APIs
              • Part of subcall function 00A00FB4: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A00FCA
              • Part of subcall function 00A00FB4: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A00FD6
              • Part of subcall function 00A00FB4: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A00FE5
              • Part of subcall function 00A00FB4: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A00FEC
              • Part of subcall function 00A00FB4: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A01002
            • GetLengthSid.ADVAPI32(?,00000000,00A01335), ref: 00A017AE
            • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00A017BA
            • HeapAlloc.KERNEL32(00000000), ref: 00A017C1
            • CopySid.ADVAPI32(00000000,00000000,?), ref: 00A017DA
            • GetProcessHeap.KERNEL32(00000000,00000000,00A01335), ref: 00A017EE
            • HeapFree.KERNEL32(00000000), ref: 00A017F5
            Similarity
            • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
            • String ID:
            • API String ID: 3008561057-0
            APIs
            • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00A014FF
            • OpenProcessToken.ADVAPI32(00000000), ref: 00A01506
            • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00A01515
            • CloseHandle.KERNEL32(00000004), ref: 00A01520
            • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00A0154F
            • DestroyEnvironmentBlock.USERENV(00000000), ref: 00A01563
            Similarity
            • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
            • String ID:
            • API String ID: 1413079979-0
            APIs
            • GetLastError.KERNEL32(?,?,009C3379,009C2FE5), ref: 009C3390
            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 009C339E
            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 009C33B7
            • SetLastError.KERNEL32(00000000,?,009C3379,009C2FE5), ref: 009C3409
            Similarity
            • API ID: ErrorLastValue___vcrt_
            • String ID:
            • API String ID: 3852720340-0
            APIs
            • GetLastError.KERNEL32(?,?,009D5686,009E3CD6,?,00000000,?,009D5B6A,?,?,?,?,?,009CE6D1,?,00A68A48), ref: 009D2D78
            • _free.LIBCMT ref: 009D2DAB
            • _free.LIBCMT ref: 009D2DD3
            • SetLastError.KERNEL32(00000000,?,?,?,?,009CE6D1,?,00A68A48,00000010,009A4F4A,?,?,00000000,009E3CD6), ref: 009D2DE0
            • SetLastError.KERNEL32(00000000,?,?,?,?,009CE6D1,?,00A68A48,00000010,009A4F4A,?,?,00000000,009E3CD6), ref: 009D2DEC
            • _abort.LIBCMT ref: 009D2DF2
            Similarity
            • API ID: ErrorLast$_free$_abort
            • String ID:
            • API String ID: 3160817290-0
            APIs
              • Part of subcall function 009B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009B9693
              • Part of subcall function 009B9639: SelectObject.GDI32(?,00000000), ref: 009B96A2
              • Part of subcall function 009B9639: BeginPath.GDI32(?), ref: 009B96B9
              • Part of subcall function 009B9639: SelectObject.GDI32(?,00000000), ref: 009B96E2
            • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00A38A4E
            • LineTo.GDI32(?,00000003,00000000), ref: 00A38A62
            • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00A38A70
            • LineTo.GDI32(?,00000000,00000003), ref: 00A38A80
            • EndPath.GDI32(?), ref: 00A38A90
            • StrokePath.GDI32(?), ref: 00A38AA0
            Similarity
            • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
            • String ID:
            • API String ID: 43455801-0
            APIs
            • GetDC.USER32(00000000), ref: 00A05218
            • GetDeviceCaps.GDI32(00000000,00000058), ref: 00A05229
            • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00A05230
            • ReleaseDC.USER32(00000000,00000000), ref: 00A05238
            • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00A0524F
            • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00A05261
            Similarity
            • API ID: CapsDevice$Release
            • String ID:
            • API String ID: 1035833867-0
            APIs
            • MapVirtualKeyW.USER32(0000005B,00000000), ref: 009A1BF4
            • MapVirtualKeyW.USER32(00000010,00000000), ref: 009A1BFC
            • MapVirtualKeyW.USER32(000000A0,00000000), ref: 009A1C07
            • MapVirtualKeyW.USER32(000000A1,00000000), ref: 009A1C12
            • MapVirtualKeyW.USER32(00000011,00000000), ref: 009A1C1A
            • MapVirtualKeyW.USER32(00000012,00000000), ref: 009A1C22
            Similarity
            • API ID: Virtual
            • String ID:
            • API String ID: 4278518827-0
            APIs
            • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00A0EB30
            • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00A0EB46
            • GetWindowThreadProcessId.USER32(?,?), ref: 00A0EB55
            • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A0EB64
            • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A0EB6E
            • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00A0EB75
            Similarity
            • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
            • String ID:
            • API String ID: 839392675-0
            APIs
            • GetClientRect.USER32(?), ref: 009F7452
            • SendMessageW.USER32(?,00001328,00000000,?), ref: 009F7469
            • GetWindowDC.USER32(?), ref: 009F7475
            • GetPixel.GDI32(00000000,?,?), ref: 009F7484
            • ReleaseDC.USER32(?,00000000), ref: 009F7496
            • GetSysColor.USER32(00000005), ref: 009F74B0
            Similarity
            • API ID: ClientColorMessagePixelRectReleaseSendWindow
            • String ID:
            • API String ID: 272304278-0
            APIs
            • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00A0187F
            • UnloadUserProfile.USERENV(?,?), ref: 00A0188B
            • CloseHandle.KERNEL32(?), ref: 00A01894
            • CloseHandle.KERNEL32(?), ref: 00A0189C
            • GetProcessHeap.KERNEL32(00000000,?), ref: 00A018A5
            • HeapFree.KERNEL32(00000000), ref: 00A018AC
            Similarity
            • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
            • String ID:
            • API String ID: 146765662-0
            APIs
              • Part of subcall function 009A7620: _wcslen.LIBCMT ref: 009A7625
            • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A0C6EE
            • _wcslen.LIBCMT ref: 00A0C735
            • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00A0C79C
            • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00A0C7CA
            Strings
            Similarity
            • API ID: ItemMenu$Info_wcslen$Default
            • String ID: 0
            • API String ID: 1227352736-4108050209
            APIs
            • ShellExecuteExW.SHELL32(0000003C), ref: 00A2AEA3
              • Part of subcall function 009A7620: _wcslen.LIBCMT ref: 009A7625
            • GetProcessId.KERNEL32(00000000), ref: 00A2AF38
            • CloseHandle.KERNEL32(00000000), ref: 00A2AF67
            Strings
            Similarity
            • API ID: CloseExecuteHandleProcessShell_wcslen
            • String ID: <$@
            • API String ID: 146682121-1426351568
            APIs
            • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00A07206
            • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00A0723C
            • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00A0724D
            • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00A072CF
            Strings
            Similarity
            • API ID: ErrorMode$AddressCreateInstanceProc
            • String ID: DllGetClassObject
            • API String ID: 753597075-1075368562
            APIs
            • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00A33E35
            • IsMenu.USER32(?), ref: 00A33E4A
            • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00A33E92
            • DrawMenuBar.USER32 ref: 00A33EA5
            Strings
            Similarity
            • API ID: Menu$Item$DrawInfoInsert
            • String ID: 0
            • API String ID: 3076010158-4108050209
            • Opcode ID: 4d22e3479acb8f6ff89175aa8f4c5f0231c364efa9e7186377c8c272c8908ef5
            • Instruction ID: cd0e5de97af1e89d61fa01dfda6fb3ab18a34dd9b4bf41b0391a792e6da05d17
            • Opcode Fuzzy Hash: 4d22e3479acb8f6ff89175aa8f4c5f0231c364efa9e7186377c8c272c8908ef5
            • Instruction Fuzzy Hash: 2E414676A05209AFDF10DFA4D884AAABBF9FF49360F148129F905A7250D730AE45CF60
            APIs
              • Part of subcall function 009A9CB3: _wcslen.LIBCMT ref: 009A9CBD
              • Part of subcall function 00A03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A03CCA
            • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A01E66
            • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00A01E79
            • SendMessageW.USER32(?,00000189,?,00000000), ref: 00A01EA9
              • Part of subcall function 009A6B57: _wcslen.LIBCMT ref: 009A6B6A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: MessageSend$_wcslen$ClassName
            • String ID: ComboBox$ListBox
            • API String ID: 2081771294-1403004172
            • Opcode ID: 56ad951700879fce8b3902cbffcb2eb836dc8f99fc5b99a7d890f7813b38cd66
            • Instruction ID: 61ce97899afb657eeea2bb22c5b1cf12aba84e79992ed89ef33da30c716834de
            • Opcode Fuzzy Hash: 56ad951700879fce8b3902cbffcb2eb836dc8f99fc5b99a7d890f7813b38cd66
            • Instruction Fuzzy Hash: DB213B71A00108BFDB149BB4ED46DFFB7B9EF86360F144519F825A71E1DB38490A8760
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: _wcslen
            • String ID: HKEY_LOCAL_MACHINE$HKLM
            • API String ID: 176396367-4004644295
            • Opcode ID: 69306560dcd0c870ab15f9ab7087c20f00d8f1ac46254cbb71e180129e0603d7
            • Instruction ID: 5a3cf55d51e5475ed1040c27d5f5558536ba98705cc6bd5d02afb84cb7f63507
            • Opcode Fuzzy Hash: 69306560dcd0c870ab15f9ab7087c20f00d8f1ac46254cbb71e180129e0603d7
            • Instruction Fuzzy Hash: 3431F873A001794BCB20DF6CE9516BE33A39BA17E4B154039E845AB345F671CE40D3E0
            APIs
            • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00A32F8D
            • LoadLibraryW.KERNEL32(?), ref: 00A32F94
            • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00A32FA9
            • DestroyWindow.USER32(?), ref: 00A32FB1
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: MessageSend$DestroyLibraryLoadWindow
            • String ID: SysAnimate32
            • API String ID: 3529120543-1011021900
            • Opcode ID: 72a723697e11ac8a00211411e6dff55c4982059f53cf1617bace0f03283122c1
            • Instruction ID: b922fe7022db5f7aa252de46f12d6fc4c019aeae8771347ece4b2e0775a29241
            • Opcode Fuzzy Hash: 72a723697e11ac8a00211411e6dff55c4982059f53cf1617bace0f03283122c1
            • Instruction Fuzzy Hash: 1B219D72204205ABEB208FA4DC81FBB77BDEF99364F104618FA50E6190D771DCA19760
            APIs
            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,009C4D1E,009D28E9,?,009C4CBE,009D28E9,00A688B8,0000000C,009C4E15,009D28E9,00000002), ref: 009C4D8D
            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009C4DA0
            • FreeLibrary.KERNEL32(00000000,?,?,?,009C4D1E,009D28E9,?,009C4CBE,009D28E9,00A688B8,0000000C,009C4E15,009D28E9,00000002,00000000), ref: 009C4DC3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: AddressFreeHandleLibraryModuleProc
            • String ID: CorExitProcess$mscoree.dll
            • API String ID: 4061214504-1276376045
            • Opcode ID: e5ba3f91e875f228b990a72ea54d30fa2e9f86aeb6b9944aa1cce419bb27ec13
            • Instruction ID: 302c3adbdc7fc4d74cd69d685441e61dc9a4a283518c08588de146bce28eda0f
            • Opcode Fuzzy Hash: e5ba3f91e875f228b990a72ea54d30fa2e9f86aeb6b9944aa1cce419bb27ec13
            • Instruction Fuzzy Hash: 63F06235A40208BBDB119FD0DC49FADBFB9EF44761F0001A8F906B62A0CB746E41DB92
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,009A4EDD,?,00A71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009A4E9C
            • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 009A4EAE
            • FreeLibrary.KERNEL32(00000000,?,?,009A4EDD,?,00A71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009A4EC0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Library$AddressFreeLoadProc
            • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
            • API String ID: 145871493-3689287502
            • Opcode ID: 48e9fea7b742ae312d574a51bfd40597f8a913238f0e2b5f13b0665768684db2
            • Instruction ID: e5e82de35d6696d418198740f2450adbb212334b08939da0d6fdbe7b54d4b056
            • Opcode Fuzzy Hash: 48e9fea7b742ae312d574a51bfd40597f8a913238f0e2b5f13b0665768684db2
            • Instruction Fuzzy Hash: 4CE08C36A026226BD2225B65AC18A6BA668AFC2F72B150215FC01F2200DBA4CD0392E0
            APIs
            • LoadLibraryA.KERNEL32(kernel32.dll,?,?,009E3CDE,?,00A71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009A4E62
            • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 009A4E74
            • FreeLibrary.KERNEL32(00000000,?,?,009E3CDE,?,00A71418,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?,?,?,00000000), ref: 009A4E87
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Library$AddressFreeLoadProc
            • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
            • API String ID: 145871493-1355242751
            • Opcode ID: 1c50385186adc417c2bc6f2d12c1544f94e88f34ef5d2ee41bdb92dc56ca5a01
            • Instruction ID: 1963d28ca273e932ac31dd3a03d448bb38a3fcd2e9ce928437f1aa0bc6c8412c
            • Opcode Fuzzy Hash: 1c50385186adc417c2bc6f2d12c1544f94e88f34ef5d2ee41bdb92dc56ca5a01
            • Instruction Fuzzy Hash: E1D0123650262167DA225B657C18D8B6A5CBFC6F713150615B905F2154CFA4CD0296D1
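The three LoadLibrary/GetModuleHandleEx + GetProcAddress + FreeLibrary records above (mscoree.dll!CorExitProcess, which is the MSVC CRT's normal exit path when the .NET runtime is loaded, and kernel32.dll!Wow64DisableWow64FsRedirection / Wow64RevertWow64FsRedirection, reached from the AutoIt runtime as the ">>>AUTOIT NO CMDEXECUTE<<<" marker on the call stack shows) resolve their targets at run time, so none of these symbols appear in the PE import table. The Python below is an added example for this page, not Joe Sandbox code: it parses the per-function records in the layout printed here (a bare "APIs" line starts a record, bullet lines carry either an API call with its recovered arguments or a "Key: value" field) and recovers the (module, symbol) pairs a function resolves dynamically from the argument lists. The bullet layout and field names are assumed to match this text export; the sample input is a constructed, abridged copy of three records shown on this page.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# "• Name.MODULE(arg,arg), ref: ADDR" or "• Name.MODULE ref: ADDR", optionally
# prefixed "Part of subcall function ADDR: " for calls made by a callee.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$"
)
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")  # "• API ID: ..."
LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW",
           "GetModuleHandleA", "GetModuleHandleW", "GetModuleHandleExA", "GetModuleHandleExW"}

@dataclass
class ApiCall:
    name: str
    module: str
    args: list[str]
    ref: str
    subcall_of: Optional[str] = None  # callee address for "Part of subcall" lines

@dataclass
class FunctionRecord:
    apis: list[ApiCall] = field(default_factory=list)
    fields: dict[str, str] = field(default_factory=dict)

    def strings(self) -> list[str]:
        # The report joins a function's referenced strings with '$'.
        return [s for s in self.fields.get("String ID", "").split("$") if s]

def parse_records(text: str) -> list[FunctionRecord]:
    """Split the text export into records; each record starts at a bare 'APIs' line."""
    records: list[FunctionRecord] = []
    cur: Optional[FunctionRecord] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionRecord()
            records.append(cur)
            continue
        if cur is None or not line.startswith("•"):
            continue
        m = API_RE.match(line)
        if m:
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.apis.append(ApiCall(m.group("name"), m.group("module"), args,
                                    m.group("ref"), m.group("sub")))
            continue
        m = FIELD_RE.match(line)
        if m:
            cur.fields[m.group("key").strip()] = m.group("val").strip()
    return records

def resolved_imports(rec: FunctionRecord) -> list[tuple[Optional[str], str]]:
    """(module, symbol) pairs resolved via GetProcAddress in this function's own code;
    a '?' or NULL symbol argument (pointer not recovered by the sandbox) is skipped."""
    loaded: Optional[str] = None
    out: list[tuple[Optional[str], str]] = []
    for c in rec.apis:
        if c.subcall_of:          # callee summaries are not this function's calls
            continue
        if c.name in LOADERS:
            # LoadLibrary*(name, ...) vs GetModuleHandleEx*(flags, name, ...)
            i = 1 if c.name.startswith("GetModuleHandleEx") else 0
            loaded = c.args[i] if i < len(c.args) and c.args[i] != "?" else None
        elif c.name == "GetProcAddress" and len(c.args) > 1 and c.args[1] not in ("?", "00000000"):
            out.append((loaded, c.args[1]))
        elif c.name == "FreeLibrary":
            loaded = None
    return out

def summarize(text: str) -> list[tuple[str, str, str]]:
    """(opcode-id prefix, module, symbol) for every run-time-resolved import in the listing."""
    return [(rec.fields.get("Opcode ID", "")[:8], mod or "?", sym)
            for rec in parse_records(text) for mod, sym in resolved_imports(rec)]

# Constructed input: three records abridged from this report's function listing.
SAMPLE = """\
APIs
• GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?), ref: 009C4D8D
• GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 009C4DA0
• FreeLibrary.KERNEL32(00000000,?), ref: 009C4DC3
• String ID: CorExitProcess$mscoree.dll
• Opcode ID: e5ba3f91e875f228b990a72ea54d30fa2e9f86aeb6b9944aa1cce419bb27ec13
APIs
• LoadLibraryA.KERNEL32(kernel32.dll,?,?,009A4EDD), ref: 009A4E9C
• GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 009A4EAE
• FreeLibrary.KERNEL32(00000000,?), ref: 009A4EC0
• String ID: Wow64DisableWow64FsRedirection$kernel32.dll
• Opcode ID: 48e9fea7b742ae312d574a51bfd40597f8a913238f0e2b5f13b0665768684db2
APIs
  • Part of subcall function 009A9CB3: _wcslen.LIBCMT ref: 009A9CBD
• SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00A01E66
• DrawMenuBar.USER32 ref: 00A33EA5
• String ID: ComboBox$ListBox
• Opcode ID: 56ad951700879fce8b3902cbffcb2eb836dc8f99fc5b99a7d890f7813b38cd66
"""

if __name__ == "__main__":
    for opcode, module, symbol in summarize(SAMPLE):
        print(f"{opcode}  {module}!{symbol}")
```

Run over the whole text export of a report, summarize() gives the list of dynamically resolved imports a static import-table dump misses; the LoadLibraryW/GetProcAddress record further down with only "?" arguments (AutoIt's generic DllCall path) is correctly reported as nothing, because the symbol name was not recovered by the sandbox.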
            APIs
            • GetCurrentProcessId.KERNEL32 ref: 00A2A427
            • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00A2A435
            • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00A2A468
            • CloseHandle.KERNEL32(?), ref: 00A2A63D
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Process$CloseCountersCurrentHandleOpen
            • String ID:
            • API String ID: 3488606520-0
            • Opcode ID: bedb2f30341c9aac9fdefc639a5a3c5937c47d01abe931a9f59f5512cf11cda7
            • Instruction ID: 3227827e869522a33671c0a819c478d4bae2e289a8fe3be9727b78a33e9c2c31
            • Opcode Fuzzy Hash: bedb2f30341c9aac9fdefc639a5a3c5937c47d01abe931a9f59f5512cf11cda7
            • Instruction Fuzzy Hash: 25A181716043019FD720DF28D886F2AB7E5AF94714F14886DF99A9B2D2D770EC41CB92
            APIs
              • Part of subcall function 00A0DDE0: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00A0CF22,?), ref: 00A0DDFD
              • Part of subcall function 00A0DDE0: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00A0CF22,?), ref: 00A0DE16
              • Part of subcall function 00A0E199: GetFileAttributesW.KERNEL32(?,00A0CF95), ref: 00A0E19A
            • lstrcmpiW.KERNEL32(?,?), ref: 00A0E473
            • MoveFileW.KERNEL32(?,?), ref: 00A0E4AC
            • _wcslen.LIBCMT ref: 00A0E5EB
            • _wcslen.LIBCMT ref: 00A0E603
            • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00A0E650
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
            • String ID:
            • API String ID: 3183298772-0
            • Opcode ID: f8d0526feed39d207a847192d879ed824a01bc105bf273bea1685c5975f3e05f
            • Instruction ID: c1f37bff9647a7e34c22825b0301e260a6c61130a522f3129ebe2238d3832cbd
            • Opcode Fuzzy Hash: f8d0526feed39d207a847192d879ed824a01bc105bf273bea1685c5975f3e05f
            • Instruction Fuzzy Hash: BF5150B24083495BC724EB94EC91ADBB3ECAF85350F004D1EF589D3191EF75A6888766
            APIs
              • Part of subcall function 009A9CB3: _wcslen.LIBCMT ref: 009A9CBD
              • Part of subcall function 00A2C998: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00A2B6AE,?,?), ref: 00A2C9B5
              • Part of subcall function 00A2C998: _wcslen.LIBCMT ref: 00A2C9F1
              • Part of subcall function 00A2C998: _wcslen.LIBCMT ref: 00A2CA68
              • Part of subcall function 00A2C998: _wcslen.LIBCMT ref: 00A2CA9E
            • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00A2BAA5
            • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00A2BB00
            • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00A2BB63
            • RegCloseKey.ADVAPI32(?,?), ref: 00A2BBA6
            • RegCloseKey.ADVAPI32(00000000), ref: 00A2BBB3
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
            • String ID:
            • API String ID: 826366716-0
            • Opcode ID: 39540e422d6801c4d699fb7015c3d107f66cb775412ab774b6f45fba646d4a4d
            • Instruction ID: 02468d23e0631e4ad80399b62ea10993c6ef03e167bae3f5d4fb519867d20b2d
            • Opcode Fuzzy Hash: 39540e422d6801c4d699fb7015c3d107f66cb775412ab774b6f45fba646d4a4d
            • Instruction Fuzzy Hash: C661B031218241AFC314DF18D890F2ABBE5FF85358F14856CF4998B2A2DB31ED45CBA2
            APIs
            • VariantInit.OLEAUT32(?), ref: 00A08BCD
            • VariantClear.OLEAUT32 ref: 00A08C3E
            • VariantClear.OLEAUT32 ref: 00A08C9D
            • VariantClear.OLEAUT32(?), ref: 00A08D10
            • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00A08D3B
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Variant$Clear$ChangeInitType
            • String ID:
            • API String ID: 4136290138-0
            • Opcode ID: 3d99dca6cb536c1d2559a1f7318ccb2e6cbf16a488f8d29105093d6de69d25c9
            • Instruction ID: bc8b8b1ee6dc0a81d935bb5af1dea377d8cbc8c2825695122068d89d4cc89a5e
            • Opcode Fuzzy Hash: 3d99dca6cb536c1d2559a1f7318ccb2e6cbf16a488f8d29105093d6de69d25c9
            • Instruction Fuzzy Hash: B9517AB5A00219EFCB10CF68D884AAAB7F8FF89310B158559F949EB350E734E911CF94
            APIs
            • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00A18BAE
            • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00A18BDA
            • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00A18C32
            • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00A18C57
            • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00A18C5F
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: PrivateProfile$SectionWrite$String
            • String ID:
            • API String ID: 2832842796-0
            • Opcode ID: 6b447dd51ff04f00d794bc22f0657c4cdfaf804e1e9e3938d4fbbb834a4e7f61
            • Instruction ID: 3716bd07ce94a92caf4c1e900b82ab7205d093eaf838dc2ec0c1ff74e3a6b746
            • Opcode Fuzzy Hash: 6b447dd51ff04f00d794bc22f0657c4cdfaf804e1e9e3938d4fbbb834a4e7f61
            • Instruction Fuzzy Hash: BE511C35A002159FCB15DFA4C881AAEBBF5FF89314F088458F849AB362DB35ED51CB90
            APIs
            • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00A28F40
            • GetProcAddress.KERNEL32(00000000,?), ref: 00A28FD0
            • GetProcAddress.KERNEL32(00000000,00000000), ref: 00A28FEC
            • GetProcAddress.KERNEL32(00000000,?), ref: 00A29032
            • FreeLibrary.KERNEL32(00000000), ref: 00A29052
              • Part of subcall function 009BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00A11043,?,753CE610), ref: 009BF6E6
              • Part of subcall function 009BF6C9: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,009FFA64,00000000,00000000,?,?,00A11043,?,753CE610,?,009FFA64), ref: 009BF70D
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
            • String ID:
            • API String ID: 666041331-0
            • Opcode ID: f9d2d25ac51191fa5ca8e617cb6cfb031f4e72d99ada6b54d643fef9837802ae
            • Instruction ID: 296018dbac08f9adf5fb89feba92804ab4c72a35f5f72bdaeb513f9c58bdc96c
            • Opcode Fuzzy Hash: f9d2d25ac51191fa5ca8e617cb6cfb031f4e72d99ada6b54d643fef9837802ae
            • Instruction Fuzzy Hash: BA512935605215DFC711DF58C4949ADBBB1FF49324F0880A9F806AB362DB31ED86CB90
            APIs
            • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00A36C33
            • SetWindowLongW.USER32(?,000000EC,?), ref: 00A36C4A
            • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00A36C73
            • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00A1AB79,00000000,00000000), ref: 00A36C98
            • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00A36CC7
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Window$Long$MessageSendShow
            • String ID:
            • API String ID: 3688381893-0
            • Opcode ID: cb0fd8745fcad937b6cb978ee8d037c3079150adabfa82e39c1454fcb0d51972
            • Instruction ID: 1cf72fbf99acde49828efaaf6fff75e50d613d09de3407980a2d2e9b99d539bc
            • Opcode Fuzzy Hash: cb0fd8745fcad937b6cb978ee8d037c3079150adabfa82e39c1454fcb0d51972
            • Instruction Fuzzy Hash: 0541E435A04104BFDB24CF68CC59FA9BBB5EB09360F149228F999E72E0C371ED42CA50
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: _free
            • String ID:
            • API String ID: 269201875-0
            • Opcode ID: 9b2e732e21a393e248d9ad5b003fd1589f8997d94d55ec37c3450395056fa32f
            • Instruction ID: e27ab9f3e76eb37eb323022ee6e2fbcfc3a3e3ec678da819557e83f808b5f12c
            • Opcode Fuzzy Hash: 9b2e732e21a393e248d9ad5b003fd1589f8997d94d55ec37c3450395056fa32f
            • Instruction Fuzzy Hash: 9541C432A40200AFCB24DFB8C981A6DB7F5EF99324F1585AAE515EB351D731ED01DB80
            APIs
            • GetCursorPos.USER32(?), ref: 009B9141
            • ScreenToClient.USER32(00000000,?), ref: 009B915E
            • GetAsyncKeyState.USER32(00000001), ref: 009B9183
            • GetAsyncKeyState.USER32(00000002), ref: 009B919D
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: AsyncState$ClientCursorScreen
            • String ID:
            • API String ID: 4210589936-0
            • Opcode ID: 20b0b3287ad0f7d62fa63d9a54eb225f64e77cff0e35f780b9d0b226472ce5c6
            • Instruction ID: d90b7244e311dda204e56af0c3323875b425efdbce23e8bc33dcedba1e8fe216
            • Opcode Fuzzy Hash: 20b0b3287ad0f7d62fa63d9a54eb225f64e77cff0e35f780b9d0b226472ce5c6
            • Instruction Fuzzy Hash: D3416C31A0C60ABBDF059FA8C948BFEB774FF05330F208219E529A6290C7346954DB91
            APIs
            • GetInputState.USER32 ref: 00A138CB
            • TranslateAcceleratorW.USER32(?,00000000,?), ref: 00A13922
            • TranslateMessage.USER32(?), ref: 00A1394B
            • DispatchMessageW.USER32(?), ref: 00A13955
            • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A13966
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Message$Translate$AcceleratorDispatchInputPeekState
            • String ID:
            • API String ID: 2256411358-0
            • Opcode ID: f36c166bc1f69505e5c5bfc333808c4405b4738e279413bca5731b4435357461
            • Instruction ID: 322ae33e50c485b5a5b62fa6e72b60abaa7e2edf3384dfd3214e44a7a0e73c14
            • Opcode Fuzzy Hash: f36c166bc1f69505e5c5bfc333808c4405b4738e279413bca5731b4435357461
            • Instruction Fuzzy Hash: E531D5729043419EEF35CFB49C69FF63BE8EB05310F044569E466961A0E3F4AAC6CB11
            APIs
            • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00A1CF38
            • InternetReadFile.WININET(?,00000000,?,?), ref: 00A1CF6F
            • GetLastError.KERNEL32(?,00000000,?,?,?,00A1C21E,00000000), ref: 00A1CFB4
            • SetEvent.KERNEL32(?,?,00000000,?,?,?,00A1C21E,00000000), ref: 00A1CFC8
            • SetEvent.KERNEL32(?,?,00000000,?,?,?,00A1C21E,00000000), ref: 00A1CFF2
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
            • String ID:
            • API String ID: 3191363074-0
            APIs
            • GetWindowRect.USER32(?,?), ref: 00A01915
            • PostMessageW.USER32(00000001,00000201,00000001), ref: 00A019C1
            • Sleep.KERNEL32(00000000,?,?,?), ref: 00A019C9
            • PostMessageW.USER32(00000001,00000202,00000000), ref: 00A019DA
            • Sleep.KERNEL32(00000000,?,?,?,?), ref: 00A019E2
            Similarity
            • API ID: MessagePostSleep$RectWindow
            • String ID:
            • API String ID: 3382505437-0
            APIs
            • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00A35745
            • SendMessageW.USER32(?,00001074,?,00000001), ref: 00A3579D
            • _wcslen.LIBCMT ref: 00A357AF
            • _wcslen.LIBCMT ref: 00A357BA
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00A35816
            Similarity
            • API ID: MessageSend$_wcslen
            • String ID:
            • API String ID: 763830540-0
            APIs
            • GetSysColor.USER32(00000008), ref: 009B98CC
            • SetTextColor.GDI32(?,?), ref: 009B98D6
            • SetBkMode.GDI32(?,00000001), ref: 009B98E9
            • GetStockObject.GDI32(00000005), ref: 009B98F1
            • GetWindowLongW.USER32(?,000000EB), ref: 009B9952
            Similarity
            • API ID: Color$LongModeObjectStockTextWindow
            • String ID:
            • API String ID: 1860813098-0
            APIs
            • IsWindow.USER32(00000000), ref: 00A20951
            • GetForegroundWindow.USER32 ref: 00A20968
            • GetDC.USER32(00000000), ref: 00A209A4
            • GetPixel.GDI32(00000000,?,00000003), ref: 00A209B0
            • ReleaseDC.USER32(00000000,00000003), ref: 00A209E8
            Similarity
            • API ID: Window$ForegroundPixelRelease
            • String ID:
            • API String ID: 4156661090-0
            APIs
            • GetEnvironmentStringsW.KERNEL32 ref: 009DCDC6
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 009DCDE9
              • Part of subcall function 009D3820: RtlAllocateHeap.NTDLL(00000000,?,00A71444,?,009BFDF5,?,?,009AA976,00000010,00A71440,009A13FC,?,009A13C6,?,009A1129), ref: 009D3852
            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 009DCE0F
            • _free.LIBCMT ref: 009DCE22
            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 009DCE31
            Similarity
            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
            • String ID:
            • API String ID: 336800556-0
            APIs
            • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009B9693
            • SelectObject.GDI32(?,00000000), ref: 009B96A2
            • BeginPath.GDI32(?), ref: 009B96B9
            • SelectObject.GDI32(?,00000000), ref: 009B96E2
            Similarity
            • API ID: ObjectSelect$BeginCreatePath
            • String ID:
            • API String ID: 3225163088-0
            APIs
            Similarity
            • API ID: _memcmp
            • String ID:
            • API String ID: 2931989736-0
            APIs
            • GetLastError.KERNEL32(?,?,?,009CF2DE,009D3863,00A71444,?,009BFDF5,?,?,009AA976,00000010,00A71440,009A13FC,?,009A13C6), ref: 009D2DFD
            • _free.LIBCMT ref: 009D2E32
            • _free.LIBCMT ref: 009D2E59
            • SetLastError.KERNEL32(00000000,009A1129), ref: 009D2E66
            • SetLastError.KERNEL32(00000000,009A1129), ref: 009D2E6F
            Similarity
            • API ID: ErrorLast$_free
            • String ID:
            • API String ID: 3170660625-0
            APIs
            • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,009FFF41,80070057,?,?,?,00A0035E), ref: 00A0002B
            • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009FFF41,80070057,?,?), ref: 00A00046
            • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009FFF41,80070057,?,?), ref: 00A00054
            • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009FFF41,80070057,?), ref: 00A00064
            • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,009FFF41,80070057,?,?), ref: 00A00070
            Similarity
            • API ID: From$Prog$FreeStringTasklstrcmpi
            • String ID:
            • API String ID: 3897988419-0
            APIs
            • QueryPerformanceCounter.KERNEL32(?), ref: 00A0E997
            • QueryPerformanceFrequency.KERNEL32(?), ref: 00A0E9A5
            • Sleep.KERNEL32(00000000), ref: 00A0E9AD
            • QueryPerformanceCounter.KERNEL32(?), ref: 00A0E9B7
            • Sleep.KERNEL32 ref: 00A0E9F3
            Similarity
            • API ID: PerformanceQuery$CounterSleep$Frequency
            • String ID:
            • API String ID: 2833360925-0
            APIs
            • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00A01114
            • GetLastError.KERNEL32(?,00000000,00000000,?,?,00A00B9B,?,?,?), ref: 00A01120
            • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00A00B9B,?,?,?), ref: 00A0112F
            • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00A00B9B,?,?,?), ref: 00A01136
            • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00A0114D
            Similarity
            • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
            • String ID:
            • API String ID: 842720411-0
            APIs
            • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00A00FCA
            • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00A00FD6
            • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00A00FE5
            • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00A00FEC
            • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00A01002
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            APIs
            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00A0102A
            • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00A01036
            • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A01045
            • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00A0104C
            • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00A01062
            Similarity
            • API ID: HeapInformationToken$AllocErrorLastProcess
            • String ID:
            • API String ID: 44706859-0
            APIs
            • CloseHandle.KERNEL32(?,?,?,?,00A1017D,?,00A132FC,?,00000001,009E2592,?), ref: 00A10324
            • CloseHandle.KERNEL32(?,?,?,?,00A1017D,?,00A132FC,?,00000001,009E2592,?), ref: 00A10331
            • CloseHandle.KERNEL32(?,?,?,?,00A1017D,?,00A132FC,?,00000001,009E2592,?), ref: 00A1033E
            • CloseHandle.KERNEL32(?,?,?,?,00A1017D,?,00A132FC,?,00000001,009E2592,?), ref: 00A1034B
            • CloseHandle.KERNEL32(?,?,?,?,00A1017D,?,00A132FC,?,00000001,009E2592,?), ref: 00A10358
            • CloseHandle.KERNEL32(?,?,?,?,00A1017D,?,00A132FC,?,00000001,009E2592,?), ref: 00A10365
            Similarity
            • API ID: CloseHandle
            • String ID:
            • API String ID: 2962429428-0
            APIs
            • _free.LIBCMT ref: 009DD752
              • Part of subcall function 009D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009DD7D1,00000000,00000000,00000000,00000000,?,009DD7F8,00000000,00000007,00000000,?,009DDBF5,00000000), ref: 009D29DE
              • Part of subcall function 009D29C8: GetLastError.KERNEL32(00000000,?,009DD7D1,00000000,00000000,00000000,00000000,?,009DD7F8,00000000,00000007,00000000,?,009DDBF5,00000000,00000000), ref: 009D29F0
            • _free.LIBCMT ref: 009DD764
            • _free.LIBCMT ref: 009DD776
            • _free.LIBCMT ref: 009DD788
            • _free.LIBCMT ref: 009DD79A
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            APIs
            • GetDlgItem.USER32(?,000003E9), ref: 00A05C58
            • GetWindowTextW.USER32(00000000,?,00000100), ref: 00A05C6F
            • MessageBeep.USER32(00000000), ref: 00A05C87
            • KillTimer.USER32(?,0000040A), ref: 00A05CA3
            • EndDialog.USER32(?,00000001), ref: 00A05CBD
            Similarity
            • API ID: BeepDialogItemKillMessageTextTimerWindow
            • String ID:
            • API String ID: 3741023627-0
            APIs
            • _free.LIBCMT ref: 009D22BE
              • Part of subcall function 009D29C8: RtlFreeHeap.NTDLL(00000000,00000000,?,009DD7D1,00000000,00000000,00000000,00000000,?,009DD7F8,00000000,00000007,00000000,?,009DDBF5,00000000), ref: 009D29DE
              • Part of subcall function 009D29C8: GetLastError.KERNEL32(00000000,?,009DD7D1,00000000,00000000,00000000,00000000,?,009DD7F8,00000000,00000007,00000000,?,009DDBF5,00000000,00000000), ref: 009D29F0
            • _free.LIBCMT ref: 009D22D0
            • _free.LIBCMT ref: 009D22E3
            • _free.LIBCMT ref: 009D22F4
            • _free.LIBCMT ref: 009D2305
            Similarity
            • API ID: _free$ErrorFreeHeapLast
            • String ID:
            • API String ID: 776569668-0
            • Opcode ID: 972e8c9aeabaab65b6a443f0ffd95c67c1c4efa896fb805d69cc8a61d9035378
            • Instruction ID: 309898fa5a297164436dee78f3d5aa69daf2a8a480364d0db7c5fb43bcbd541b
            • Opcode Fuzzy Hash: 972e8c9aeabaab65b6a443f0ffd95c67c1c4efa896fb805d69cc8a61d9035378
            • Instruction Fuzzy Hash: 35F03A748801208BC622EFE8BD11D583BA8B728760700C55BF418D33B2CB700893BFE4
            APIs
            • EndPath.GDI32(?), ref: 009B95D4
            • StrokeAndFillPath.GDI32(?,?,009F71F7,00000000,?,?,?), ref: 009B95F0
            • SelectObject.GDI32(?,00000000), ref: 009B9603
            • DeleteObject.GDI32 ref: 009B9616
            • StrokePath.GDI32(?), ref: 009B9631
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Path$ObjectStroke$DeleteFillSelect
            • String ID:
            • API String ID: 2625713937-0
            • Opcode ID: f5543266ba166829042c9a8d0e8c91188d50496e38cb194015e5827e0153f8f2
            • Instruction ID: 16d8d1a1df1a00ccd540e56ed1fb810847f8d951a015410a961a9dbe9b8a826e
            • Opcode Fuzzy Hash: f5543266ba166829042c9a8d0e8c91188d50496e38cb194015e5827e0153f8f2
            • Instruction Fuzzy Hash: 6BF0B631015244EBDB26DFE9EE297A43BA5AB01332F44C214F669650F0C7748997DF20
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: __freea$_free
            • String ID: a/p$am/pm
            • API String ID: 3432400110-3206640213
            • Opcode ID: fc493d1b7e0be8222d9613f3795d9340e4dc010d1addb4381e7251ea417ea8f9
            • Instruction ID: a32fa2da4d11fc53734c1c5843cc35171fb0a22b673c8af1e52bfdda30790793
            • Opcode Fuzzy Hash: fc493d1b7e0be8222d9613f3795d9340e4dc010d1addb4381e7251ea417ea8f9
            • Instruction Fuzzy Hash: EAD1F137984206EADB289F68C845BBEB7B9EF05300F24C51BE6119B751D3359D80CB91
            APIs
              • Part of subcall function 009C0242: EnterCriticalSection.KERNEL32(00A7070C,00A71884,?,?,009B198B,00A72518,?,?,?,009A12F9,00000000), ref: 009C024D
              • Part of subcall function 009C0242: LeaveCriticalSection.KERNEL32(00A7070C,?,009B198B,00A72518,?,?,?,009A12F9,00000000), ref: 009C028A
              • Part of subcall function 009A9CB3: _wcslen.LIBCMT ref: 009A9CBD
              • Part of subcall function 009C00A3: __onexit.LIBCMT ref: 009C00A9
            • __Init_thread_footer.LIBCMT ref: 00A27BFB
              • Part of subcall function 009C01F8: EnterCriticalSection.KERNEL32(00A7070C,?,?,009B8747,00A72514), ref: 009C0202
              • Part of subcall function 009C01F8: LeaveCriticalSection.KERNEL32(00A7070C,?,009B8747,00A72514), ref: 009C0235
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
            • String ID: 5$G$Variable must be of type 'Object'.
            • API String ID: 535116098-3733170431
            • Opcode ID: 75705e114828c4d6a7fad6f5c6f90df7d6a8650681a2085a1d60394110d5e7f0
            • Instruction ID: 030b6635df73f56c2ac320f72ec73bb57eb5abcc65685216f3dbbeedd44a8837
            • Opcode Fuzzy Hash: 75705e114828c4d6a7fad6f5c6f90df7d6a8650681a2085a1d60394110d5e7f0
            • Instruction Fuzzy Hash: 56917D71A04219EFCB14EF58E991EBDB7B1FF45304F148069F8066B292DB71AE41CB51
            APIs
              • Part of subcall function 00A0B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A021D0,?,?,00000034,00000800,?,00000034), ref: 00A0B42D
            • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00A02760
              • Part of subcall function 00A0B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00A0B3F8
              • Part of subcall function 00A0B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00A0B355
              • Part of subcall function 00A0B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A02194,00000034,?,?,00001004,00000000,00000000), ref: 00A0B365
              • Part of subcall function 00A0B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A02194,00000034,?,?,00001004,00000000,00000000), ref: 00A0B37B
            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A027CD
            • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A0281A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
            • String ID: @
            • API String ID: 4150878124-2766056989
            • Opcode ID: 1fc249acea4da01aef632581538f4edc57156e682a7b177b019fcb079ec33459
            • Instruction ID: 956ddbffe3b70bd0a5db16cf3e642efc0172b739872d43375e5707eb05268641
            • Opcode Fuzzy Hash: 1fc249acea4da01aef632581538f4edc57156e682a7b177b019fcb079ec33459
            • Instruction Fuzzy Hash: E8413B7690021CAFDB10DFA4DD46BEEBBB8AF09300F108095FA55B7181DB716E45CBA1
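Triaging an entry like the one above by hand means decoding its constant arguments: the OpenProcess access mask 0x438, the VirtualAllocEx protection 0x4, and the SendMessageW message IDs 0x1104 and 0x1111. The Python script below is an added example, not part of the Joe Sandbox report or its tooling. It parses the "APIs" lines of one function entry in the format used on this page, decodes those constants, and distinguishes a remote write whose buffer is read/write and is paired with common-control window messages (the struct for such a message must live in the target process, which is the pattern of a cross-process control helper such as AutoIt's ControlListView/ControlTreeView functions) from an injection-style chain (an executable remote buffer, or a remote-execution call such as CreateRemoteThread). The sample input is copied from the entry above; the verdict labels and the injection chain used in the usage check are constructed for this example.

```python
"""Parse Joe Sandbox IDA-plugin "APIs" lines and classify remote-memory call chains."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: one function entry copied from the report above
# (API ID "Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite").
SAMPLE_ENTRY = """\
APIs
  • Part of subcall function 00A0B403: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A021D0,?,?,00000034,00000800,?,00000034), ref: 00A0B42D
• SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00A02760
  • Part of subcall function 00A0B3CE: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00A021FF,?,?,00000800,?,00001073,00000000,?,?), ref: 00A0B3F8
  • Part of subcall function 00A0B32A: GetWindowThreadProcessId.USER32(?,?), ref: 00A0B355
  • Part of subcall function 00A0B32A: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00A02194,00000034,?,?,00001004,00000000,00000000), ref: 00A0B365
  • Part of subcall function 00A0B32A: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00A02194,00000034,?,?,00001004,00000000,00000000), ref: 00A0B37B
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A027CD
• SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00A0281A
Strings
"""

# One "APIs" line: optional subcall prefix, Name.MODULE, optional (args), "ref: ADDR".
# Lines such as "• _free.LIBCMT ref: 009D22BE" have neither parentheses nor a comma.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<name>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

@dataclass
class ApiCall:
    name: str
    module: str
    args: list              # raw argument strings; "?" means IDA could not resolve the value
    ref: int                # address of the call site
    subcall: Optional[int]  # address of the helper that makes the call, None if direct

def parse_entry(text: str) -> list:
    """Parse the 'APIs' lines of one function entry into ApiCall records."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
        sub = int(m.group("sub"), 16) if m.group("sub") else None
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), sub))
    return calls

def arg_int(call: ApiCall, index: int) -> Optional[int]:
    """Argument `index` as an int, or None when it is "?" or absent."""
    if index >= len(call.args):
        return None
    a = call.args[index]
    return int(a, 16) if re.fullmatch(r"[0-9A-Fa-f]+", a) else None

# Subset of PROCESS_* access rights (winnt.h); enough to read masks such as 0x438.
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
PAGE_PROTECT = {0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
                0x20: "PAGE_EXECUTE_READ", 0x40: "PAGE_EXECUTE_READWRITE"}
EXEC_BITS = 0xF0  # PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
REMOTE_EXEC_APIS = {"CreateRemoteThread", "NtCreateThreadEx", "SetThreadContext", "QueueUserAPC"}

def decode_process_access(mask: int) -> list:
    return [name for bit, name in sorted(PROCESS_ACCESS.items()) if mask & bit]

def assess(calls: list) -> dict:
    """Classify a function's remote-memory usage from its call chain and constant arguments."""
    names = {c.name for c in calls}
    result = {
        "remote_write": {"OpenProcess", "VirtualAllocEx", "WriteProcessMemory"} <= names,
        "open_process_access": [],
        "alloc_protect": None,
        "executable_buffer": False,
        "remote_execution": bool(names & REMOTE_EXEC_APIS),
        # wMsg of every SendMessageW whose message ID was resolved
        "window_messages": sorted({arg_int(c, 1) for c in calls if c.name == "SendMessageW"} - {None}),
    }
    for c in calls:
        if c.name == "OpenProcess" and arg_int(c, 0) is not None:
            result["open_process_access"] = decode_process_access(arg_int(c, 0))
        if c.name == "VirtualAllocEx" and arg_int(c, 4) is not None:  # flProtect
            prot = arg_int(c, 4)
            result["alloc_protect"] = PAGE_PROTECT.get(prot, hex(prot))
            result["executable_buffer"] = bool(prot & EXEC_BITS)
    # Verdict labels are constructed for this example, not Joe Sandbox terminology.
    if result["remote_write"] and (result["executable_buffer"] or result["remote_execution"]):
        result["verdict"] = "process-injection-candidate"
    elif result["remote_write"] and result["window_messages"]:
        # Read/write buffer in another process plus common-control messages whose
        # structs must live in the target's address space: a control-access helper.
        result["verdict"] = "cross-process-control-access"
    elif result["remote_write"]:
        result["verdict"] = "remote-write-unknown-purpose"
    else:
        result["verdict"] = "no-remote-write"
    return result

if __name__ == "__main__":
    for key, value in assess(parse_entry(SAMPLE_ENTRY)).items():
        print(f"{key}: {value}")
```

For the entry above this yields an access mask of PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_QUERY_INFORMATION, a PAGE_READWRITE buffer and the messages 0x1104 and 0x1111, so the verdict is cross-process-control-access rather than injection. Two caveats: the report lists only the arguments IDA could resolve statically, so a "?" can hide a constant that would change the verdict, and a static chain says nothing about which process was opened. Confirm a verdict against the dynamic signatures (here "Writes to foreign memory regions" and "Maps a DLL or memory area into another process") and the process tree before relying on it.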
            APIs
            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe,00000104), ref: 009D1769
            • _free.LIBCMT ref: 009D1834
            • _free.LIBCMT ref: 009D183E
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: _free$FileModuleName
            • String ID: C:\Users\user\Desktop\eArchive_InvoiceNOS20240004228.exe
            • API String ID: 2506810119-2668543238
            • Opcode ID: d2974c79666c6ab31999566f8d62c4e36f372229a69fabd2308d15585900cca9
            • Instruction ID: 0ff1c4b8854db5f77014f41562b23c140505f09acc616ad4fd3a8afc814e2b6d
            • Opcode Fuzzy Hash: d2974c79666c6ab31999566f8d62c4e36f372229a69fabd2308d15585900cca9
            • Instruction Fuzzy Hash: B7315E76A80258BBDB21DB99DC85E9EBBFCEB95310B148167F804D7321D6708E81DB90
            APIs
            • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00A0C306
            • DeleteMenu.USER32(?,00000007,00000000), ref: 00A0C34C
            • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00A71990,00F86840), ref: 00A0C395
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Menu$Delete$InfoItem
            • String ID: 0
            • API String ID: 135850232-4108050209
            • Opcode ID: 7b0f7bc74a1935438c8f1969f955a3d1432b40950031e76025d0aeb2a7a9d57c
            • Instruction ID: 22e6226735c862f5d0d45892d4ea439c1e5ba036879840512e62bd32f7d03ce5
            • Opcode Fuzzy Hash: 7b0f7bc74a1935438c8f1969f955a3d1432b40950031e76025d0aeb2a7a9d57c
            • Instruction Fuzzy Hash: 8C418D712143059FDB20DF25E884B5ABBE4AF85320F148B1DF9A59B2D1D730A904CB62
            APIs
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00A3CC08,00000000,?,?,?,?), ref: 00A344AA
            • GetWindowLongW.USER32 ref: 00A344C7
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A344D7
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Window$Long
            • String ID: SysTreeView32
            • API String ID: 847901565-1698111956
            • Opcode ID: 9b9216c7d077ad221c14d9852800c3930ef6ac89d5bf7ab4105e44da77ddb6f1
            • Instruction ID: 7aa0b98e65ab126d8184fddd336255a3b23c4b82b737f6b26eb1b99bf8119fff
            • Opcode Fuzzy Hash: 9b9216c7d077ad221c14d9852800c3930ef6ac89d5bf7ab4105e44da77ddb6f1
            • Instruction Fuzzy Hash: F0319A32210605AFDB209F78DC46BEA7BA9EB49334F208725F979A21E1D770EC519B50
            APIs
              • Part of subcall function 00A2335B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00A23077,?,?), ref: 00A23378
            • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00A2307A
            • _wcslen.LIBCMT ref: 00A2309B
            • htons.WSOCK32(00000000,?,?,00000000), ref: 00A23106
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
            • String ID: 255.255.255.255
            • API String ID: 946324512-2422070025
            • Opcode ID: 3137d8357e0aff7de3c20bdeca9ef0e46e356942f5d3c4be49cd0bd53ea10ded
            • Instruction ID: c6b53737a23c3490b37c3009a204bb2941ac37c66ce114c77e55c8237a4b5bd5
            • Opcode Fuzzy Hash: 3137d8357e0aff7de3c20bdeca9ef0e46e356942f5d3c4be49cd0bd53ea10ded
            • Instruction Fuzzy Hash: C631C1362042219FCF10CF6CD985EA977A0EF56318F248169E9158B392CB39DE41C760
            APIs
            • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00A33F40
            • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00A33F54
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00A33F78
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: MessageSend$Window
            • String ID: SysMonthCal32
            • API String ID: 2326795674-1439706946
            • Opcode ID: 2d52a27027940c1ccd35ebab0b545c20611717c013f31b2f609c9d51d82024d3
            • Instruction ID: acffb15bc8519911832c5109de8236cf5bcbe25c00a0b8713fb168b72bae2401
            • Opcode Fuzzy Hash: 2d52a27027940c1ccd35ebab0b545c20611717c013f31b2f609c9d51d82024d3
            • Instruction Fuzzy Hash: BB21BC33600219BFDF21CF90DC46FEA3BB9EF88724F110214FA15AB1D0D6B5A8918B90
            APIs
            • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00A34705
            • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00A34713
            • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00A3471A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: MessageSend$DestroyWindow
            • String ID: msctls_updown32
            • API String ID: 4014797782-2298589950
            • Opcode ID: d3cbec2fe70636ed7996862dfb63456526507d5d8545955c59e762f358d4d1e8
            • Instruction ID: cd44a381dd7452bd261ee4432e4ba586446cc05d66639d3f3f1c1f1dba8d4626
            • Opcode Fuzzy Hash: d3cbec2fe70636ed7996862dfb63456526507d5d8545955c59e762f358d4d1e8
            • Instruction Fuzzy Hash: B0215EB5600208AFEB11DF68DC81DA737ADEB8A3A4B040059FA049B251DB74FC52CA60
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: _wcslen
            • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
            • API String ID: 176396367-2734436370
            • Opcode ID: 404222070a51a7a62dece145d875f427579c743dadfcd3ca50a98083861e5f5a
            • Instruction ID: 34a41e4c3ed5698c328cc05459d4dbf83e5ea26d0858fea7cd0aa411740b54e4
            • Opcode Fuzzy Hash: 404222070a51a7a62dece145d875f427579c743dadfcd3ca50a98083861e5f5a
            • Instruction Fuzzy Hash: 1A215B72A045156AD331BB25AC03FB7B3E8AF91310F50442AF949970C3EB52AD45C2D6
            APIs
            • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00A33840
            • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00A33850
            • MoveWindow.USER32(00000000,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00A33876
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: MessageSend$MoveWindow
            • String ID: Listbox
            • API String ID: 3315199576-2633736733
            • Opcode ID: 2cf53d65aee9f6c5523b2e9ec0a2d7c055f22881e06bbaff20edcb9a54440e13
            • Instruction ID: 100a19af3575e713339707f978febcd0764a0a8744b5d30956aff3ec4d680c0f
            • Opcode Fuzzy Hash: 2cf53d65aee9f6c5523b2e9ec0a2d7c055f22881e06bbaff20edcb9a54440e13
            • Instruction Fuzzy Hash: BC219F72614218BBEF21CF95DC85FBB376EEF89764F118124F9049B190CA75DC5287A0
            APIs
            • SetErrorMode.KERNEL32(00000001), ref: 00A14A08
            • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00A14A5C
            • SetErrorMode.KERNEL32(00000000,?,?,00A3CC08), ref: 00A14AD0
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ErrorMode$InformationVolume
            • String ID: %lu
            • API String ID: 2507767853-685833217
            • Opcode ID: e79aefcfb8b3e627672c1a0c69bbab262c3ad86886f9897bbe0b2c7feee52b18
            • Instruction ID: 61f55d90850828ceebbe1355922a21aee458739f6dc42824f84a5cab1bd25d87
            • Opcode Fuzzy Hash: e79aefcfb8b3e627672c1a0c69bbab262c3ad86886f9897bbe0b2c7feee52b18
            • Instruction Fuzzy Hash: 07319375A00108AFDB10DF98C881EAABBF8FF49314F148094F509DB252D771ED45CBA1
            APIs
            • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00A3424F
            • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00A34264
            • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00A34271
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: msctls_trackbar32
            • API String ID: 3850602802-1010561917
            • Opcode ID: a623dfe4f16b9c54ca3f54b8e8e9038ace9c541df30518d3e6b9f99943aca717
            • Instruction ID: c5cf33e9d88ea0cc2267f2beb504a0c888b2d3d9f9c28105d334c4fbe5da924f
            • Opcode Fuzzy Hash: a623dfe4f16b9c54ca3f54b8e8e9038ace9c541df30518d3e6b9f99943aca717
            • Instruction Fuzzy Hash: 6511C671240248BFEF209F69CC46FEB3BACEF99B64F110614FA55E60A0D671EC519B50
            APIs
              • Part of subcall function 009A6B57: _wcslen.LIBCMT ref: 009A6B6A
              • Part of subcall function 00A02DA7: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A02DC5
              • Part of subcall function 00A02DA7: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A02DD6
              • Part of subcall function 00A02DA7: GetCurrentThreadId.KERNEL32 ref: 00A02DDD
              • Part of subcall function 00A02DA7: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00A02DE4
            • GetFocus.USER32 ref: 00A02F78
              • Part of subcall function 00A02DEE: GetParent.USER32(00000000), ref: 00A02DF9
            • GetClassNameW.USER32(?,?,00000100), ref: 00A02FC3
            • EnumChildWindows.USER32(?,00A0303B), ref: 00A02FEB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
            • String ID: %s%d
            • API String ID: 1272988791-1110647743
            • Opcode ID: 460d0f41779b0fc0a208610d5a35257760769fc2b04131787b3afc556df4da9e
            • Instruction ID: f035b9e6ede07a8b5b0dfb9aae152ad13ee15052985d2fe60f9da398683ab2ad
            • Opcode Fuzzy Hash: 460d0f41779b0fc0a208610d5a35257760769fc2b04131787b3afc556df4da9e
            • Instruction Fuzzy Hash: 5E11A2726002096BCF15BFB0AD9AFED776AAF84314F049075B909AB192DF309A458B70
            APIs
            • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00A358C1
            • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00A358EE
            • DrawMenuBar.USER32(?), ref: 00A358FD
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Menu$InfoItem$Draw
            • String ID: 0
            • API String ID: 3227129158-4108050209
            • Opcode ID: d25fe97b7535213119fe6d91557456dbb8fa8cee03eeaa9b0ace1024c29a8fc1
            • Instruction ID: a872f296a3e3d8d31224a4b2db0f91581eb51c73f9415c4a45e4ae3e8252784b
            • Opcode Fuzzy Hash: d25fe97b7535213119fe6d91557456dbb8fa8cee03eeaa9b0ace1024c29a8fc1
            • Instruction Fuzzy Hash: BD016932900218EFDB219F65DC45BEEBBB5FB85360F1080A9F849E6151DB308A94EF21
            APIs
            • GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 009FD3BF
            • FreeLibrary.KERNEL32 ref: 009FD3E5
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: AddressFreeLibraryProc
            • String ID: GetSystemWow64DirectoryW$X64
            • API String ID: 3013587201-2590602151
            • Opcode ID: 4692f45794c50cc1a52ad0fd9945526b76797a783e0219237232a3059addc98d
            • Instruction ID: e11880a7633f3cc0fb58d04a1d5b7904d8871579336c15dbcfffc329b65628cb
            • Opcode Fuzzy Hash: 4692f45794c50cc1a52ad0fd9945526b76797a783e0219237232a3059addc98d
            • Instruction Fuzzy Hash: F8F055318077289BE73097208C489BD732ABF00B20B50CA49F326F5098E7B4C840EBC3
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: cad787da2e9dd8943c59a43af7a1b709dd09c55d7ae7ab8fc72afafe512fa00c
            • Instruction ID: afc4480c20c54bdc36b731e2c45d4260f9408e4d1778a8d16185e1188c3eea31
            • Opcode Fuzzy Hash: cad787da2e9dd8943c59a43af7a1b709dd09c55d7ae7ab8fc72afafe512fa00c
            • Instruction Fuzzy Hash: 09C13975A0020AAFDB15CFA8D894FAEB7B5FF48304F118598E505EB291D731EE41DB90
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: __alldvrm$_strrchr
            • String ID:
            • API String ID: 1036877536-0
            • Opcode ID: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
            • Instruction ID: 33038cf06460334401a512373d31b5f9a1c29c259da2d0f0339d7f9394041c15
            • Opcode Fuzzy Hash: 190bec492484a18a97fe5f025dcdb3e473ceac46589bc02d4dbe4f94f5be8f6e
            • Instruction Fuzzy Hash: 2AA12771D843869FEB25CF18C8917AEBBE9EF61350F18C16EE5859B381C2388D81C751
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Variant$ClearInitInitializeUninitialize
            • String ID:
            • API String ID: 1998397398-0
            • Opcode ID: 85a1f59f658546684376ed920d4c5911d3ed08756f26783f29320dfde82b17c5
            • Instruction ID: 22da6fb93fe601b14081b8a8d9b1d70f4b93771fbc5643c5076be32ef2cbe0e8
            • Opcode Fuzzy Hash: 85a1f59f658546684376ed920d4c5911d3ed08756f26783f29320dfde82b17c5
            • Instruction Fuzzy Hash: 3AA13E756043109FCB10EF68D985A2AB7E5FF89714F04885DF98A9B362DB34EE01CB91
            APIs
            • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00A3FC08,?), ref: 00A005F0
            • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00A3FC08,?), ref: 00A00608
            • CLSIDFromProgID.OLE32(?,?,00000000,00A3CC40,000000FF,?,00000000,00000800,00000000,?,00A3FC08,?), ref: 00A0062D
            • _memcmp.LIBVCRUNTIME ref: 00A0064E
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: FromProg$FreeTask_memcmp
            • String ID:
            • API String ID: 314563124-0
            • Opcode ID: fe890c93b4058a5058b7b7a24cd2b596e60ebae9e4de11e02a632f430207b4e2
            • Instruction ID: b4cc2244f21bbd79c9286a40e7e0254f78e89aa1d5ebe5be59c4844ec2619115
            • Opcode Fuzzy Hash: fe890c93b4058a5058b7b7a24cd2b596e60ebae9e4de11e02a632f430207b4e2
            • Instruction Fuzzy Hash: 8381EB75A00109EFCB04DF94D984EEEB7B9FF89315F208558F516AB290DB71AE06CB60
            APIs
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: _free
            • String ID:
            • API String ID: 269201875-0
            • Opcode ID: c58e9a85614950918606d18cdd171eace8990997a109e07964c098435abd1302
            • Instruction ID: 20f2c20ab818698f4bfe70569b5bfc5818aa8749b9f7ff4ee98c0ec45d356f40
            • Opcode Fuzzy Hash: c58e9a85614950918606d18cdd171eace8990997a109e07964c098435abd1302
            • Instruction Fuzzy Hash: A0413031A005516BDB277BBA8C45BBE3BA9EF81370F144626F415D63E2F6344C419762
            APIs
            • GetWindowRect.USER32(00F8FED0,?), ref: 00A362E2
            • ScreenToClient.USER32(?,?), ref: 00A36315
            • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00A36382
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Window$ClientMoveRectScreen
            • String ID:
            • API String ID: 3880355969-0
            • Opcode ID: 4729a2b09823804314bcba89a6e1fea8d6bfa8facf8d2a5d8dba855c8b6605ee
            • Instruction ID: f11855e96db07c97d8279ed463a9abac02fb31e0cbf08d390765295a311239ca
            • Opcode Fuzzy Hash: 4729a2b09823804314bcba89a6e1fea8d6bfa8facf8d2a5d8dba855c8b6605ee
            • Instruction Fuzzy Hash: 86512B75A00209EFDF10DFA8D981AAE7BB5FF45360F108169F9659B2A0D730ED81CB90
            APIs
            • socket.WSOCK32(00000002,00000002,00000011), ref: 00A21AFD
            • WSAGetLastError.WSOCK32 ref: 00A21B0B
            • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A21B8A
            • WSAGetLastError.WSOCK32 ref: 00A21B94
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ErrorLast$socket
            • String ID:
            • API String ID: 1881357543-0
            • Opcode ID: f8ae0ec94605e4923173e8952d363369cdbdc8780b9fb206f1d021487570f525
            • Instruction ID: 6586e5f621468d118077859c3c06351ff38aa5cd86490fe14ccc1e41f46b4d7d
            • Opcode Fuzzy Hash: f8ae0ec94605e4923173e8952d363369cdbdc8780b9fb206f1d021487570f525
            • Instruction Fuzzy Hash: 8241B074600210AFE720AF24D886F6A77E5AB85718F548458F91A9F3D3E772ED428BD0
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: aa00ff6118487f0e2d21d38d254a1f238b96919b4665741e4105f45fcbb0c3c9
            • Instruction ID: f4f75795613d3803d7f4e58e09e77b047142313fa68715e845347d3e853df2e8
            • Opcode Fuzzy Hash: aa00ff6118487f0e2d21d38d254a1f238b96919b4665741e4105f45fcbb0c3c9
            • Instruction Fuzzy Hash: A741E275A80344EFE724DF38C841BAABBA9EBC8710F11852FF156DB792D771A9018790
            APIs
            • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 00A15783
            • GetLastError.KERNEL32(?,00000000), ref: 00A157A9
            • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 00A157CE
            • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 00A157FA
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CreateHardLink$DeleteErrorFileLast
            • String ID:
            • API String ID: 3321077145-0
            • Opcode ID: 728158b55d94baaed9d9c22ef638c51ea473f026c0fdc2c16d769f42760c733c
            • Instruction ID: 7e2634c32c66d188f1501ffcd347ac045d5de630a45164e645bc05b5ab3e22f1
            • Opcode Fuzzy Hash: 728158b55d94baaed9d9c22ef638c51ea473f026c0fdc2c16d769f42760c733c
            • Instruction Fuzzy Hash: B341DE35A00610DFCB11EF55C945A5EBBE2AF89720B198888F94A6B362CB34FD41DBD1
            APIs
            • MultiByteToWideChar.KERNEL32(?,00000000,8BE85006,009C6D71,00000000,00000000,009C82D9,?,009C82D9,?,00000001,009C6D71,8BE85006,00000001,009C82D9,009C82D9), ref: 009DD910
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009DD999
            • GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 009DD9AB
            • __freea.LIBCMT ref: 009DD9B4
              • Part of subcall function 009D3820: RtlAllocateHeap.NTDLL(00000000,?,00A71444,?,009BFDF5,?,?,009AA976,00000010,00A71440,009A13FC,?,009A13C6,?,009A1129), ref: 009D3852
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ByteCharMultiWide$AllocateHeapStringType__freea
            • String ID:
            • API String ID: 2652629310-0
            • Opcode ID: df5067c4ef9ea75415b1de4273d2a7d49efb212e2477c7e1a13c6ecf5cafaa13
            • Instruction ID: 1b57fe07809b53d784b693ea57b0e22363322d8ddad7c8aa1ca7c6dfe9e04ac0
            • Opcode Fuzzy Hash: df5067c4ef9ea75415b1de4273d2a7d49efb212e2477c7e1a13c6ecf5cafaa13
            • Instruction Fuzzy Hash: 7B31F472A0220AABDF25CFA5DC91EAE7BA9EF40710F058169FC04D7250EB36DD50CB90
            APIs
            • SendMessageW.USER32(?,00001024,00000000,?), ref: 00A35352
            • GetWindowLongW.USER32(?,000000F0), ref: 00A35375
            • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00A35382
            • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00A353A8
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: LongWindow$InvalidateMessageRectSend
            • String ID:
            • API String ID: 3340791633-0
            • Opcode ID: 474560ceba9f62f58981c0bc85b56fbeb19116e6d6594c4178fc199e53779547
            • Instruction ID: 6c13475179f74850d04ad5a65386909b42460b202a4a7f0ef91b081ad06a25c1
            • Opcode Fuzzy Hash: 474560ceba9f62f58981c0bc85b56fbeb19116e6d6594c4178fc199e53779547
            • Instruction Fuzzy Hash: 6631C434E95A08EFEB349B7CCC26BE877A5EB05390F584101FA109E1E1C7B49981EB41
            APIs
            • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00A0ABF1
            • SetKeyboardState.USER32(00000080,?,00008000), ref: 00A0AC0D
            • PostMessageW.USER32(00000000,00000101,00000000), ref: 00A0AC74
            • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00A0ACC6
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: KeyboardState$InputMessagePostSend
            • String ID:
            • API String ID: 432972143-0
            • Opcode ID: d27b1975354786b47d076395a7a99410373be50005ea17d0a1aec5e565c50f36
            • Instruction ID: 33707b71d978b0bd824aab8b399801f8cddbfcf22dacc7f88a26f3a37508fa4e
            • Opcode Fuzzy Hash: d27b1975354786b47d076395a7a99410373be50005ea17d0a1aec5e565c50f36
            • Instruction Fuzzy Hash: 0D312430A0471CAFFF35CBA4AC097FE7BB5ABA9320F05431AE485961D1C37489818792
            APIs
            • ClientToScreen.USER32(?,?), ref: 00A3769A
            • GetWindowRect.USER32(?,?), ref: 00A37710
            • PtInRect.USER32(?,?,00A38B89), ref: 00A37720
            • MessageBeep.USER32(00000000), ref: 00A3778C
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Rect$BeepClientMessageScreenWindow
            • String ID:
            • API String ID: 1352109105-0
            • Opcode ID: cf2d0b910d06085f9fa35703427753dd36e07dcaa68ebf4734a54800b5160a5d
            • Instruction ID: 1b7c8f25038900c389b00826f0e0493244cb497825c539ac115a53e370163879
            • Opcode Fuzzy Hash: cf2d0b910d06085f9fa35703427753dd36e07dcaa68ebf4734a54800b5160a5d
            • Instruction Fuzzy Hash: 2C416DB4A05214EFCB21CF98CC95EADB7F5FB49314F1581A8F5159B261D730A942CF90
            APIs
            • GetForegroundWindow.USER32 ref: 00A316EB
              • Part of subcall function 00A03A3D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00A03A57
              • Part of subcall function 00A03A3D: GetCurrentThreadId.KERNEL32 ref: 00A03A5E
              • Part of subcall function 00A03A3D: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00A025B3), ref: 00A03A65
            • GetCaretPos.USER32(?), ref: 00A316FF
            • ClientToScreen.USER32(00000000,?), ref: 00A3174C
            • GetForegroundWindow.USER32 ref: 00A31752
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
            • String ID:
            • API String ID: 2759813231-0
            • Opcode ID: 52004387f8b8df15981384a083d4aa5ba72e9da06044c9cccab9e656ea7a62fc
            • Instruction ID: 730d72020f40287c48de1a8ffc73a1083d6c5157e8c334e1b59fc3c0a7fa4331
            • Opcode Fuzzy Hash: 52004387f8b8df15981384a083d4aa5ba72e9da06044c9cccab9e656ea7a62fc
            • Instruction Fuzzy Hash: 23313071E00149AFCB00DFA9C885DAEB7F9EF89304B5480A9F415E7211D6319E45CBA0
            APIs
            • CreateToolhelp32Snapshot.KERNEL32 ref: 00A0D501
            • Process32FirstW.KERNEL32(00000000,?), ref: 00A0D50F
            • Process32NextW.KERNEL32(00000000,?), ref: 00A0D52F
            • CloseHandle.KERNEL32(00000000), ref: 00A0D5DC
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
            • String ID:
            • API String ID: 420147892-0
            • Opcode ID: bbb0a67b52dfadf6b08a4680b4a36080394c19f3f0f8df79e845932c84321d4d
            • Instruction ID: 1fc6cdd7804aaf7fc8d2fb1d65846b5d8163bdb8352edcc59f430d41edac075c
            • Opcode Fuzzy Hash: bbb0a67b52dfadf6b08a4680b4a36080394c19f3f0f8df79e845932c84321d4d
            • Instruction Fuzzy Hash: 55317E721082049FD300EF94DC85BAFBBE8EFDA354F14092DF585961A1EB71A945CB92
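The "APIs" entries in this listing are the most useful triage data in the report: the socket/#21 pair above, the GetProcAddress("GetSystemWow64DirectoryW") block and the Toolhelp32 block each encode a behaviour behind raw hex arguments and, in one case, an export ordinal. The following Python is an added example, not part of the Joe Sandbox report or its tooling: it parses entries in the shape printed here, resolves the wsock32.dll ordinal, decodes the socket constants and raises three behaviour tags. The ordinal and constant tables, the tag names and the `SAMPLE` input (assembled from entries in this listing) are the example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample in the shape Joe Sandbox prints "APIs" entries; the calls and
# addresses are lifted from blocks in this listing, the grouping is the example's own.
SAMPLE = """\
• socket.WSOCK32(00000002,00000002,00000011), ref: 00A21AFD
• WSAGetLastError.WSOCK32 ref: 00A21B0B
• #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00A21B8A
• CreateToolhelp32Snapshot.KERNEL32 ref: 00A0D501
• Process32FirstW.KERNEL32(00000000,?), ref: 00A0D50F
• Process32NextW.KERNEL32(00000000,?), ref: 00A0D52F
  • Part of subcall function 009D3820: RtlAllocateHeap.NTDLL(00000000,?,00A71444), ref: 009D3852
• GetProcAddress.KERNEL32(?,GetSystemWow64DirectoryW), ref: 009FD3BF
"""

# One entry: optional "Part of subcall function XXXXXXXX:", then api.MODULE(args), ref: addr.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[#\w]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

# Assumed tables: wsock32.dll export ordinals the listing resolves as "#N", and the
# Winsock constants needed to read socket()/setsockopt() arguments.
WSOCK32_ORDINALS = {2: "bind", 4: "connect", 19: "send", 20: "sendto", 21: "setsockopt", 23: "socket"}
AF = {2: "AF_INET"}
SOCK = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
IPPROTO = {0: "IPPROTO_IP", 6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}
SOL_SOCKET = 0xFFFF
SO = {0x0004: "SO_REUSEADDR", 0x0020: "SO_BROADCAST"}

Arg = Union[int, str]


@dataclass
class Call:
    api: str
    module: str
    args: List[Arg]
    ref: str
    subcall: Optional[str]

    @property
    def name(self) -> str:
        """Resolve an ordinal import to its symbolic name where the table covers it."""
        if self.api.startswith("#") and self.module == "WSOCK32":
            return WSOCK32_ORDINALS.get(int(self.api[1:]), self.api)
        return self.api


def _parse_arg(raw: str) -> Arg:
    raw = raw.strip()
    # Eight upper-case hex digits are a numeric argument; "?" and symbol names stay as text.
    return int(raw, 16) if re.fullmatch(r"[0-9A-F]{8}", raw) else raw


def parse_block(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [_parse_arg(a) for a in m["args"].split(",")] if m["args"] else []
        calls.append(Call(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return calls


def describe(call: Call) -> str:
    """Render a call with its numeric constants decoded where the tables cover them."""
    n = call.name
    if n == "socket" and len(call.args) == 3:
        af, st, pr = call.args
        return f"socket({AF.get(af, af)}, {SOCK.get(st, st)}, {IPPROTO.get(pr, pr)})"
    if n == "setsockopt" and len(call.args) >= 3 and call.args[1] == SOL_SOCKET:
        return f"setsockopt(SOL_SOCKET, {SO.get(call.args[2], call.args[2])})"
    return n


def flag(calls: List[Call]) -> List[str]:
    """Behaviour tags an analyst would raise from the API chains in this listing."""
    names = {c.name for c in calls}
    tags = []
    if {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"} <= names:
        tags.append("process enumeration via Toolhelp32")
    if any(c.name == "setsockopt" and c.args[1:3] == [SOL_SOCKET, 0x0020] for c in calls):
        tags.append("UDP socket configured for broadcast")
    if any(c.name == "GetProcAddress" and "GetSystemWow64DirectoryW" in c.args for c in calls):
        tags.append("64-bit OS probe via GetSystemWow64DirectoryW")
    return tags


if __name__ == "__main__":
    parsed = parse_block(SAMPLE)
    for c in parsed:
        print(f"{c.ref}  {describe(c)}")
    print("flags:", flag(parsed))
```

Feeding the script a whole report section works the same way: lines that are not "APIs" entries (the dump-source and hash lines) fail the regex and are skipped, so the parser can be pointed at the full text of a function block. Note that the three tags are behaviours of the embedded AutoIt runtime as much as of the script it carries; they support, rather than replace, the FormBook verdict the report reaches from its Yara and process-injection signatures.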
            APIs
              • Part of subcall function 009B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009B9BB2
            • GetCursorPos.USER32(?), ref: 00A39001
            • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,009F7711,?,?,?,?,?), ref: 00A39016
            • GetCursorPos.USER32(?), ref: 00A3905E
            • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,009F7711,?,?,?), ref: 00A39094
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Cursor$LongMenuPopupProcTrackWindow
            • String ID:
            • API String ID: 2864067406-0
            • Opcode ID: ae9296355900fed63e339390fe0d2b338a1ab15b8d354226f4ff4c641707f715
            • Instruction ID: cbd3d25ecb52b6a7d15cdcfc00e0022ef27fc21bd85aa446379ecb05bc80cef1
            • Opcode Fuzzy Hash: ae9296355900fed63e339390fe0d2b338a1ab15b8d354226f4ff4c641707f715
            • Instruction Fuzzy Hash: 8C21BF35600118EFCB29CFA8CC58EEB3BB9EB8A360F008055F90557261C3719991DB61
            APIs
            • GetFileAttributesW.KERNEL32(?,00A3CB68), ref: 00A0D2FB
            • GetLastError.KERNEL32 ref: 00A0D30A
            • CreateDirectoryW.KERNEL32(?,00000000), ref: 00A0D319
            • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00A3CB68), ref: 00A0D376
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CreateDirectory$AttributesErrorFileLast
            • String ID:
            • API String ID: 2267087916-0
            • Opcode ID: 6e3dda962ee39a52aedae99951c9e5984bd84a08271755c2db34c355025166e4
            • Instruction ID: 7625de41dc26c9428f9176be610c8f5e3c72054a785d4a5260900e7f097053d6
            • Opcode Fuzzy Hash: 6e3dda962ee39a52aedae99951c9e5984bd84a08271755c2db34c355025166e4
            • Instruction Fuzzy Hash: 202191715043059FC700EFA8D8814AAB7E4BF96364F104A1DF499DB2E1E730D946CB93
            APIs
              • Part of subcall function 00A01014: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 00A0102A
              • Part of subcall function 00A01014: GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 00A01036
              • Part of subcall function 00A01014: GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 00A01045
              • Part of subcall function 00A01014: HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 00A0104C
              • Part of subcall function 00A01014: GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 00A01062
            • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00A015BE
            • _memcmp.LIBVCRUNTIME ref: 00A015E1
            • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00A01617
            • HeapFree.KERNEL32(00000000), ref: 00A0161E
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
            • String ID:
            • API String ID: 1592001646-0
            • Opcode ID: 55c45cbf6e7d32a421d43b449fc08ad5fb0ab92e9d9f2cd0ecfa9866f61433af
            • Instruction ID: 5ff9bf2dc93444a567b8654230e6ce75f5dd88e99c04a3fac5e29fa7a2ce0ee4
            • Opcode Fuzzy Hash: 55c45cbf6e7d32a421d43b449fc08ad5fb0ab92e9d9f2cd0ecfa9866f61433af
            • Instruction Fuzzy Hash: 6321AC32E00108EFDF14DFA4DD45BEEB7B8EF84354F084459E441AB281E731AA45DBA0
            APIs
            • GetWindowLongW.USER32(?,000000EC), ref: 00A3280A
            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A32824
            • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00A32832
            • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00A32840
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Window$Long$AttributesLayered
            • String ID:
            • API String ID: 2169480361-0
            • Opcode ID: 1c0739266ced7309e5adf0cf466e473767d423c361b13a0af02654fa506b3cd8
            • Instruction ID: 91d86e20637f1ac3a2384c419c13d79a53db9b9ec042a64e603bcd75ea8a077b
            • Opcode Fuzzy Hash: 1c0739266ced7309e5adf0cf466e473767d423c361b13a0af02654fa506b3cd8
            • Instruction Fuzzy Hash: D921AF31604611AFD714DB24CC55FAABBA5AF86324F148158F4268B6E2CB71FC82CBD0
            APIs
              • Part of subcall function 00A08D7D: lstrlenW.KERNEL32(?,00000002,000000FF,?,?,?,00A0790A,?,000000FF,?,00A08754,00000000,?,0000001C,?,?), ref: 00A08D8C
              • Part of subcall function 00A08D7D: lstrcpyW.KERNEL32(00000000,?), ref: 00A08DB2
              • Part of subcall function 00A08D7D: lstrcmpiW.KERNEL32(00000000,?,00A0790A,?,000000FF,?,00A08754,00000000,?,0000001C,?,?), ref: 00A08DE3
            • lstrlenW.KERNEL32(?,00000002,000000FF,?,000000FF,?,00A08754,00000000,?,0000001C,?,?,00000000), ref: 00A07923
            • lstrcpyW.KERNEL32(00000000,?), ref: 00A07949
            • lstrcmpiW.KERNEL32(00000002,cdecl,?,00A08754,00000000,?,0000001C,?,?,00000000), ref: 00A07984
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: lstrcmpilstrcpylstrlen
            • String ID: cdecl
            • API String ID: 4031866154-3896280584
            • Opcode ID: dbfb8d0585bd4a10856cb2604952b98f6a3a60d24665d32e5fd4cc2a0f91fe99
            • Instruction ID: 8488a9db577268a4d200eeabd37e9d46f99bdf78c9840b38c73617d30874b843
            • Opcode Fuzzy Hash: dbfb8d0585bd4a10856cb2604952b98f6a3a60d24665d32e5fd4cc2a0f91fe99
            • Instruction Fuzzy Hash: D611D63A200245ABCB159F34EC45E7A77A5FF85390B50412AF946C72A4EB31D811D7A1
            APIs
            • GetWindowLongW.USER32(?,000000F0), ref: 00A37D0B
            • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00A37D2A
            • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00A37D42
            • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,00A1B7AD,00000000), ref: 00A37D6B
              • Part of subcall function 009B9BA1: GetWindowLongW.USER32(00000000,000000EB), ref: 009B9BB2
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Window$Long
            • String ID:
            • API String ID: 847901565-0
            • Opcode ID: 52d4f8b2bc5acc5f029ac2c9b46b7f78908d0bac8236577b99ac6bc1ce753860
            • Instruction ID: f95f39209bc38e1ef09e6580b99f9c2cae4771144945138b8e6bab61428ac1ff
            • Opcode Fuzzy Hash: 52d4f8b2bc5acc5f029ac2c9b46b7f78908d0bac8236577b99ac6bc1ce753860
            • Instruction Fuzzy Hash: 5D11DF72214664AFCB20CF68CC04AAA3BA4AF453B0F118324F939D72F0D7308952DB40
            APIs
            • SendMessageW.USER32(?,00001060,?,00000004), ref: 00A356BB
            • _wcslen.LIBCMT ref: 00A356CD
            • _wcslen.LIBCMT ref: 00A356D8
            • SendMessageW.USER32(?,00001002,00000000,?), ref: 00A35816
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: MessageSend_wcslen
            • String ID:
            • API String ID: 455545452-0
            • Opcode ID: beaa2e694dabf683293f8b1d8e4a0e9c1f4bd9254c8676376c48285bb3046ac0
            • Instruction ID: 7d6274ec0e2cabc3eef22bd26fe5ee54497469fb9e46587153a311b6e413c3a6
            • Opcode Fuzzy Hash: beaa2e694dabf683293f8b1d8e4a0e9c1f4bd9254c8676376c48285bb3046ac0
            • Instruction Fuzzy Hash: 1711B471E0061496DB20DFB98C86BEE77BCAF11760F54802AF915D6081E7748A80CB61
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID:
            • String ID:
            • API String ID:
            • Opcode ID: 213235e1c7c9c789d32f5514b217dc42a3794dccb46bc8bdbcc6afe99b3ef76f
            • Instruction ID: 5f5eddcb75f15ec6bb213828844d63e761f7c2bb449aebd06ea258ec5265ebd4
            • Opcode Fuzzy Hash: 213235e1c7c9c789d32f5514b217dc42a3794dccb46bc8bdbcc6afe99b3ef76f
            • Instruction Fuzzy Hash: 98018BB72896167FF6212AB86CC0F67661EDF817B8B308327F522A13D2DB608C409160
            APIs
            • SendMessageW.USER32(?,000000B0,?,?), ref: 00A01A47
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A01A59
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A01A6F
            • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00A01A8A
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: MessageSend
            • String ID:
            • API String ID: 3850602802-0
            • Opcode ID: c9778418000054a38d570816bdb211ad9a4425707c095b8749dbd1e08f8aae5e
            • Instruction ID: e99503cb051a2cafe22c3ca3d67b7d8a0cc7984a7701f739214d8a732d49f4d8
            • Opcode Fuzzy Hash: c9778418000054a38d570816bdb211ad9a4425707c095b8749dbd1e08f8aae5e
            • Instruction Fuzzy Hash: E811F73AA01219FFEB11DBA5DD85FEDBB78EB08750F200091EA04B7290D6716E51DB94
            APIs
            • GetCurrentThreadId.KERNEL32 ref: 00A0E1FD
            • MessageBoxW.USER32(?,?,?,?), ref: 00A0E230
            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00A0E246
            • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00A0E24D
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
            • String ID:
            • API String ID: 2880819207-0
            • Opcode ID: cd1653e46db387e97e6810b5d670b24f4a835c61f3ca6535009ab2823f08de69
            • Instruction ID: ccfc939b136acd7984c02ce45d87b8af702ad80e7e12541f470065eaaebb8f3c
            • Opcode Fuzzy Hash: cd1653e46db387e97e6810b5d670b24f4a835c61f3ca6535009ab2823f08de69
            • Instruction Fuzzy Hash: FE110872D04218BBCB01DBECAC09ADE7FACAB45325F008719F924E72D0D270C90187A0
            APIs
            • CreateThread.KERNEL32(00000000,?,009CCFF9,00000000,00000004,00000000), ref: 009CD218
            • GetLastError.KERNEL32 ref: 009CD224
            • __dosmaperr.LIBCMT ref: 009CD22B
            • ResumeThread.KERNEL32(00000000), ref: 009CD249
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Thread$CreateErrorLastResume__dosmaperr
            • String ID:
            • API String ID: 173952441-0
            • Opcode ID: 0737f74cbe11c1eab17552bf88b3a63c9acc84a24dde029c139eea3f2e7f5a1b
            • Instruction ID: 2fd20045132914c9487ab971eee6c9f95d6317974cd768f5aee23532d0ed5885
            • Opcode Fuzzy Hash: 0737f74cbe11c1eab17552bf88b3a63c9acc84a24dde029c139eea3f2e7f5a1b
            • Instruction Fuzzy Hash: 6C019276C06204BBDB219BA5DC09FAA7A6DDFC1731F20422DF935961D0DB71C901D7A2
            APIs
            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009A604C
            • GetStockObject.GDI32(00000011), ref: 009A6060
            • SendMessageW.USER32(00000000,00000030,00000000), ref: 009A606A
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CreateMessageObjectSendStockWindow
            • String ID:
            • API String ID: 3970641297-0
            • Opcode ID: 97f1c9ae6957a777d8b6de8bb95e28683f5b4fa3beb27f41045b80e383e55d71
            • Instruction ID: 7e6ccbd41d20ea68389ea99a89adc8f412ed999c5a7d4aab48ecdd89238ae162
            • Opcode Fuzzy Hash: 97f1c9ae6957a777d8b6de8bb95e28683f5b4fa3beb27f41045b80e383e55d71
            • Instruction Fuzzy Hash: F5116D72501959BFEF128FA59C44EEABB6DFF093A4F090215FA1462110D7369CA1EBE0
            APIs
            • ___BuildCatchObject.LIBVCRUNTIME ref: 009C3B56
              • Part of subcall function 009C3AA3: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 009C3AD2
              • Part of subcall function 009C3AA3: ___AdjustPointer.LIBCMT ref: 009C3AED
            • _UnwindNestedFrames.LIBCMT ref: 009C3B6B
            • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 009C3B7C
            • CallCatchBlock.LIBVCRUNTIME ref: 009C3BA4
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
            • String ID:
            • API String ID: 737400349-0
            • Opcode ID: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
            • Instruction ID: a54d4fb1c8a85f3e42606a7017217452d97cc85948d3d68efc17c2cbe7b9032d
            • Opcode Fuzzy Hash: 12ea49abee573113f57dbd3ec3a577afcc9c348439d29e6cbe32e78011ac24d3
            • Instruction Fuzzy Hash: AF01D732900149BBDF129E95CC46FEB7B6DEF98754F048018FE5866121C632E9619BA1
            APIs
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,009A13C6,00000000,00000000,?,009D301A,009A13C6,00000000,00000000,00000000,?,009D328B,00000006,FlsSetValue), ref: 009D30A5
            • GetLastError.KERNEL32(?,009D301A,009A13C6,00000000,00000000,00000000,?,009D328B,00000006,FlsSetValue,00A42290,FlsSetValue,00000000,00000364,?,009D2E46), ref: 009D30B1
            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,009D301A,009A13C6,00000000,00000000,00000000,?,009D328B,00000006,FlsSetValue,00A42290,FlsSetValue,00000000), ref: 009D30BF
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: LibraryLoad$ErrorLast
            • String ID:
            • API String ID: 3177248105-0
            • Opcode ID: 67a019ac47df2390d616066f8284efc3f1837f1f7ee665746446887817348fd9
            • Instruction ID: 244962bc1b7845bbe4ba6da438c41239da634e3410d5d577f3792e0d53be2f64
            • Opcode Fuzzy Hash: 67a019ac47df2390d616066f8284efc3f1837f1f7ee665746446887817348fd9
            • Instruction Fuzzy Hash: 8001D436381222ABCB218BB8EC449577B9CAF45B72B14C621F905F7240C725D902C7E1
            APIs
            • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00A0747F
            • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00A07497
            • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00A074AC
            • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00A074CA
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Type$Register$FileLoadModuleNameUser
            • String ID:
            • API String ID: 1352324309-0
            • Opcode ID: 5bde2e0b209e228185ab95509d1e3d7ed821b53ee33b7a7780bd867b8ed822f5
            • Instruction ID: cf664e9e7d7e6ee3714f811c75cff19384d544af0536a8cea7ac3aad8dcdb07a
            • Opcode Fuzzy Hash: 5bde2e0b209e228185ab95509d1e3d7ed821b53ee33b7a7780bd867b8ed822f5
            • Instruction Fuzzy Hash: 1211ADB5A05318ABE720CF58EC08B9A7BFCEB00B10F108569B656E6191D7B2F904DB60
            APIs
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00A0ACD3,?,00008000), ref: 00A0B0C4
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A0ACD3,?,00008000), ref: 00A0B0E9
            • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00A0ACD3,?,00008000), ref: 00A0B0F3
            • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00A0ACD3,?,00008000), ref: 00A0B126
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CounterPerformanceQuerySleep
            • String ID:
            • API String ID: 2875609808-0
            • Opcode ID: 667a5b49148da314d1614ccf068461d31745e3e3d42b910967df3cc60a18d36c
            • Instruction ID: e0b8b6c6567b63e3e652b0c971b1866a67b8ecfeefaf5fcaa46361fc938d3de0
            • Opcode Fuzzy Hash: 667a5b49148da314d1614ccf068461d31745e3e3d42b910967df3cc60a18d36c
            • Instruction Fuzzy Hash: 0C116D31C1152CE7CF00EFE4EE68AEEBB78FF49721F104285E941B2181CB3056619BA1
            APIs
            • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00A02DC5
            • GetWindowThreadProcessId.USER32(?,00000000), ref: 00A02DD6
            • GetCurrentThreadId.KERNEL32 ref: 00A02DDD
            • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00A02DE4
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
            • String ID:
            • API String ID: 2710830443-0
            • Opcode ID: 8541f380f3ae5a5158dc4948600ba39f9aa4ece8ba62a5e52ce4adc36a59c524
            • Instruction ID: 47518e6ebbcb6abd3d30e56a0cf1ff44a8ce49c549a9afedaa77c262f3d44230
            • Opcode Fuzzy Hash: 8541f380f3ae5a5158dc4948600ba39f9aa4ece8ba62a5e52ce4adc36a59c524
            • Instruction Fuzzy Hash: 31E06D711013287ADB205BA2AC0EFEB7E6CEB42BB1F001115B105E10809AA0C942C7B0
            APIs
              • Part of subcall function 009B9639: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 009B9693
              • Part of subcall function 009B9639: SelectObject.GDI32(?,00000000), ref: 009B96A2
              • Part of subcall function 009B9639: BeginPath.GDI32(?), ref: 009B96B9
              • Part of subcall function 009B9639: SelectObject.GDI32(?,00000000), ref: 009B96E2
            • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00A38887
            • LineTo.GDI32(?,?,?), ref: 00A38894
            • EndPath.GDI32(?), ref: 00A388A4
            • StrokePath.GDI32(?), ref: 00A388B2
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
            • String ID:
            • API String ID: 1539411459-0
            • Opcode ID: d675fbda64ebaabeb3746dc7fe2f0949c6da9d01938d23213e09da94573391f1
            • Instruction ID: cfaf9acec7528f26a1db28fc48983b0dfda99b6c95a87cf3ac75edba0d21ba95
            • Opcode Fuzzy Hash: d675fbda64ebaabeb3746dc7fe2f0949c6da9d01938d23213e09da94573391f1
            • Instruction Fuzzy Hash: 14F0DA36045659FBDB129FD8AC0AFCA3B69AF06320F448100FB12750E2C7795552DBA5
            APIs
            • GetSysColor.USER32(00000008), ref: 009B98CC
            • SetTextColor.GDI32(?,?), ref: 009B98D6
            • SetBkMode.GDI32(?,00000001), ref: 009B98E9
            • GetStockObject.GDI32(00000005), ref: 009B98F1
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Color$ModeObjectStockText
            • String ID:
            • API String ID: 4037423528-0
            • Opcode ID: b5de0dc1feea99d0ff56a46c367bfa0e4b6c2e6b1b6cb7d9e4c0eaf3b42e38dd
            • Instruction ID: f65ad7ae99c51cd6159e7d92b81773d882b23b1c06cb31eaf2aa067e09c5f8b5
            • Opcode Fuzzy Hash: b5de0dc1feea99d0ff56a46c367bfa0e4b6c2e6b1b6cb7d9e4c0eaf3b42e38dd
            • Instruction Fuzzy Hash: A3E09B31244244AEDF219BB4FC09BE87F15EB11335F048319F7F6650E1C37146419B10
            APIs
            • GetCurrentThread.KERNEL32 ref: 00A01634
            • OpenThreadToken.ADVAPI32(00000000,?,?,?,00A011D9), ref: 00A0163B
            • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00A011D9), ref: 00A01648
            • OpenProcessToken.ADVAPI32(00000000,?,?,?,00A011D9), ref: 00A0164F
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CurrentOpenProcessThreadToken
            • String ID:
            • API String ID: 3974789173-0
            • Opcode ID: 06a5772e20ebcabc7758a1afa8876a85d3fd01832d41bc32987f5bda5c532e65
            • Instruction ID: 3a5e05cee55c3fd6be6dc336aa6e5d41d251fb52ce7b52f997ef36ad98e27043
            • Opcode Fuzzy Hash: 06a5772e20ebcabc7758a1afa8876a85d3fd01832d41bc32987f5bda5c532e65
            • Instruction Fuzzy Hash: 59E08C32A02211EBD7206FE0AE0DBC77B7CAF457A6F148808F245E9080E7348546CB60
            APIs
            • GetDesktopWindow.USER32 ref: 009FD858
            • GetDC.USER32(00000000), ref: 009FD862
            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 009FD882
            • ReleaseDC.USER32(?), ref: 009FD8A3
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: 994c86072c158d2058c8c35890560e425a67cafbd41c2e697e6d95b59be9053b
            • Instruction ID: 9f10b5b3fd4e4b65dfb5970775f0bcd522ab27895c297a6399b4b057467df372
            • Opcode Fuzzy Hash: 994c86072c158d2058c8c35890560e425a67cafbd41c2e697e6d95b59be9053b
            • Instruction Fuzzy Hash: 2EE0EEB1800204EFCB41EFE09D09A6DBBB2AB08320F209409F846A7260CB388902AF40
            APIs
            • GetDesktopWindow.USER32 ref: 009FD86C
            • GetDC.USER32(00000000), ref: 009FD876
            • GetDeviceCaps.GDI32(00000000,0000000C), ref: 009FD882
            • ReleaseDC.USER32(?), ref: 009FD8A3
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CapsDesktopDeviceReleaseWindow
            • String ID:
            • API String ID: 2889604237-0
            • Opcode ID: 659ea921f270b6a369cb2119b7d36d91a986ecdd7c72ed5b59fab01fb03a10f8
            • Instruction ID: d3800c71161a4cf811821305806ba89080f9f7cca2d64d3cf145ca48f4a921cb
            • Opcode Fuzzy Hash: 659ea921f270b6a369cb2119b7d36d91a986ecdd7c72ed5b59fab01fb03a10f8
            • Instruction Fuzzy Hash: 21E092B5800604EFCB51EFE0DD4D66DBBB5BB48321F149449F94AF7260DB389902AF50
            APIs
              • Part of subcall function 009A7620: _wcslen.LIBCMT ref: 009A7625
            • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00A14ED4
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Connection_wcslen
            • String ID: *$LPT
            • API String ID: 1725874428-3443410124
            • Opcode ID: 736bb9b879b4f72a6b8b6563eb9dcf7bb45c9caea6895f476dd36274e2f8e7fd
            • Instruction ID: f80548cbe88d443d89fb14128176240e8d80e18416eded6081e2742f069be359
            • Opcode Fuzzy Hash: 736bb9b879b4f72a6b8b6563eb9dcf7bb45c9caea6895f476dd36274e2f8e7fd
            • Instruction Fuzzy Hash: 1C915075A002049FCB14DF58C494EEABBF5BF49714F198099E80A9F3A2D731ED86CB91
            APIs
            • __startOneArgErrorHandling.LIBCMT ref: 009CE30D
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ErrorHandling__start
            • String ID: pow
            • API String ID: 3213639722-2276729525
            • Opcode ID: 96bda0bb87add24831af561b687bfd85ca7f8d54042b68246ee55e33543c127b
            • Instruction ID: 488a04d7b0ef8bf1fff289ee21884279b62b5587b6a8d81a58f77061dbbd2b30
            • Opcode Fuzzy Hash: 96bda0bb87add24831af561b687bfd85ca7f8d54042b68246ee55e33543c127b
            • Instruction Fuzzy Hash: 1B513A65E4C20296CB15B794C901B79BB9C9B80740F70CD5EE097423F9FB398C969A47
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID:
            • String ID: #
            • API String ID: 0-1885708031
            • Opcode ID: 13741c53d11776e3223d2e13976ccf10bcaf9720cd5592046663e0c6d38bbb94
            • Instruction ID: 25efd1807bac005141d436ae728eaf122d7bb51996439fa8e18d69908fddcec5
            • Opcode Fuzzy Hash: 13741c53d11776e3223d2e13976ccf10bcaf9720cd5592046663e0c6d38bbb94
            • Instruction Fuzzy Hash: 8851277550424ADFDB15EF68C4816FA7BACEF55320F244069FDA19B2E0D7349D42CB90
            APIs
            • Sleep.KERNEL32(00000000), ref: 009BF2A2
            • GlobalMemoryStatusEx.KERNEL32(?), ref: 009BF2BB
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: GlobalMemorySleepStatus
            • String ID: @
            • API String ID: 2783356886-2766056989
            • Opcode ID: fbde3a83cc7d6a6eb049fc4a50d390edef7105d894e2c132730b17035497ce3c
            • Instruction ID: b80bd1aee69e15244750c029d73838e35d9e856ff2131b1fe1cfde79fa05f3b7
            • Opcode Fuzzy Hash: fbde3a83cc7d6a6eb049fc4a50d390edef7105d894e2c132730b17035497ce3c
            • Instruction Fuzzy Hash: B85123724087449BD320EF90DC86BABBBF8FBC5300F81885DF199411A5EB708529CBA6
            APIs
            • CharUpperBuffW.USER32(?,?,?,00000003,?,?), ref: 00A257E0
            • _wcslen.LIBCMT ref: 00A257EC
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: BuffCharUpper_wcslen
            • String ID: CALLARGARRAY
            • API String ID: 157775604-1150593374
            • Opcode ID: 31673a11203500cffd6d8e53422e37759e9e7fa400c7b586af260735031e90b6
            • Instruction ID: a104c5902993ff5fc13d7db1f9e575f78fea4de9e7f7a1b1b64a8700297f9451
            • Opcode Fuzzy Hash: 31673a11203500cffd6d8e53422e37759e9e7fa400c7b586af260735031e90b6
            • Instruction Fuzzy Hash: DE418C31E002199FCB04DFB8D9819AEBBB5FF99324F104029E505AB291E7749D81DBA0
            APIs
            • _wcslen.LIBCMT ref: 00A1D130
            • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00A1D13A
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CrackInternet_wcslen
            • String ID: |
            • API String ID: 596671847-2343686810
            • Opcode ID: 00a5650f733554e62970a1f7d168147f792d97258c5225d69528e05fe92ac71e
            • Instruction ID: b7e5bb55a4103953d2d819c7ed762d1f385eca872884e36c72e4e451c45178a3
            • Opcode Fuzzy Hash: 00a5650f733554e62970a1f7d168147f792d97258c5225d69528e05fe92ac71e
            • Instruction Fuzzy Hash: CD312C71D00219ABCF15EFA4CC85AEEBFB9FF46340F100119F815A6161E735AA56CBA0
            APIs
            • DestroyWindow.USER32(?,?,?,?), ref: 00A33621
            • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00A3365C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Window$DestroyMove
            • String ID: static
            • API String ID: 2139405536-2160076837
            • Opcode ID: e78bd6c9a6b29d129cc8e4f62dd8d088312ac2e0b8f88cd94c119a1dac0774ef
            • Instruction ID: 3e5e987132a07192a9297b672b3bf816ddf884608968a1cdfe40690ec4363c6f
            • Opcode Fuzzy Hash: e78bd6c9a6b29d129cc8e4f62dd8d088312ac2e0b8f88cd94c119a1dac0774ef
            • Instruction Fuzzy Hash: 85318A72110204AEDB20DF68DC81ABB73A9FF88720F009619F8A5D7290DB34AD91C760
            APIs
            • SendMessageW.USER32(?,00001132,00000000,?), ref: 00A3461F
            • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00A34634
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: '
            • API String ID: 3850602802-1997036262
            • Opcode ID: 250d6b12dc82b2501be352592b07f85176751ee94e30ad84159c49ed36936ea9
            • Instruction ID: 2384c2a73b4d2205a045e5f188d8578e789ebc88c6c89e1fd4b366492fe12dfc
            • Opcode Fuzzy Hash: 250d6b12dc82b2501be352592b07f85176751ee94e30ad84159c49ed36936ea9
            • Instruction Fuzzy Hash: E531F675E0130A9FDB14CFA9C991BDABBB5FF49300F14406AE905AB391E770A942CF90
            APIs
            • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00A3327C
            • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00A33287
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: MessageSend
            • String ID: Combobox
            • API String ID: 3850602802-2096851135
            • Opcode ID: 22fb5defa2770195392bf05b30ef435df8cc673d850e1c3c656fb7475d5db51c
            • Instruction ID: c47fa2ff6280094f214adc997dea12446cf76f89dc2bd8add97355ab712ce3fa
            • Opcode Fuzzy Hash: 22fb5defa2770195392bf05b30ef435df8cc673d850e1c3c656fb7475d5db51c
            • Instruction Fuzzy Hash: 6911B2723042087FEF219F94DC81EFB376AEBA4364F104228F91897290D6759D518760
            APIs
              • Part of subcall function 009A600E: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009A604C
              • Part of subcall function 009A600E: GetStockObject.GDI32(00000011), ref: 009A6060
              • Part of subcall function 009A600E: SendMessageW.USER32(00000000,00000030,00000000), ref: 009A606A
            • GetWindowRect.USER32(00000000,?), ref: 00A3377A
            • GetSysColor.USER32(00000012), ref: 00A33794
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Window$ColorCreateMessageObjectRectSendStock
            • String ID: static
            • API String ID: 1983116058-2160076837
            • Opcode ID: 3003477b6ad8755bce8a89a4ad339d8826d36f1cdb784af2312fa5f4018785d1
            • Instruction ID: 39c8064547577dcc868bc20225281ffa12434062e6aa682204e4fe6083cd097f
            • Opcode Fuzzy Hash: 3003477b6ad8755bce8a89a4ad339d8826d36f1cdb784af2312fa5f4018785d1
            • Instruction Fuzzy Hash: 8A1126B2610209AFDF00DFA8CC46AFA7BB8FB08314F004915F956E2250E735E8619B60
            APIs
            • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00A1CD7D
            • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00A1CDA6
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Internet$OpenOption
            • String ID: <local>
            • API String ID: 942729171-4266983199
            • Opcode ID: 9a4f2d6bb173b8c25598ad2353c54581c9362af1ee6a5a939d9d1eb2b2b93c57
            • Instruction ID: 3b42440c5410ce552d9f6ecb514cd9dd510dd036df3b014dafc38f43400fad8c
            • Opcode Fuzzy Hash: 9a4f2d6bb173b8c25598ad2353c54581c9362af1ee6a5a939d9d1eb2b2b93c57
            • Instruction Fuzzy Hash: FE11C2B1285631BAD7384B66AC49EE7BEACEF127B4F00422AB54993080D7749981D6F0
            APIs
            • GetWindowTextLengthW.USER32(00000000), ref: 00A334AB
            • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00A334BA
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: LengthMessageSendTextWindow
            • String ID: edit
            • API String ID: 2978978980-2167791130
            • Opcode ID: f3abb889064e7e0e9a9711cd554e2f9dd7d6af8127b1d8be2da25b8dd5875303
            • Instruction ID: 809ed6003468ebb3bb883710c9bd07a65709ecc22c1e5748a21ba9fc26a87973
            • Opcode Fuzzy Hash: f3abb889064e7e0e9a9711cd554e2f9dd7d6af8127b1d8be2da25b8dd5875303
            • Instruction Fuzzy Hash: 29118C72104208ABEF228FA4DC85ABB37AAEB05775F504724F965A31E0C775DC919B60
            APIs
              • Part of subcall function 009A9CB3: _wcslen.LIBCMT ref: 009A9CBD
            • CharUpperBuffW.USER32(?,?,?), ref: 00A06CB6
            • _wcslen.LIBCMT ref: 00A06CC2
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: _wcslen$BuffCharUpper
            • String ID: STOP
            • API String ID: 1256254125-2411985666
            • Opcode ID: 99c598ee9fdfa282737a0fa0414b5889189678a65d7575ce27e31901905d6446
            • Instruction ID: 3fdb008257f7d697029e6b65802f50aee82800f1630eed0fc864fbc86507a79d
            • Opcode Fuzzy Hash: 99c598ee9fdfa282737a0fa0414b5889189678a65d7575ce27e31901905d6446
            • Instruction Fuzzy Hash: B101D632A0092A8BDB219FFDEC91ABF77B5FBA57187100529E852971D0EB31D960C690
            APIs
              • Part of subcall function 009A9CB3: _wcslen.LIBCMT ref: 009A9CBD
              • Part of subcall function 00A03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A03CCA
            • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00A01D4C
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ClassMessageNameSend_wcslen
            • String ID: ComboBox$ListBox
            • API String ID: 624084870-1403004172
            • Opcode ID: db8fd2fb416157e7a5260c5d32bacb6760f4967df4afba9a3dd71ffe90fe0f20
            • Instruction ID: 39fc679fa66aca5bf8641f7a3f5c4929e5e82975cbd20c01a4c11487c309f367
            • Opcode Fuzzy Hash: db8fd2fb416157e7a5260c5d32bacb6760f4967df4afba9a3dd71ffe90fe0f20
            • Instruction Fuzzy Hash: 2001D471A0122CABCF08EBA4DD55DFE73B8FB47360B044A19F872672C1EA34590887A0
            APIs
              • Part of subcall function 009A9CB3: _wcslen.LIBCMT ref: 009A9CBD
              • Part of subcall function 00A03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A03CCA
            • SendMessageW.USER32(?,00000180,00000000,?), ref: 00A01C46
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ClassMessageNameSend_wcslen
            • String ID: ComboBox$ListBox
            • API String ID: 624084870-1403004172
            • Opcode ID: 71eca7f1c74f15e1d0d88f4c2a9879b8c2cab378015e67238ae6c500bf8c506e
            • Instruction ID: c956f6855cd5bc49e62afecb2a7636cee3ad3ad13f7c23e6ed91ed2a6f862ac2
            • Opcode Fuzzy Hash: 71eca7f1c74f15e1d0d88f4c2a9879b8c2cab378015e67238ae6c500bf8c506e
            • Instruction Fuzzy Hash: 7301A775A8110C67DF08EBA0DE56AFF77B8AB52340F140019F416772C1EA24DE4C86B1
            APIs
              • Part of subcall function 009A9CB3: _wcslen.LIBCMT ref: 009A9CBD
              • Part of subcall function 00A03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A03CCA
            • SendMessageW.USER32(?,00000182,?,00000000), ref: 00A01CC8
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ClassMessageNameSend_wcslen
            • String ID: ComboBox$ListBox
            • API String ID: 624084870-1403004172
            • Opcode ID: 8ef532227a1a1f7b950b22d370b9097fc72beb7a55bd93ccd4232d22bdb5d8ee
            • Instruction ID: 37442ec40085f1f5e0a2a693d7587f03679ea828e1676a9684569f6a962b4fec
            • Opcode Fuzzy Hash: 8ef532227a1a1f7b950b22d370b9097fc72beb7a55bd93ccd4232d22bdb5d8ee
            • Instruction Fuzzy Hash: 3601D671A8011C67EF04EBA4DF16AFE73BCAB12380F140415B806B32C1EA24DF19C6B1
            APIs
              • Part of subcall function 009A9CB3: _wcslen.LIBCMT ref: 009A9CBD
              • Part of subcall function 00A03CA7: GetClassNameW.USER32(?,?,000000FF), ref: 00A03CCA
            • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00A01DD3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ClassMessageNameSend_wcslen
            • String ID: ComboBox$ListBox
            • API String ID: 624084870-1403004172
            • Opcode ID: 754435042075c1fea1ffe5bd4fb9f7c91571a0a6f67dfc8e84004c42f802b8c2
            • Instruction ID: 14f42d660c27e28ed3d146b6f1feb27893584e19502d611ec0be1e1e05d9ad27
            • Opcode Fuzzy Hash: 754435042075c1fea1ffe5bd4fb9f7c91571a0a6f67dfc8e84004c42f802b8c2
            • Instruction Fuzzy Hash: ABF0AF71A4162866DB04E7A4DD56BFE77BCBB42390F040D19F866A72C1EA645A0882A0
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: _wcslen
            • String ID: 3, 3, 16, 1
            • API String ID: 176396367-3042988571
            • Opcode ID: 4df70f7bafff8832b4edcecbee92ba26067814e17835fa9192afc539637776e7
            • Instruction ID: c2c42f494202c6a5ab03e090a5ad24dc8c9872dfc1ef36adfa5be1fdefcbc609
            • Opcode Fuzzy Hash: 4df70f7bafff8832b4edcecbee92ba26067814e17835fa9192afc539637776e7
            • Instruction Fuzzy Hash: DEE02B02B14230209231337DBDC1FBF568ADFC5B90710183FF981C6266EAA48E9193A2
            APIs
            • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00A00B23
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: Message
            • String ID: AutoIt$Error allocating memory.
            • API String ID: 2030045667-4017498283
            • Opcode ID: 020117de4dc1dd8a97a658e3a9019c81b6b481644d5071cf957f5fff697f9530
            • Instruction ID: ca6018dca44c7d9b0c66cc33204cc6eb96fe4fa9173becec46aa03419f6ef067
            • Opcode Fuzzy Hash: 020117de4dc1dd8a97a658e3a9019c81b6b481644d5071cf957f5fff697f9530
            • Instruction Fuzzy Hash: B9E04F322843183AD21437947D03FD97A849F46B75F10082AFB98A55C38BE2659047E9
            APIs
              • Part of subcall function 009BF7C9: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,009C0D71,?,?,?,009A100A), ref: 009BF7CE
            • IsDebuggerPresent.KERNEL32(?,?,?,009A100A), ref: 009C0D75
            • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,009A100A), ref: 009C0D84
            Strings
            • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 009C0D7F
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
            • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
            • API String ID: 55579361-631824599
            • Opcode ID: 2ec4fab30c5d4620144d1f03baf28260596d0cfa594b5156b70cfb41561c4f4e
            • Instruction ID: e9bbd0ed223d0a1179d81af69c3fe3ef68ba3dd53a1e86945bbb0af9973b3663
            • Opcode Fuzzy Hash: 2ec4fab30c5d4620144d1f03baf28260596d0cfa594b5156b70cfb41561c4f4e
            • Instruction Fuzzy Hash: C6E06D706003118FD370EFF8DC047867BE4AB40750F00896DF886C6691DBB4E4458B92
            APIs
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: LocalTime
            • String ID: %.3d$X64
            • API String ID: 481472006-1077770165
            • Opcode ID: e36dc4c2fa4639e6f7a70d9c67f7d29f19be65b41891148cb7224b9d24c42bc9
            • Instruction ID: 340813d3d0166bd37de97b7ccf5c570c63359a97349dc7f21b3eaef1ea09154d
            • Opcode Fuzzy Hash: e36dc4c2fa4639e6f7a70d9c67f7d29f19be65b41891148cb7224b9d24c42bc9
            • Instruction Fuzzy Hash: 4CD0126180A11CE9CB50A7D0DD459FAB37DBB08311F608C52FA26A1040E62CC508A7A1
            APIs
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A3232C
            • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00A3233F
              • Part of subcall function 00A0E97B: Sleep.KERNEL32 ref: 00A0E9F3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: FindMessagePostSleepWindow
            • String ID: Shell_TrayWnd
            • API String ID: 529655941-2988720461
            • Opcode ID: 11e4557b11c2983031cab1bf71e83d360e38034c281586564cb9cb9de8e47bb8
            • Instruction ID: 0e997119ec73d4ebec36204526116f52660ce8f70d145ab24cbe05e981b68965
            • Opcode Fuzzy Hash: 11e4557b11c2983031cab1bf71e83d360e38034c281586564cb9cb9de8e47bb8
            • Instruction Fuzzy Hash: 89D0C936394310B6E664E7B0AC4FFC6BA14AB00B20F0049167645BA1D0C9A4A8028B54
            APIs
            • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00A3236C
            • PostMessageW.USER32(00000000), ref: 00A32373
              • Part of subcall function 00A0E97B: Sleep.KERNEL32 ref: 00A0E9F3
            Strings
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: FindMessagePostSleepWindow
            • String ID: Shell_TrayWnd
            • API String ID: 529655941-2988720461
            • Opcode ID: 9fa8fcf414bf5eb5484c787c5470c7a3d92d48ad7edd78b6c36c70c1a03b74b9
            • Instruction ID: d6f18b10ecb7b30ad136d8f697856d017cd23c7bc3c012382ec232865a90d378
            • Opcode Fuzzy Hash: 9fa8fcf414bf5eb5484c787c5470c7a3d92d48ad7edd78b6c36c70c1a03b74b9
            • Instruction Fuzzy Hash: 41D0C9323C13107AE664E7B0AC4FFC6B614AB05B20F0049167645BA1D0C9A4A8028B54
            APIs
            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 009DBE93
            • GetLastError.KERNEL32 ref: 009DBEA1
            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 009DBEFC
            Memory Dump Source
            • Source File: 00000000.00000002.1660159544.00000000009A1000.00000020.00000001.01000000.00000003.sdmp, Offset: 009A0000, based on PE: true
            • Associated: 00000000.00000002.1660139559.00000000009A0000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A3C000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660244092.0000000000A62000.00000002.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660301038.0000000000A6C000.00000004.00000001.01000000.00000003.sdmp
            • Associated: 00000000.00000002.1660325893.0000000000A74000.00000002.00000001.01000000.00000003.sdmp
            Joe Sandbox IDA Plugin
            • Snapshot File: hcaresult_0_2_9a0000_eArchive_InvoiceNOS20240004228.jbxd
            Similarity
            • API ID: ByteCharMultiWide$ErrorLast
            • String ID:
            • API String ID: 1717984340-0
            • Opcode ID: 1df8e8706a7ecbe33b58e2a4defab32b3108e98706164fb31edcce81db893550
            • Instruction ID: 949e952cee943c3f258aaf9ee341b295629c1645d0cfc1f3b47ca24d470bb8e9
            • Opcode Fuzzy Hash: 1df8e8706a7ecbe33b58e2a4defab32b3108e98706164fb31edcce81db893550
            • Instruction Fuzzy Hash: CF414C34640206EFCF219FA9CC54BBA7BA9DF41320F16C15AF959973A1DB308D01DB60