
Windows Analysis Report
Invoices #645473.exe

Overview

General Information

Sample name: Invoices #645473.exe
Analysis ID: 1544371
MD5: 7da470614cd6b249cb23791bddaa250f
SHA1: 8697882c8587ae8f2c3d13ac7d67d9b2af63dd53
SHA256: b74738195e0a2cb8cb1fefaed422beacea62264fe0a96195474464e65c221b3a
Tags: exe, user-threatcat_ch

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected FormBook
AI detected suspicious sample
Contains functionality to detect sleep reduction / modifications
Drops VBS files to the startup folder
Initial sample is a PE file and has a suspicious name
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
Potential key logger detected (key state polling based)
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Invoices #645473.exe (PID: 7108 cmdline: "C:\Users\user\Desktop\Invoices #645473.exe" MD5: 7DA470614CD6B249CB23791BDDAA250F)
    • translucently.exe (PID: 6160 cmdline: "C:\Users\user\Desktop\Invoices #645473.exe" MD5: 7DA470614CD6B249CB23791BDDAA250F)
      • svchost.exe (PID: 6492 cmdline: "C:\Users\user\Desktop\Invoices #645473.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • wscript.exe (PID: 5316 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\translucently.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • translucently.exe (PID: 4480 cmdline: "C:\Users\user\AppData\Local\camellin\translucently.exe" MD5: 7DA470614CD6B249CB23791BDDAA250F)
      • svchost.exe (PID: 3260 cmdline: "C:\Users\user\AppData\Local\camellin\translucently.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000005.00000002.2366314493.00000000030D0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000005.00000002.2366314493.00000000030D0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2bf20:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x140cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000002.00000002.2247231382.0000000003100000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2247231382.0000000003100000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2bf20:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x140cf:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000005.00000002.2366028789.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2e723:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x168d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
5.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
5.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2f523:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x176d2:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

              System Summary

Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\translucently.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\translucently.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\translucently.vbs" , ProcessId: 5316, ProcessName: wscript.exe
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\Invoices #645473.exe", CommandLine: "C:\Users\user\Desktop\Invoices #645473.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoices #645473.exe", ParentImage: C:\Users\user\AppData\Local\camellin\translucently.exe, ParentProcessId: 6160, ParentProcessName: translucently.exe, ProcessCommandLine: "C:\Users\user\Desktop\Invoices #645473.exe", ProcessId: 6492, ProcessName: svchost.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\translucently.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\translucently.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\translucently.vbs" , ProcessId: 5316, ProcessName: wscript.exe
Source: Process started; Author: vburov; Data: Command: "C:\Users\user\Desktop\Invoices #645473.exe", CommandLine: "C:\Users\user\Desktop\Invoices #645473.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Invoices #645473.exe", ParentImage: C:\Users\user\AppData\Local\camellin\translucently.exe, ParentProcessId: 6160, ParentProcessName: translucently.exe, ProcessCommandLine: "C:\Users\user\Desktop\Invoices #645473.exe", ProcessId: 6492, ProcessName: svchost.exe

              Data Obfuscation

Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\camellin\translucently.exe, ProcessId: 6160, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\translucently.vbs
No Suricata rule has matched


              AV Detection

Source: C:\Users\user\AppData\Local\camellin\translucently.exe; ReversingLabs: Detection: 63%
Source: Invoices #645473.exe; ReversingLabs: Detection: 63%
Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.2366314493.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2247231382.0000000003100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2366028789.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2246944733.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Joe Sandbox ML: detected
Source: Invoices #645473.exe; Joe Sandbox ML: detected
Source: Invoices #645473.exe; Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              Source: Binary string: wntdll.pdbUGP source: translucently.exe, 00000001.00000003.1718796261.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, translucently.exe, 00000001.00000003.1719832765.0000000004750000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2247298103.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2209097760.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2211050007.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2247298103.000000000359E000.00000040.00001000.00020000.00000000.sdmp, translucently.exe, 00000004.00000003.1858403387.0000000004670000.00000004.00001000.00020000.00000000.sdmp, translucently.exe, 00000004.00000003.1856614868.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2326202490.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2322445346.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2366343832.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2366343832.000000000349E000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: translucently.exe, 00000001.00000003.1718796261.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, translucently.exe, 00000001.00000003.1719832765.0000000004750000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2247298103.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2209097760.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2211050007.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2247298103.000000000359E000.00000040.00001000.00020000.00000000.sdmp, translucently.exe, 00000004.00000003.1858403387.0000000004670000.00000004.00001000.00020000.00000000.sdmp, translucently.exe, 00000004.00000003.1856614868.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2326202490.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2322445346.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2366343832.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2366343832.000000000349E000.00000040.00001000.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Invoices #645473.exe; Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452126
Source: C:\Users\user\Desktop\Invoices #645473.exe; Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,0_2_0045C999
Source: C:\Users\user\Desktop\Invoices #645473.exe; Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,0_2_00436ADE
Source: C:\Users\user\Desktop\Invoices #645473.exe; Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00434BEE
Source: C:\Users\user\Desktop\Invoices #645473.exe; Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,0_2_00436D2D
Source: C:\Users\user\Desktop\Invoices #645473.exe; Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442E1F
Source: C:\Users\user\Desktop\Invoices #645473.exe; Code function: 0_2_0045DD7C FindFirstFileW,FindClose,0_2_0045DD7C
Source: C:\Users\user\Desktop\Invoices #645473.exe; Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD29
Source: C:\Users\user\Desktop\Invoices #645473.exe; Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00475FE5
Source: C:\Users\user\Desktop\Invoices #645473.exe; Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8D
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 1_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,1_2_00452126
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 1_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,1_2_0045C999
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 1_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,1_2_00436ADE
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 1_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00434BEE
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 1_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,1_2_00436D2D
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 1_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00442E1F
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 1_2_0045DD7C FindFirstFileW,FindClose,1_2_0045DD7C
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 1_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,1_2_0044BD29
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 1_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_00475FE5
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 1_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_0044BF8D
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 4_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,4_2_00452126
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 4_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,4_2_0045C999
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 4_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,4_2_00436ADE
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 4_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_00434BEE
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 4_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,4_2_00436D2D
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 4_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_00442E1F
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 4_2_0045DD7C FindFirstFileW,FindClose,4_2_0045DD7C
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 4_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,4_2_0044BD29
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 4_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,4_2_00475FE5
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 4_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,4_2_0044BF8D
Source: C:\Users\user\Desktop\Invoices #645473.exe; Code function: 0_2_0044289D InternetQueryDataAvailable,InternetReadFile,0_2_0044289D
Source: C:\Users\user\Desktop\Invoices #645473.exe; Code function: 0_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00459FFF
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 1_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,1_2_00459FFF
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 4_2_00459FFF OpenClipboard,EmptyClipboard,CloseClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,4_2_00459FFF
Source: C:\Users\user\Desktop\Invoices #645473.exe; Code function: 0_2_00456354 GetCursorPos,ScreenToClient,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetWindowLongW,0_2_00456354
Source: C:\Users\user\Desktop\Invoices #645473.exe; Code function: 0_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0047C08E
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 1_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,1_2_0047C08E
Source: C:\Users\user\AppData\Local\camellin\translucently.exe; Code function: 4_2_0047C08E SendMessageW,DefDlgProcW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,GetWindowLongW,SendMessageW,SendMessageW,SendMessageW,_wcsncpy,SendMessageW,SendMessageW,SendMessageW,InvalidateRect,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,4_2_0047C08E

              E-Banking Fraud

Source: Yara match; File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000005.00000002.2366314493.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2247231382.0000000003100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000005.00000002.2366028789.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match; File source: 00000002.00000002.2246944733.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

              System Summary

              barindex
              Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000005.00000002.2366314493.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000002.00000002.2247231382.0000000003100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000005.00000002.2366028789.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: 00000002.00000002.2246944733.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
              Source: initial sampleStatic PE information: Filename: Invoices #645473.exe
              Source: C:\Windows\System32\wscript.exeCOM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}Jump to behavior
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0042C7C3 NtClose,2_2_0042C7C3
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472B60 NtClose,LdrInitializeThunk,2_2_03472B60
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03472DF0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034735C0 NtCreateMutant,LdrInitializeThunk,2_2_034735C0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03474340 NtSetContextThread,2_2_03474340
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03474650 NtSuspendThread,2_2_03474650
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472BE0 NtQueryValueKey,2_2_03472BE0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472BF0 NtAllocateVirtualMemory,2_2_03472BF0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472B80 NtQueryInformationFile,2_2_03472B80
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472BA0 NtEnumerateValueKey,2_2_03472BA0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472AD0 NtReadFile,2_2_03472AD0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472AF0 NtWriteFile,2_2_03472AF0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472AB0 NtWaitForSingleObject,2_2_03472AB0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472F60 NtCreateProcessEx,2_2_03472F60
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472F30 NtCreateSection,2_2_03472F30
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472FE0 NtCreateFile,2_2_03472FE0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472F90 NtProtectVirtualMemory,2_2_03472F90
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472FA0 NtQuerySection,2_2_03472FA0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472FB0 NtResumeThread,2_2_03472FB0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472E30 NtWriteVirtualMemory,2_2_03472E30
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472EE0 NtQueueApcThread,2_2_03472EE0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472E80 NtReadVirtualMemory,2_2_03472E80
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472EA0 NtAdjustPrivilegesToken,2_2_03472EA0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472D00 NtSetInformationFile,2_2_03472D00
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472D10 NtMapViewOfSection,2_2_03472D10
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472D30 NtUnmapViewOfSection,2_2_03472D30
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472DD0 NtDelayExecution,2_2_03472DD0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472DB0 NtEnumerateKey,2_2_03472DB0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472C60 NtCreateKey,2_2_03472C60
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472C70 NtFreeVirtualMemory,2_2_03472C70
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472C00 NtQueryInformationProcess,2_2_03472C00
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472CC0 NtQueryVirtualMemory,2_2_03472CC0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472CF0 NtOpenProcess,2_2_03472CF0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472CA0 NtQueryInformationToken,2_2_03472CA0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03473010 NtOpenDirectoryObject,2_2_03473010
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03473090 NtSetValueKey,2_2_03473090
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034739B0 NtGetContextThread,2_2_034739B0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03473D70 NtOpenThread,2_2_03473D70
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03473D10 NtOpenProcessToken,2_2_03473D10
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_00434D50 GetFullPathNameW,__swprintf,_wcslen,_wcslen,_wcslen,CreateDirectoryW,CreateFileW,_memset,_wcslen,_wcsncpy,DeviceIoControl,CloseHandle,RemoveDirectoryW,CloseHandle
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_004461ED _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,_wcsncpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_00412038
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_0047E1FA
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_0041A46B
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_0041240C
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_004045E0
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_00412818
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_0047CBF0
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_0044EBBC
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_00412C38
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_0044ED9A
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_00424F70
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_0041AF0D
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_00427161
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_004212BE
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_00443390
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_00443391
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_0041D750
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_004037E0
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_00427859
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_0040F890
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_0042397B
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_00409A40
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_00411B63
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_00423EBF
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_03F8BE88
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_00409A40
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_00412038
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_0047E1FA
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_0041A46B
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_0041240C
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_004045E0
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_00412818
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_0047CBF0
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_0044EBBC
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_00412C38
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_0044ED9A
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_00424F70
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_0041AF0D
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_00427161
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_004212BE
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_00443390
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_00443391
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_0041D750
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_004037E0
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_00427859
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_0040F890
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_0042397B
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_00411B63
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_00423EBF
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_0403DAB8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004100C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402930
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402989
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00416A43
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00401220
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00416A3E
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004102E3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0040E363
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00403380
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_004034AD
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402560
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_00402659
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0042EE13
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FA352
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0344E3F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035003E6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E0274
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C02C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C8158
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03430100
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DA118
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034F81CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034F41A2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035001AA
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034D2000
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03464750
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03440770
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343C7C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345C6E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03440535
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03500591
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034F2446
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E4420
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034EE4F6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FAB40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034F6BD7
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343EA80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03456962
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034429A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0350A9A6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0344A840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03442840
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346E8F0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034268B8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B4F40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03482F28
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03460F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E2F30
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03432FC8
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BEFA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03440E59
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FEE26
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FEEDB
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03452E90
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FCE93
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0344AD00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DCD1F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343ADE0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03458DBF
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03440C00
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03430CF2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E0CB5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342D34C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034F132D
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0348739A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345B2C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E12ED
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034452A0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0347516C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342F172
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0350B16B
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0344B1B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034EF0CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034470C0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034F70E9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FF0E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FF7B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03485630
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034F16CC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034F7571
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_035095C3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DD5B0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03431460
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FF43F
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FFB76
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B5BF0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0347DBF9
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345FB80
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FFA49
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034F7A46
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B3A6C
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034EDAC6
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DDAAC
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03485AA0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E1AA3
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03449950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345B950
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034D5910
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034AD800
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034438E0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FFF09
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03403FD2
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03403FD5
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03441F92
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FFFB1
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03449EB0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03443D40
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034F1D5A
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034F7D73
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345FDC0
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B9C32
Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FFCF2
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_00409A40
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_00412038
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_0047E1FA
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_0041A46B
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_0041240C
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_004045E0
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_00412818
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_0047CBF0
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_0044EBBC
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_00412C38
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_0044ED9A
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_00424F70
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_0041AF0D
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_00427161
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_004212BE
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_00443390
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_00443391
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_0041D750
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_004037E0
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_00427859
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_0040F890
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_0042397B
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_00411B63
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_00423EBF
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_03E7B2B0
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: String function: 00425210 appears 56 times
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: String function: 00445975 appears 130 times
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: String function: 0041171A appears 74 times
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: String function: 0041832D appears 52 times
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: String function: 004136BC appears 36 times
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: String function: 004092C0 appears 50 times
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: String function: 0041718C appears 88 times
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: String function: 00401B70 appears 46 times
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: String function: 0040E6D0 appears 70 times
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: String function: 0043362D appears 38 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 034AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 0342B970 appears 265 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03475130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 03487E54 appears 108 times
Source: C:\Windows\SysWOW64\svchost.exe Code function: String function: 034BF290 appears 105 times
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: String function: 00445975 appears 65 times
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: String function: 0041171A appears 37 times
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: String function: 0041718C appears 44 times
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: String function: 0040E6D0 appears 35 times
Source: Invoices #645473.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2366314493.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2247231382.0000000003100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000005.00000002.2366028789.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.2246944733.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@10/3@0/0
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_0044AF5C GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_00464422 OpenProcess,GetLastError,GetLastError,GetCurrentThread,OpenThreadToken,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,OpenProcess,AdjustTokenPrivileges,CloseHandle,TerminateProcess,GetLastError,CloseHandle
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_004364AA GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,SetSystemPowerState
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_0045D517 SetErrorMode,GetDiskFreeSpaceW,GetLastError,SetErrorMode
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_0043701F CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,__wcsicoll,CloseHandle
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_0047A999 OleInitialize,CLSIDFromProgID,CoCreateInstance,CoInitializeSecurity,_memset,_wcslen,_memset,CoCreateInstanceEx,CoSetProxyBlanket
Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_0043614F __swprintf,__swprintf,__wcsicoll,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
Source: C:\Users\user\Desktop\Invoices #645473.exe File created: C:\Users\user\AppData\Local\camellin
Source: C:\Users\user\Desktop\Invoices #645473.exe File created: C:\Users\user\AppData\Local\Temp\retrofits
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\translucently.vbs"
Source: Invoices #645473.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Invoices #645473.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Invoices #645473.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Invoices #645473.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\Invoices #645473.exe File read: C:\Users\user\Desktop\Invoices #645473.exe
Source: unknown Process created: C:\Users\user\Desktop\Invoices #645473.exe "C:\Users\user\Desktop\Invoices #645473.exe"
Source: C:\Users\user\Desktop\Invoices #645473.exe Process created: C:\Users\user\AppData\Local\camellin\translucently.exe "C:\Users\user\Desktop\Invoices #645473.exe"
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Invoices #645473.exe"
Source: unknown Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\translucently.vbs"
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Local\camellin\translucently.exe "C:\Users\user\AppData\Local\camellin\translucently.exe"
Source: C:\Users\user\AppData\Local\camellin\translucently.exe Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\camellin\translucently.exe"
              Source: C:\Users\user\Desktop\Invoices #645473.exeProcess created: C:\Users\user\AppData\Local\camellin\translucently.exe "C:\Users\user\Desktop\Invoices #645473.exe"Jump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Invoices #645473.exe"Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\camellin\translucently.exe "C:\Users\user\AppData\Local\camellin\translucently.exe" Jump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\camellin\translucently.exe" Jump to behavior
              Source: C:\Users\user\Desktop\Invoices #645473.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\Invoices #645473.exeSection loaded: wsock32.dllJump to behavior
              Source: C:\Users\user\Desktop\Invoices #645473.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\Invoices #645473.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\Invoices #645473.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\Desktop\Invoices #645473.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\Invoices #645473.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\Invoices #645473.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\Invoices #645473.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\Invoices #645473.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\Invoices #645473.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\Invoices #645473.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\Invoices #645473.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\Invoices #645473.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: wsock32.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mlang.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: slc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: wsock32.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\Invoices #645473.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
              Source: Invoices #645473.exeStatic file information: File size 1338477 > 1048576
              Source: Binary string: wntdll.pdbUGP source: translucently.exe, 00000001.00000003.1718796261.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, translucently.exe, 00000001.00000003.1719832765.0000000004750000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2247298103.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2209097760.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2211050007.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2247298103.000000000359E000.00000040.00001000.00020000.00000000.sdmp, translucently.exe, 00000004.00000003.1858403387.0000000004670000.00000004.00001000.00020000.00000000.sdmp, translucently.exe, 00000004.00000003.1856614868.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2326202490.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2322445346.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2366343832.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2366343832.000000000349E000.00000040.00001000.00020000.00000000.sdmp
              Source: Binary string: wntdll.pdb source: translucently.exe, 00000001.00000003.1718796261.0000000003BC0000.00000004.00001000.00020000.00000000.sdmp, translucently.exe, 00000001.00000003.1719832765.0000000004750000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2247298103.0000000003400000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2209097760.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2211050007.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2247298103.000000000359E000.00000040.00001000.00020000.00000000.sdmp, translucently.exe, 00000004.00000003.1858403387.0000000004670000.00000004.00001000.00020000.00000000.sdmp, translucently.exe, 00000004.00000003.1856614868.00000000044D0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2326202490.0000000003100000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000003.2322445346.0000000002F00000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2366343832.0000000003300000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000005.00000002.2366343832.000000000349E000.00000040.00001000.00020000.00000000.sdmp
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,0_2_0040EB70
              Source: translucently.exe.0.dr | Static PE information: real checksum: 0xa2135 should be: 0x14e75b
              Source: Invoices #645473.exe | Static PE information: real checksum: 0xa2135 should be: 0x14e75b
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_004171D1 push ecx; ret 0_2_004171E4
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 1_2_004171D1 push ecx; ret 1_2_004171E4
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401801 push ebp; iretd 2_2_00401802
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00402090 push ebp; iretd 2_2_00402093
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004228B2 push esi; retn 0000h 2_2_004228BA
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041913D push esp; iretd 2_2_00419156
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00411991 push 2C170C91h; retf 2_2_00411996
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0040D265 push ss; retf 2_2_0040D266
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401AF1 push ebp; iretd 2_2_00401AF2
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00401B40 push ebp; iretd 2_2_00401B59
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041EC3F push edx; iretd 2_2_0041EC40
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004125DC push esp; iretd 2_2_004125DD
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004085F6 pushad ; iretd 2_2_00408608
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00414DB1 push ebp; ret 2_2_00414DBC
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041EDB4 push ebx; retf 2_2_0041EDBD
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00403600 push eax; ret 2_2_00403602
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0340225F pushad ; ret 2_2_034027F9
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034027FA pushad ; ret 2_2_034027F9
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034309AD push ecx; mov dword ptr [esp], ecx 2_2_034309B6
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0340283D push eax; iretd 2_2_03402858
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0340135E push eax; iretd 2_2_03401369
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 4_2_004171D1 push ecx; ret 4_2_004171E4
              Source: C:\Users\user\Desktop\Invoices #645473.exe | File created: C:\Users\user\AppData\Local\camellin\translucently.exe

              Boot Survival

              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\translucently.vbs
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\translucently.vbs
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\translucently.vbs
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_004772DE
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004375B0
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 1_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,1_2_004772DE
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 1_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,1_2_004375B0
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 4_2_004772DE IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,4_2_004772DE
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 4_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,4_2_004375B0
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_00444078 0_2_00444078
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 1_2_00444078 1_2_00444078
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 4_2_00444078 4_2_00444078
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | API/Special instruction interceptor: Address: 403D6DC
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | API/Special instruction interceptor: Address: 3E7AED4
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E rdtsc 2_2_0347096E
              Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-84660
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_0-83371
              Source: C:\Users\user\Desktop\Invoices #645473.exe | API coverage: 3.0 %
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | API coverage: 3.5 %
              Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.6 %
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | API coverage: 3.3 %
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6516 | Thread sleep time: -30000s >= -30000s
              Source: C:\Windows\SysWOW64\svchost.exe TID: 6804 | Thread sleep time: -30000s >= -30000s
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_00452126
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,0_2_0045C999
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,0_2_00436ADE
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00434BEE
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,0_2_00436D2D
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00442E1F
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_0045DD7C FindFirstFileW,FindClose,0_2_0045DD7C
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,0_2_0044BD29
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_00475FE5
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_0044BF8D
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 1_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,1_2_00452126
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 1_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,1_2_0045C999
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 1_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,1_2_00436ADE
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 1_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00434BEE
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 1_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,1_2_00436D2D
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 1_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00442E1F
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 1_2_0045DD7C FindFirstFileW,FindClose,1_2_0045DD7C
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 1_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,1_2_0044BD29
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 1_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_00475FE5
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 1_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,1_2_0044BF8D
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 4_2_00452126 FindFirstFileW,Sleep,FindNextFileW,FindClose,4_2_00452126
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 4_2_0045C999 FindFirstFileW,FindNextFileW,FindClose,4_2_0045C999
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 4_2_00436ADE GetFileAttributesW,FindFirstFileW,FindClose,4_2_00436ADE
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 4_2_00434BEE FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_00434BEE
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 4_2_00436D2D FindFirstFileW,CreateFileW,SetFileTime,CloseHandle,SetFileTime,CloseHandle,4_2_00436D2D
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 4_2_00442E1F SetCurrentDirectoryW,FindFirstFileW,SetCurrentDirectoryW,FindFirstFileW,FindNextFileW,FindClose,FindClose,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,4_2_00442E1F
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 4_2_0045DD7C FindFirstFileW,FindClose,4_2_0045DD7C
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 4_2_0044BD29 _wcscat,_wcscat,__wsplitpath,FindFirstFileW,CopyFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindClose,MoveFileW,FindNextFileW,FindClose,4_2_0044BD29
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 4_2_00475FE5 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,4_2_00475FE5
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 4_2_0044BF8D _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,FindClose,4_2_0044BF8D
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0040E470
              Source: C:\Users\user\Desktop\Invoices #645473.exe | API call chain: ExitProcess graph end node graph_0-83330
              Source: C:\Users\user\Desktop\Invoices #645473.exe | API call chain: ExitProcess graph end node graph_0-83209
              Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
              Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
              Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0347096E rdtsc 2_2_0347096E
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004179F3 LdrLoadDll,2_2_004179F3
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_0045A259 BlockInput,0_2_0045A259
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D6D0
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_0040EB70 LoadLibraryA,GetProcAddress,0_2_0040EB70
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_03F8A6D8 mov eax, dword ptr fs:[00000030h] 0_2_03F8A6D8
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_03F8BD78 mov eax, dword ptr fs:[00000030h] 0_2_03F8BD78
              Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_03F8BD18 mov eax, dword ptr fs:[00000030h] 0_2_03F8BD18
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 1_2_0403C308 mov eax, dword ptr fs:[00000030h] 1_2_0403C308
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 1_2_0403D948 mov eax, dword ptr fs:[00000030h] 1_2_0403D948
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 1_2_0403D9A8 mov eax, dword ptr fs:[00000030h] 1_2_0403D9A8
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B2349 mov eax, dword ptr fs:[00000030h] 2_2_034B2349
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h] 2_2_034B035C
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h] 2_2_034B035C
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h] 2_2_034B035C
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov ecx, dword ptr fs:[00000030h] 2_2_034B035C
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h] 2_2_034B035C
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B035C mov eax, dword ptr fs:[00000030h] 2_2_034B035C
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034FA352 mov eax, dword ptr fs:[00000030h] 2_2_034FA352
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D8350 mov ecx, dword ptr fs:[00000030h] 2_2_034D8350
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0350634F mov eax, dword ptr fs:[00000030h] 2_2_0350634F
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034D437C mov eax, dword ptr fs:[00000030h] 2_2_034D437C
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h] 2_2_0346A30B
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h] 2_2_0346A30B
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0346A30B mov eax, dword ptr fs:[00000030h] 2_2_0346A30B
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0342C310 mov ecx, dword ptr fs:[00000030h] 2_2_0342C310
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03450310 mov ecx, dword ptr fs:[00000030h] 2_2_03450310
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h] 2_2_03508324
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03508324 mov ecx, dword ptr fs:[00000030h] 2_2_03508324
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h] 2_2_03508324
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03508324 mov eax, dword ptr fs:[00000030h] 2_2_03508324
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034EC3CD mov eax, dword ptr fs:[00000030h] 2_2_034EC3CD
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0343A3C0
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0343A3C0
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0343A3C0
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0343A3C0
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0343A3C0
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0343A3C0 mov eax, dword ptr fs:[00000030h] 2_2_0343A3C0
              Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_034B63C0 mov eax, dword ptr fs:[00000030h] 2_2_034B63C0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]2_2_034DE3DB
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]2_2_034DE3DB
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE3DB mov ecx, dword ptr fs:[00000030h]2_2_034DE3DB
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE3DB mov eax, dword ptr fs:[00000030h]2_2_034DE3DB
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]2_2_034D43D4
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D43D4 mov eax, dword ptr fs:[00000030h]2_2_034D43D4
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034403E9 mov eax, dword ptr fs:[00000030h]2_2_034403E9
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]2_2_0344E3F0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]2_2_0344E3F0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E3F0 mov eax, dword ptr fs:[00000030h]2_2_0344E3F0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034663FF mov eax, dword ptr fs:[00000030h]2_2_034663FF
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]2_2_0342E388
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]2_2_0342E388
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342E388 mov eax, dword ptr fs:[00000030h]2_2_0342E388
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]2_2_0345438F
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345438F mov eax, dword ptr fs:[00000030h]2_2_0345438F
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]2_2_03428397
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]2_2_03428397
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03428397 mov eax, dword ptr fs:[00000030h]2_2_03428397
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B8243 mov eax, dword ptr fs:[00000030h]2_2_034B8243
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B8243 mov ecx, dword ptr fs:[00000030h]2_2_034B8243
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0350625D mov eax, dword ptr fs:[00000030h]2_2_0350625D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A250 mov eax, dword ptr fs:[00000030h]2_2_0342A250
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436259 mov eax, dword ptr fs:[00000030h]2_2_03436259
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]2_2_034EA250
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EA250 mov eax, dword ptr fs:[00000030h]2_2_034EA250
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]2_2_03434260
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]2_2_03434260
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434260 mov eax, dword ptr fs:[00000030h]2_2_03434260
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342826B mov eax, dword ptr fs:[00000030h]2_2_0342826B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E0274 mov eax, dword ptr fs:[00000030h]2_2_034E0274
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342823B mov eax, dword ptr fs:[00000030h]2_2_0342823B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343A2C3 mov eax, dword ptr fs:[00000030h]2_2_0343A2C3
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035062D6 mov eax, dword ptr fs:[00000030h]2_2_035062D6
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]2_2_034402E1
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]2_2_034402E1
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402E1 mov eax, dword ptr fs:[00000030h]2_2_034402E1
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]2_2_0346E284
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346E284 mov eax, dword ptr fs:[00000030h]2_2_0346E284
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]2_2_034B0283
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]2_2_034B0283
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B0283 mov eax, dword ptr fs:[00000030h]2_2_034B0283
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]2_2_034402A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034402A0 mov eax, dword ptr fs:[00000030h]2_2_034402A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov ecx, dword ptr fs:[00000030h]2_2_034C62A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C62A0 mov eax, dword ptr fs:[00000030h]2_2_034C62A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov ecx, dword ptr fs:[00000030h]2_2_034C4144
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C4144 mov eax, dword ptr fs:[00000030h]2_2_034C4144
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C156 mov eax, dword ptr fs:[00000030h]2_2_0342C156
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C8158 mov eax, dword ptr fs:[00000030h]2_2_034C8158
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]2_2_03436154
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03436154 mov eax, dword ptr fs:[00000030h]2_2_03436154
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]2_2_03504164
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03504164 mov eax, dword ptr fs:[00000030h]2_2_03504164
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov eax, dword ptr fs:[00000030h]2_2_034DE10E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DE10E mov ecx, dword ptr fs:[00000030h]2_2_034DE10E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov ecx, dword ptr fs:[00000030h]2_2_034DA118
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034DA118 mov eax, dword ptr fs:[00000030h]2_2_034DA118
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F0115 mov eax, dword ptr fs:[00000030h]2_2_034F0115
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460124 mov eax, dword ptr fs:[00000030h]2_2_03460124
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]2_2_034F61C3
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F61C3 mov eax, dword ptr fs:[00000030h]2_2_034F61C3
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov ecx, dword ptr fs:[00000030h]2_2_034AE1D0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE1D0 mov eax, dword ptr fs:[00000030h]2_2_034AE1D0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_035061E5 mov eax, dword ptr fs:[00000030h]2_2_035061E5
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034601F8 mov eax, dword ptr fs:[00000030h]2_2_034601F8
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03470185 mov eax, dword ptr fs:[00000030h]2_2_03470185
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]2_2_034EC188
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034EC188 mov eax, dword ptr fs:[00000030h]2_2_034EC188
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]2_2_034D4180
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D4180 mov eax, dword ptr fs:[00000030h]2_2_034D4180
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B019F mov eax, dword ptr fs:[00000030h]2_2_034B019F
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A197 mov eax, dword ptr fs:[00000030h]2_2_0342A197
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03432050 mov eax, dword ptr fs:[00000030h]2_2_03432050
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B6050 mov eax, dword ptr fs:[00000030h]2_2_034B6050
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0345C073 mov eax, dword ptr fs:[00000030h]2_2_0345C073
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4000 mov ecx, dword ptr fs:[00000030h]2_2_034B4000
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D2000 mov eax, dword ptr fs:[00000030h]2_2_034D2000
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E016 mov eax, dword ptr fs:[00000030h]2_2_0344E016
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A020 mov eax, dword ptr fs:[00000030h]2_2_0342A020
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C020 mov eax, dword ptr fs:[00000030h]2_2_0342C020
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C6030 mov eax, dword ptr fs:[00000030h]2_2_034C6030
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B20DE mov eax, dword ptr fs:[00000030h]2_2_034B20DE
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342A0E3 mov ecx, dword ptr fs:[00000030h]2_2_0342A0E3
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034380E9 mov eax, dword ptr fs:[00000030h]2_2_034380E9
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B60E0 mov eax, dword ptr fs:[00000030h]2_2_034B60E0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0342C0F0 mov eax, dword ptr fs:[00000030h]2_2_0342C0F0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034720F0 mov ecx, dword ptr fs:[00000030h]2_2_034720F0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343208A mov eax, dword ptr fs:[00000030h]2_2_0343208A
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034280A0 mov eax, dword ptr fs:[00000030h]2_2_034280A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034C80A8 mov eax, dword ptr fs:[00000030h]2_2_034C80A8
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F60B8 mov eax, dword ptr fs:[00000030h]2_2_034F60B8
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F60B8 mov ecx, dword ptr fs:[00000030h]2_2_034F60B8
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov esi, dword ptr fs:[00000030h]2_2_0346674D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]2_2_0346674D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346674D mov eax, dword ptr fs:[00000030h]2_2_0346674D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430750 mov eax, dword ptr fs:[00000030h]2_2_03430750
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE75D mov eax, dword ptr fs:[00000030h]2_2_034BE75D
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]2_2_03472750
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472750 mov eax, dword ptr fs:[00000030h]2_2_03472750
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B4755 mov eax, dword ptr fs:[00000030h]2_2_034B4755
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03438770 mov eax, dword ptr fs:[00000030h]2_2_03438770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03440770 mov eax, dword ptr fs:[00000030h]2_2_03440770
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C700 mov eax, dword ptr fs:[00000030h]2_2_0346C700
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03430710 mov eax, dword ptr fs:[00000030h]2_2_03430710
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03460710 mov eax, dword ptr fs:[00000030h]2_2_03460710
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]2_2_0346C720
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346C720 mov eax, dword ptr fs:[00000030h]2_2_0346C720
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]2_2_0346273C
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov ecx, dword ptr fs:[00000030h]2_2_0346273C
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346273C mov eax, dword ptr fs:[00000030h]2_2_0346273C
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AC730 mov eax, dword ptr fs:[00000030h]2_2_034AC730
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343C7C0 mov eax, dword ptr fs:[00000030h]2_2_0343C7C0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B07C3 mov eax, dword ptr fs:[00000030h]2_2_034B07C3
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034527ED mov eax, dword ptr fs:[00000030h]2_2_034527ED
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034BE7E1 mov eax, dword ptr fs:[00000030h]2_2_034BE7E1
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]2_2_034347FB
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034347FB mov eax, dword ptr fs:[00000030h]2_2_034347FB
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034D678E mov eax, dword ptr fs:[00000030h]2_2_034D678E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034307AF mov eax, dword ptr fs:[00000030h]2_2_034307AF
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034E47A0 mov eax, dword ptr fs:[00000030h]2_2_034E47A0
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344C640 mov eax, dword ptr fs:[00000030h]2_2_0344C640
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]2_2_034F866E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034F866E mov eax, dword ptr fs:[00000030h]2_2_034F866E
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]2_2_0346A660
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A660 mov eax, dword ptr fs:[00000030h]2_2_0346A660
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03462674 mov eax, dword ptr fs:[00000030h]2_2_03462674
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE609 mov eax, dword ptr fs:[00000030h]2_2_034AE609
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344260B mov eax, dword ptr fs:[00000030h]2_2_0344260B
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03472619 mov eax, dword ptr fs:[00000030h]2_2_03472619
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0344E627 mov eax, dword ptr fs:[00000030h]2_2_0344E627
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03466620 mov eax, dword ptr fs:[00000030h]2_2_03466620
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03468620 mov eax, dword ptr fs:[00000030h]2_2_03468620
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0343262C mov eax, dword ptr fs:[00000030h]2_2_0343262C
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0346A6C7
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0346A6C7 mov eax, dword ptr fs:[00000030h]2_2_0346A6C7
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034AE6F2 mov eax, dword ptr fs:[00000030h]2_2_034AE6F2
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]2_2_034B06F1
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_034B06F1 mov eax, dword ptr fs:[00000030h]2_2_034B06F1
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]2_2_03434690
              Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03434690 mov eax, dword ptr fs:[00000030h]2_2_03434690
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346C6A6 mov eax, dword ptr fs:[00000030h] 2_2_0346C6A6
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034666B0 mov eax, dword ptr fs:[00000030h] 2_2_034666B0
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03438550 mov eax, dword ptr fs:[00000030h] 2_2_03438550
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346656A mov eax, dword ptr fs:[00000030h] 2_2_0346656A
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C6500 mov eax, dword ptr fs:[00000030h] 2_2_034C6500
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03504500 mov eax, dword ptr fs:[00000030h] 2_2_03504500
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03440535 mov eax, dword ptr fs:[00000030h] 2_2_03440535
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345E53E mov eax, dword ptr fs:[00000030h] 2_2_0345E53E
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346E5CF mov eax, dword ptr fs:[00000030h] 2_2_0346E5CF
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034365D0 mov eax, dword ptr fs:[00000030h] 2_2_034365D0
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346A5D0 mov eax, dword ptr fs:[00000030h] 2_2_0346A5D0
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345E5E7 mov eax, dword ptr fs:[00000030h] 2_2_0345E5E7
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034325E0 mov eax, dword ptr fs:[00000030h] 2_2_034325E0
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346C5ED mov eax, dword ptr fs:[00000030h] 2_2_0346C5ED
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03432582 mov eax, dword ptr fs:[00000030h] 2_2_03432582
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03432582 mov ecx, dword ptr fs:[00000030h] 2_2_03432582
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03464588 mov eax, dword ptr fs:[00000030h] 2_2_03464588
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346E59C mov eax, dword ptr fs:[00000030h] 2_2_0346E59C
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B05A7 mov eax, dword ptr fs:[00000030h] 2_2_034B05A7
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034545B1 mov eax, dword ptr fs:[00000030h] 2_2_034545B1
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346E443 mov eax, dword ptr fs:[00000030h] 2_2_0346E443
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034EA456 mov eax, dword ptr fs:[00000030h] 2_2_034EA456
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342645D mov eax, dword ptr fs:[00000030h] 2_2_0342645D
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345245A mov eax, dword ptr fs:[00000030h] 2_2_0345245A
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BC460 mov ecx, dword ptr fs:[00000030h] 2_2_034BC460
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345A470 mov eax, dword ptr fs:[00000030h] 2_2_0345A470
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342E420 mov eax, dword ptr fs:[00000030h] 2_2_0342E420
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342C427 mov eax, dword ptr fs:[00000030h] 2_2_0342C427
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B6420 mov eax, dword ptr fs:[00000030h] 2_2_034B6420
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346A430 mov eax, dword ptr fs:[00000030h] 2_2_0346A430
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034304E5 mov ecx, dword ptr fs:[00000030h] 2_2_034304E5
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034EA49A mov eax, dword ptr fs:[00000030h] 2_2_034EA49A
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034364AB mov eax, dword ptr fs:[00000030h] 2_2_034364AB
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034644B0 mov ecx, dword ptr fs:[00000030h] 2_2_034644B0
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BA4B0 mov eax, dword ptr fs:[00000030h] 2_2_034BA4B0
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E4B4B mov eax, dword ptr fs:[00000030h] 2_2_034E4B4B
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03502B57 mov eax, dword ptr fs:[00000030h] 2_2_03502B57
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C6B40 mov eax, dword ptr fs:[00000030h] 2_2_034C6B40
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FAB40 mov eax, dword ptr fs:[00000030h] 2_2_034FAB40
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034D8B42 mov eax, dword ptr fs:[00000030h] 2_2_034D8B42
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03428B50 mov eax, dword ptr fs:[00000030h] 2_2_03428B50
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DEB50 mov eax, dword ptr fs:[00000030h] 2_2_034DEB50
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0342CB7E mov eax, dword ptr fs:[00000030h] 2_2_0342CB7E
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03504B00 mov eax, dword ptr fs:[00000030h] 2_2_03504B00
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034AEB1D mov eax, dword ptr fs:[00000030h] 2_2_034AEB1D
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345EB20 mov eax, dword ptr fs:[00000030h] 2_2_0345EB20
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034F8B28 mov eax, dword ptr fs:[00000030h] 2_2_034F8B28
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03450BCB mov eax, dword ptr fs:[00000030h] 2_2_03450BCB
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03430BCD mov eax, dword ptr fs:[00000030h] 2_2_03430BCD
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DEBD0 mov eax, dword ptr fs:[00000030h] 2_2_034DEBD0
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03438BF0 mov eax, dword ptr fs:[00000030h] 2_2_03438BF0
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345EBFC mov eax, dword ptr fs:[00000030h] 2_2_0345EBFC
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BCBF0 mov eax, dword ptr fs:[00000030h] 2_2_034BCBF0
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03440BBE mov eax, dword ptr fs:[00000030h] 2_2_03440BBE
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034E4BB0 mov eax, dword ptr fs:[00000030h] 2_2_034E4BB0
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03436A50 mov eax, dword ptr fs:[00000030h] 2_2_03436A50
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03440A5B mov eax, dword ptr fs:[00000030h] 2_2_03440A5B
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346CA6F mov eax, dword ptr fs:[00000030h] 2_2_0346CA6F
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034DEA60 mov eax, dword ptr fs:[00000030h] 2_2_034DEA60
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034ACA72 mov eax, dword ptr fs:[00000030h] 2_2_034ACA72
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BCA11 mov eax, dword ptr fs:[00000030h] 2_2_034BCA11
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346CA24 mov eax, dword ptr fs:[00000030h] 2_2_0346CA24
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0345EA2E mov eax, dword ptr fs:[00000030h] 2_2_0345EA2E
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03454A35 mov eax, dword ptr fs:[00000030h] 2_2_03454A35
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346CA38 mov eax, dword ptr fs:[00000030h] 2_2_0346CA38
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03486ACC mov eax, dword ptr fs:[00000030h] 2_2_03486ACC
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03430AD0 mov eax, dword ptr fs:[00000030h] 2_2_03430AD0
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03464AD0 mov eax, dword ptr fs:[00000030h] 2_2_03464AD0
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0346AAEE mov eax, dword ptr fs:[00000030h] 2_2_0346AAEE
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343EA80 mov eax, dword ptr fs:[00000030h] 2_2_0343EA80
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03504A80 mov eax, dword ptr fs:[00000030h] 2_2_03504A80
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03468A90 mov edx, dword ptr fs:[00000030h] 2_2_03468A90
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03438AA0 mov eax, dword ptr fs:[00000030h] 2_2_03438AA0
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03486AA4 mov eax, dword ptr fs:[00000030h] 2_2_03486AA4
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B0946 mov eax, dword ptr fs:[00000030h] 2_2_034B0946
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03504940 mov eax, dword ptr fs:[00000030h] 2_2_03504940
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03456962 mov eax, dword ptr fs:[00000030h] 2_2_03456962
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0347096E mov eax, dword ptr fs:[00000030h] 2_2_0347096E
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0347096E mov edx, dword ptr fs:[00000030h] 2_2_0347096E
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034D4978 mov eax, dword ptr fs:[00000030h] 2_2_034D4978
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BC97C mov eax, dword ptr fs:[00000030h] 2_2_034BC97C
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034AE908 mov eax, dword ptr fs:[00000030h] 2_2_034AE908
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BC912 mov eax, dword ptr fs:[00000030h] 2_2_034BC912
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03428918 mov eax, dword ptr fs:[00000030h] 2_2_03428918
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B892A mov eax, dword ptr fs:[00000030h] 2_2_034B892A
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C892B mov eax, dword ptr fs:[00000030h] 2_2_034C892B
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C69C0 mov eax, dword ptr fs:[00000030h] 2_2_034C69C0
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_0343A9D0 mov eax, dword ptr fs:[00000030h] 2_2_0343A9D0
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034649D0 mov eax, dword ptr fs:[00000030h] 2_2_034649D0
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034FA9D3 mov eax, dword ptr fs:[00000030h] 2_2_034FA9D3
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BE9E0 mov eax, dword ptr fs:[00000030h] 2_2_034BE9E0
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034629F9 mov eax, dword ptr fs:[00000030h] 2_2_034629F9
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034429A0 mov eax, dword ptr fs:[00000030h] 2_2_034429A0
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034309AD mov eax, dword ptr fs:[00000030h] 2_2_034309AD
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B89B3 mov esi, dword ptr fs:[00000030h] 2_2_034B89B3
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034B89B3 mov eax, dword ptr fs:[00000030h] 2_2_034B89B3
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03442840 mov ecx, dword ptr fs:[00000030h] 2_2_03442840
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03460854 mov eax, dword ptr fs:[00000030h] 2_2_03460854
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03434859 mov eax, dword ptr fs:[00000030h] 2_2_03434859
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BE872 mov eax, dword ptr fs:[00000030h] 2_2_034BE872
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034C6870 mov eax, dword ptr fs:[00000030h] 2_2_034C6870
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_034BC810 mov eax, dword ptr fs:[00000030h] 2_2_034BC810
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03452835 mov eax, dword ptr fs:[00000030h] 2_2_03452835
              Source: C:\Windows\SysWOW64\svchost.exe Code function: 2_2_03452835 mov ecx, dword ptr fs:[00000030h] 2_2_03452835
              Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_00426DA1 CreateFileW,__lseeki64_nolock,__lseeki64_nolock,GetProcessHeap,HeapAlloc,__setmode_nolock,__write_nolock,__setmode_nolock,GetProcessHeap,HeapFree,__lseeki64_nolock,SetEndOfFile,GetLastError,__lseeki64_nolock, 0_2_00426DA1
              Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_0042202E SetUnhandledExceptionFilter, 0_2_0042202E
              Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004230F5
              Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00417D93
              Source: C:\Users\user\Desktop\Invoices #645473.exe Code function: 0_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00421FA7
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_0042202E SetUnhandledExceptionFilter, 1_2_0042202E
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_004230F5
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00417D93
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 1_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_00421FA7
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_0042202E SetUnhandledExceptionFilter, 4_2_0042202E
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_004230F5 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_004230F5
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_00417D93 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00417D93
              Source: C:\Users\user\AppData\Local\camellin\translucently.exe Code function: 4_2_00421FA7 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00421FA7

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\AppData\Local\camellin\translucently.exe Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 29B3008Jump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 29D2008Jump to behavior
              Source: C:\Users\user\Desktop\Invoices #645473.exeCode function: 0_2_0043916A LogonUserW,0_2_0043916A
              Source: C:\Users\user\Desktop\Invoices #645473.exeCode function: 0_2_0040D6D0 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetModuleFileNameW,GetForegroundWindow,ShellExecuteW,GetForegroundWindow,ShellExecuteW,0_2_0040D6D0
              Source: C:\Users\user\Desktop\Invoices #645473.exeCode function: 0_2_004375B0 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_004375B0
              Source: C:\Users\user\Desktop\Invoices #645473.exeCode function: 0_2_00436431 __wcsicoll,mouse_event,__wcsicoll,mouse_event,0_2_00436431
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Invoices #645473.exe"Jump to behavior
              Source: C:\Windows\System32\wscript.exeProcess created: C:\Users\user\AppData\Local\camellin\translucently.exe "C:\Users\user\AppData\Local\camellin\translucently.exe" Jump to behavior
              Source: C:\Users\user\AppData\Local\camellin\translucently.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\camellin\translucently.exe" Jump to behavior
              Source: C:\Users\user\Desktop\Invoices #645473.exeCode function: 0_2_00445DD3 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_00445DD3
              Source: translucently.exeBinary or memory string: Shell_TrayWnd
              Source: Invoices #645473.exe, translucently.exe.0.drBinary or memory string: @3PDASCRWINUPRWINDOWNLWINUPLWINDOWNSHIFTUPSHIFTDOWNALTUPALTDOWNCTRLUPCTRLDOWNMOUSE_XBUTTON2MOUSE_XBUTTON1MOUSE_MBUTTONMOUSE_RBUTTONMOUSE_LBUTTONLAUNCH_APP2LAUNCH_APP1LAUNCH_MEDIALAUNCH_MAILMEDIA_PLAY_PAUSEMEDIA_STOPMEDIA_PREVMEDIA_NEXTVOLUME_UPVOLUME_DOWNVOLUME_MUTEBROWSER_HOMEBROWSER_FAVORTIESBROWSER_SEARCHBROWSER_STOPBROWSER_REFRESHBROWSER_FORWARDBROWSER_BACKNUMPADENTERSLEEPRSHIFTLSHIFTRALTLALTRCTRLLCTRLAPPSKEYNUMPADDIVNUMPADDOTNUMPADSUBNUMPADADDNUMPADMULTNUMPAD9NUMPAD8NUMPAD7NUMPAD6NUMPAD5NUMPAD4NUMPAD3NUMPAD2NUMPAD1NUMPAD0CAPSLOCKPAUSEBREAKNUMLOCKSCROLLLOCKRWINLWINPRINTSCREENUPTABSPACERIGHTPGUPPGDNLEFTINSERTINSHOMEF12F11F10F9F8F7F6F5F4F3F2F1ESCAPEESCENTERENDDOWNDELETEDELBSBACKSPACEALTONOFF0%d%dShell_TrayWndExitScript Pausedblankinfoquestionstopwarning
Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_00410D10 cpuid 0_2_00410D10
Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_004223BC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,0_2_004223BC
Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_004711D2 GetUserNameW,0_2_004711D2
Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_0042039F __invoke_watson,__get_daylight,__invoke_watson,__get_daylight,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,0_2_0042039F
Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_0040E470 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_0040E470
Source: C:\Users\user\Desktop\Invoices #645473.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.2366314493.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2247231382.0000000003100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2366028789.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2246944733.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
              Source: translucently.exe.0.drBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPWIN_2000InstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 6, 0USERPROFILEUSERDOMAINUSERDNSDOMAINDefaultGetSystemWow64DirectoryWSeDebugPrivilege:cdeclwinapistdcallnonestrwstrintbooluintlongulongdwordshortushortwordbyteubytebooleanfloatdoubleptrhwndhandlelresultlparamwparamint64uint64int_ptruint_ptrlong_ptrulong_ptrdword_ptridispatch64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYadvapi32.dllRegDeleteKeyExW+.-.+-\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]ISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXISTSEXPANDmsctls_statusbar321tooltips_class32AutoIt v3 GUI%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----
Source: translucently.exe | Binary or memory string: WIN_XP
Source: translucently.exe | Binary or memory string: WIN_XPe
Source: translucently.exe | Binary or memory string: WIN_VISTA
Source: translucently.exe | Binary or memory string: WIN_7

              Remote Access Functionality

Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.2366314493.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2247231382.0000000003100000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2366028789.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2246944733.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_004741BB
Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,0_2_0046483C
Source: C:\Users\user\Desktop\Invoices #645473.exe | Code function: 0_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,0_2_0047AD92
Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 1_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,1_2_004741BB
Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 1_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,1_2_0046483C
Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 1_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,1_2_0047AD92
Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 4_2_004741BB socket,WSAGetLastError,bind,WSAGetLastError,closesocket,4_2_004741BB
Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 4_2_0046483C socket,WSAGetLastError,bind,WSAGetLastError,listen,WSAGetLastError,closesocket,4_2_0046483C
Source: C:\Users\user\AppData\Local\camellin\translucently.exe | Code function: 4_2_0047AD92 OleInitialize,_wcslen,CreateBindCtx,MkParseDisplayName,CLSIDFromProgID,GetActiveObject,4_2_0047AD92
MITRE ATT&CK Matrix (tactic columns): Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
The per-tactic technique cells and their signature counts were flattened during extraction and are not recoverable from this text.
Source | Detection | Scanner | Label | Link
Invoices #645473.exe | 63% | ReversingLabs | Win32.Trojan.AutoitInject |
Invoices #645473.exe | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\camellin\translucently.exe | 100% | Joe Sandbox ML | |
C:\Users\user\AppData\Local\camellin\translucently.exe | 63% | ReversingLabs | Win32.Trojan.AutoitInject |
              No Antivirus matches
              No contacted domains info
              No contacted IP infos
              Joe Sandbox version:41.0.0 Charoite
              Analysis ID:1544371
              Start date and time:2024-10-29 10:35:08 +01:00
              Joe Sandbox product:CloudBasic
              Overall analysis duration:0h 7m 51s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:10
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample name:Invoices #645473.exe
              Detection:MAL
              Classification:mal100.troj.expl.evad.winEXE@10/3@0/0
              EGA Information:
              • Successful, ratio: 100%
              HCA Information:
              • Successful, ratio: 98%
              • Number of executed functions: 41
              • Number of non-executed functions: 323
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
              • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
              • Report creation exceeded maximum time and may have missing disassembly code information.
              • Report size exceeded maximum capacity and may have missing disassembly code.
              • Report size getting too big, too many NtOpenKeyEx calls found.
              • Report size getting too big, too many NtProtectVirtualMemory calls found.
              • Report size getting too big, too many NtQueryValueKey calls found.
              • VT rate limit hit for: Invoices #645473.exe
Time | Type | Description
05:36:55 | API Interceptor | 6x Sleep call for process: svchost.exe modified
09:36:06 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\translucently.vbs
              No context
              Process:C:\Users\user\Desktop\Invoices #645473.exe
              File Type:data
              Category:dropped
              Size (bytes):288768
              Entropy (8bit):7.992986532748753
              Encrypted:true
              SSDEEP:6144:A5Ntxk9mQT8CwAN7S1GCgq/GYuqFsv/5HamkGPx8qTk4:0NtOmQTmpZHuqFa5HafGPx5N
              MD5:77D4001A061CE4D4383253AA24E8C8B2
              SHA1:DF842E562895022025C3DE22C1E080DB28BB8E09
              SHA-256:5DE910CB4D17DAF3DA51AB17EF227C726B9F782DEBEF96EF73705BEC7D76A560
              SHA-512:93D0DDA9B14FB2B4E138AF99536037F526CBDF23F8523259785713B1CDFBC8EADBE83B94475D55CF790B945B5BD79E7E93AE9280952BF702606F187BB838C5F6
              Malicious:false
              Reputation:low
              Preview:.m.a.PBZ1..0....{.OS...nSC..F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6.7G3AO.T1.Y...7..fg'91zA4?,K.[fT&]!?6zS#p9L!./Ygw..b7^"5e4B<b7G3OPBZHGY../Q..'T.m"=.\...uV!.]..~:V.J..&P.a&3*gQ!.K9O6F7G3..BZ}GQK8U&.7G3OPBZ1.PI8D7M7GeKPBZ1FPK9O.R7G3_PBZABPK9.6F'G3ORBZ7FPK9O6F1G3OPBZ1F O9O4F7G3OP@Zq.PK)O6V7G3O@BZ!FPK9O6V7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK.;S>CG3OT.^1F@K9O`B7G#OPBZ1FPK9O6F7G.OP"Z1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1FPK9O6F7G3OPBZ1F
              Process:C:\Users\user\Desktop\Invoices #645473.exe
              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
              Category:dropped
              Size (bytes):1338477
              Entropy (8bit):7.51813038021692
              Encrypted:false
              SSDEEP:24576:ffmMv6Ckr7Mny5QLDkem53L3gnPWfGeun6MqhZfNvtyn:f3v+7/5QLDkem538yGdndqh0
              MD5:7DA470614CD6B249CB23791BDDAA250F
              SHA1:8697882C8587AE8F2C3D13AC7D67D9B2AF63DD53
              SHA-256:B74738195E0A2CB8CB1FEFAED422BEACEA62264FE0A96195474464E65C221B3A
              SHA-512:CCE5A25C2FD60F8B315B9CAEC710A736B1FF0DC52C81F0B7DAFDBD3F73BE61547A08827A49F48702929803E9894F7518022DB7AB4683AB750D920FBB53BE0CEA
              Malicious:true
              Antivirus:
              • Antivirus: Joe Sandbox ML, Detection: 100%
              • Antivirus: ReversingLabs, Detection: 63%
              Reputation:low
              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i.i.i..9.k.`.:.w.`.,...`.+.P.N%.c.N%.H.i.d.`. ./.w.:.k.w.;.h.i.8.h.`.>.h.Richi.........................PE..L.....K..........#..................c....... ....@..........................P......5!........@.......@.....................<...T.................................................................................... ..@............................text............................... ..`.rdata..\.... ......................@..@.data............h..................@....rsrc................H..............@..@................................................................................................................................................................................................................................................................................................................................
              Process:C:\Users\user\AppData\Local\camellin\translucently.exe
              File Type:data
              Category:dropped
              Size (bytes):284
              Entropy (8bit):3.3901736576749317
              Encrypted:false
              SSDEEP:6:DMM8lfm3OOQdUfcloRKUEZ+lX1GlJD/iCQcDnriIM8lfQVn:DsO+vNloRKQ1CDNbmA2n
              MD5:06B2CCBDCD61EE562BECACC061250846
              SHA1:6341C60141099771F3E5A4F3EAC0CE210E4D2DBA
              SHA-256:E9E554137CB16EB9ABA0E3E55A00A80E8A53CE58CD7FFCA5F631AB47CFE48FA2
              SHA-512:29764F43C10FC30C7270FB24A99FE10B1CF34973137E3D63F90B9792D5DCE5BDCE98AC96315A25B9368E578FFEFCAF08289B2094EF2FBBE60B36F73EFD965F92
              Malicious:true
              Reputation:low
Preview (UTF-16LE text, decoded):
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "C:\Users\jones\AppData\Local\camellin\translucently.exe", 1
Set WshShell = Nothing
              File type:PE32 executable (GUI) Intel 80386, for MS Windows
              Entropy (8bit):7.51813038021692
              TrID:
              • Win32 Executable (generic) a (10002005/4) 95.11%
              • AutoIt3 compiled script executable (510682/80) 4.86%
              • Generic Win/DOS Executable (2004/3) 0.02%
              • DOS Executable Generic (2002/1) 0.02%
              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
              File name:Invoices #645473.exe
              File size:1'338'477 bytes
              MD5:7da470614cd6b249cb23791bddaa250f
              SHA1:8697882c8587ae8f2c3d13ac7d67d9b2af63dd53
              SHA256:b74738195e0a2cb8cb1fefaed422beacea62264fe0a96195474464e65c221b3a
              SHA512:cce5a25c2fd60f8b315b9caec710a736b1ff0dc52c81f0b7dafdbd3f73be61547a08827a49f48702929803e9894f7518022db7ab4683ab750d920fbb53be0cea
              SSDEEP:24576:ffmMv6Ckr7Mny5QLDkem53L3gnPWfGeun6MqhZfNvtyn:f3v+7/5QLDkem538yGdndqh0
              TLSH:4055F112F3D680F6D9A33970293BF72AEB3575194723C48B67E02E769F111409B3A762
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......-...i...i...i.....9.k...`.:.w...`.,.....`.+.P...N%..c...N%..H...i...d...`. ./...w.:.k...w.;.h...i.8.h...`.>.h...Richi..........
              Icon Hash:1733312925935517
              Entrypoint:0x416310
              Entrypoint Section:.text
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
              DLL Characteristics:TERMINAL_SERVER_AWARE
              Time Stamp:0x4B93CF87 [Sun Mar 7 16:08:39 2010 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:5
              OS Version Minor:0
              File Version Major:5
              File Version Minor:0
              Subsystem Version Major:5
              Subsystem Version Minor:0
              Import Hash:aaaa8913c89c8aa4a5d93f06853894da
              Instruction
              call 00007F1D587DC30Ch
              jmp 00007F1D587D00DEh
              int3
              int3
              int3
              int3
              int3
              int3
              push ebp
              mov ebp, esp
              push edi
              push esi
              mov esi, dword ptr [ebp+0Ch]
              mov ecx, dword ptr [ebp+10h]
              mov edi, dword ptr [ebp+08h]
              mov eax, ecx
              mov edx, ecx
              add eax, esi
              cmp edi, esi
              jbe 00007F1D587D026Ah
              cmp edi, eax
              jc 00007F1D587D040Ah
              cmp ecx, 00000100h
              jc 00007F1D587D0281h
              cmp dword ptr [004A94E0h], 00000000h
              je 00007F1D587D0278h
              push edi
              push esi
              and edi, 0Fh
              and esi, 0Fh
              cmp edi, esi
              pop esi
              pop edi
              jne 00007F1D587D026Ah
              pop esi
              pop edi
              pop ebp
              jmp 00007F1D587D06CAh
              test edi, 00000003h
              jne 00007F1D587D0277h
              shr ecx, 02h
              and edx, 03h
              cmp ecx, 08h
              jc 00007F1D587D028Ch
              rep movsd
              jmp dword ptr [00416494h+edx*4]
              nop
              mov eax, edi
              mov edx, 00000003h
              sub ecx, 04h
              jc 00007F1D587D026Eh
              and eax, 03h
              add ecx, eax
              jmp dword ptr [004163A8h+eax*4]
              jmp dword ptr [004164A4h+ecx*4]
              nop
              jmp dword ptr [00416428h+ecx*4]
              nop
              mov eax, E4004163h
              arpl word ptr [ecx+00h], ax
              or byte ptr [ecx+eax*2+00h], ah
              and edx, ecx
              mov al, byte ptr [esi]
              mov byte ptr [edi], al
              mov al, byte ptr [esi+01h]
              mov byte ptr [edi+01h], al
              mov al, byte ptr [esi+02h]
              shr ecx, 02h
              mov byte ptr [edi+02h], al
              add esi, 03h
              add edi, 03h
              cmp ecx, 08h
              jc 00007F1D587D022Eh
              Programming Language:
              • [ASM] VS2008 SP1 build 30729
              • [ C ] VS2008 SP1 build 30729
              • [C++] VS2008 SP1 build 30729
              • [ C ] VS2005 build 50727
              • [IMP] VS2005 build 50727
              • [ASM] VS2008 build 21022
              • [RES] VS2008 build 21022
              • [LNK] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8cd3c | 0x154 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xab000 | 0x9298 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x82000 | 0x840 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x80017 | 0x80200 | 6c20c6bf686768b6f134f5bd508171bc | False | 0.5602991615853659 | data | 6.634688230255595 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x82000 | 0xd95c | 0xda00 | f979966509a93083729d23cdfd2a6f2d | False | 0.36256450688073394 | data | 4.880040824124099 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x90000 | 0x1a518 | 0x6800 | e5d77411f751d28c6eee48a743606795 | False | 0.1600060096153846 | data | 2.2017649896261107 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xab000 | 0x9298 | 0x9400 | f6be76de0ef2c68f397158bf01bdef3e | False | 0.4896801097972973 | data | 5.530303089784181 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xab5c8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | Great Britain | 0.3277027027027027
RT_ICON | 0xab6f0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.7466216216216216
RT_ICON | 0xab818 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xab940 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | Great Britain | 0.48109756097560974
RT_ICON | 0xabfa8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | Great Britain | 0.5672043010752689
RT_ICON | 0xac290 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | Great Britain | 0.6418918918918919
RT_ICON | 0xac3b8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | Great Britain | 0.7044243070362474
RT_ICON | 0xad260 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | Great Britain | 0.8077617328519856
RT_ICON | 0xadb08 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | Great Britain | 0.5903179190751445
RT_ICON | 0xae070 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | Great Britain | 0.5503112033195021
RT_ICON | 0xb0618 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | Great Britain | 0.6050656660412758
RT_ICON | 0xb16c0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | Great Britain | 0.7553191489361702
RT_MENU | 0xb1b28 | 0x50 | data | English | Great Britain | 0.9
RT_DIALOG | 0xb1b78 | 0xfc | data | English | Great Britain | 0.6507936507936508
RT_STRING | 0xb1c78 | 0x530 | data | English | Great Britain | 0.33960843373493976
RT_STRING | 0xb21a8 | 0x690 | data | English | Great Britain | 0.26964285714285713
RT_STRING | 0xb2838 | 0x43a | data | English | Great Britain | 0.3733826247689464
RT_STRING | 0xb2c78 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xb3278 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xb38d8 | 0x388 | data | English | Great Britain | 0.377212389380531
RT_STRING | 0xb3c60 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | United States | 0.502906976744186
RT_GROUP_ICON | 0xb3db8 | 0x84 | data | English | Great Britain | 0.6439393939393939
RT_GROUP_ICON | 0xb3e40 | 0x14 | data | English | Great Britain | 1.15
RT_GROUP_ICON | 0xb3e58 | 0x14 | data | English | Great Britain | 1.25
RT_GROUP_ICON | 0xb3e70 | 0x14 | data | English | Great Britain | 1.25
RT_VERSION | 0xb3e88 | 0x19c | data | English | Great Britain | 0.5339805825242718
RT_MANIFEST | 0xb4028 | 0x26c | ASCII text, with CRLF line terminators | English | United States | 0.5145161290322581
DLL | Import
WSOCK32.dll: __WSAFDIsSet, setsockopt, ntohs, recvfrom, sendto, htons, select, listen, WSAStartup, bind, closesocket, connect, socket, send, WSACleanup, ioctlsocket, accept, WSAGetLastError, inet_addr, gethostbyname, gethostname, recv
VERSION.dll: VerQueryValueW, GetFileVersionInfoW, GetFileVersionInfoSizeW
WINMM.dll: timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll: ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_ReplaceIcon, ImageList_Create, InitCommonControlsEx, ImageList_Destroy
MPR.dll: WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W, WNetUseConnectionW
WININET.dll: InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetConnectW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetQueryOptionW, InternetQueryDataAvailable
PSAPI.DLL: EnumProcesses, GetModuleBaseNameW, GetProcessMemoryInfo, EnumProcessModules
USERENV.dll: CreateEnvironmentBlock, DestroyEnvironmentBlock, UnloadUserProfile, LoadUserProfileW
KERNEL32.dll: HeapAlloc, Sleep, GetCurrentThreadId, RaiseException, MulDiv, GetVersionExW, GetSystemInfo, MultiByteToWideChar, WideCharToMultiByte, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, DeleteFileW, FindNextFileW, lstrcmpiW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, GetProcessHeap, OutputDebugStringW, GetLocalTime, CompareStringW, CompareStringA, InterlockedIncrement, InterlockedDecrement, DeleteCriticalSection, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, GetTempPathW, GetTempFileNameW, VirtualFree, FormatMessageW, GetExitCodeProcess, SetErrorMode, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, DeviceIoControl, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetComputerNameW, GetWindowsDirectoryW, GetSystemDirectoryW, GetCurrentProcessId, GetCurrentThread, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, LoadLibraryExW, HeapFree, WaitForSingleObject, CreateThread, DuplicateHandle, GetLastError, CloseHandle, GetCurrentProcess, GetProcAddress, LoadLibraryA, FreeLibrary, GetModuleFileNameW, GetFullPathNameW, ExitProcess, ExitThread, GetSystemTimeAsFileTime, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, ResumeThread, GetStartupInfoW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, SetLastError, HeapSize, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetModuleFileNameA, HeapReAlloc, HeapCreate, SetHandleCount, GetFileType, GetStartupInfoA, SetStdHandle, GetConsoleCP, GetConsoleMode, LCMapStringW, LCMapStringA, RtlUnwind, SetFilePointer, GetTimeZoneInformation, GetTimeFormatA, GetDateFormatA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetTickCount, GetStringTypeA, GetStringTypeW, GetLocaleInfoA, GetModuleHandleA, WriteConsoleA, GetConsoleOutputCP, WriteConsoleW, CreateFileA, SetEndOfFile, EnumResourceNamesW, SetEnvironmentVariableA
USER32.dll: SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, ReleaseCapture, SetCapture, WindowFromPoint, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, CheckMenuRadioItem, CopyImage, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, SystemParametersInfoW, PeekMessageW, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, GetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, MessageBoxW, DefWindowProcW, MoveWindow, AdjustWindowRectEx, SetRect, 
SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, GetMenuItemID, TranslateMessage, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, UnregisterHotKey, CharLowerBuffW, MonitorFromRect, keybd_event, LoadImageW, GetWindowLongW
              GDI32.dllDeleteObject, GetObjectW, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, PolyDraw, BeginPath, Rectangle, GetDeviceCaps, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, GetStockObject, CreateDCW, GetPixel, DeleteDC, SetViewportOrgEx
              COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
              ADVAPI32.dllRegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegConnectRegistryW, RegEnumKeyExW, CloseServiceHandle, UnlockServiceDatabase, LockServiceDatabase, OpenSCManagerW, InitiateSystemShutdownExW, AdjustTokenPrivileges, RegCloseKey, RegQueryValueExW, RegOpenKeyExW, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, InitializeSecurityDescriptor, InitializeAcl, GetLengthSid, SetSecurityDescriptorDacl, CopySid, LogonUserW, GetTokenInformation, GetAclInformation, GetAce, AddAce, GetSecurityDescriptorDacl
              SHELL32.dllDragQueryPoint, ShellExecuteExW, SHGetFolderPathW, DragQueryFileW, SHEmptyRecycleBinW, SHBrowseForFolderW, SHFileOperationW, SHGetPathFromIDListW, SHGetDesktopFolder, SHGetMalloc, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
              ole32.dllOleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoInitialize, CoUninitialize, CoCreateInstance, CreateStreamOnHGlobal, CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, StringFromCLSID, IIDFromString, StringFromIID, OleInitialize, CreateBindCtx, CLSIDFromProgID, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket, OleUninitialize
              OLEAUT32.dllSafeArrayAllocData, SafeArrayAllocDescriptorEx, SysAllocString, OleLoadPicture, SafeArrayGetVartype, SafeArrayDestroyData, SafeArrayAccessData, VarR8FromDec, VariantTimeToSystemTime, VariantClear, VariantCopy, VariantInit, SafeArrayDestroyDescriptor, LoadRegTypeLib, GetActiveObject, SafeArrayUnaccessData
              Language of compilation system | Country where language is spoken
              English | Great Britain
              English | United States
              No network behavior found


              Target ID:0
              Start time:05:36:00
              Start date:29/10/2024
              Path:C:\Users\user\Desktop\Invoices #645473.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\Invoices #645473.exe"
              Imagebase:0x400000
              File size:1'338'477 bytes
              MD5 hash:7DA470614CD6B249CB23791BDDAA250F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:1
              Start time:05:36:02
              Start date:29/10/2024
              Path:C:\Users\user\AppData\Local\camellin\translucently.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\Invoices #645473.exe"
              Imagebase:0x400000
              File size:1'338'477 bytes
              MD5 hash:7DA470614CD6B249CB23791BDDAA250F
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Antivirus matches:
              • Detection: 100%, Joe Sandbox ML
              • Detection: 63%, ReversingLabs
              Reputation:low
              Has exited:true

              Target ID:2
              Start time:05:36:04
              Start date:29/10/2024
              Path:C:\Windows\SysWOW64\svchost.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\Desktop\Invoices #645473.exe"
              Imagebase:0x6f0000
              File size:46'504 bytes
              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2247231382.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2247231382.0000000003100000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2246944733.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.2246944733.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
              Reputation:high
              Has exited:true

              Target ID:3
              Start time:05:36:14
              Start date:29/10/2024
              Path:C:\Windows\System32\wscript.exe
              Wow64 process (32bit):false
              Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\translucently.vbs"
              Imagebase:0x7ff623a80000
              File size:170'496 bytes
              MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:high
              Has exited:true

              Target ID:4
              Start time:05:36:15
              Start date:29/10/2024
              Path:C:\Users\user\AppData\Local\camellin\translucently.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\AppData\Local\camellin\translucently.exe"
              Imagebase:0x400000
              File size:1'338'477 bytes
              MD5 hash:7DA470614CD6B249CB23791BDDAA250F
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Reputation:low
              Has exited:true

              Target ID:5
              Start time:05:36:17
              Start date:29/10/2024
              Path:C:\Windows\SysWOW64\svchost.exe
              Wow64 process (32bit):true
              Commandline:"C:\Users\user\AppData\Local\camellin\translucently.exe"
              Imagebase:0x6f0000
              File size:46'504 bytes
              MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
              Has elevated privileges:false
              Has administrator privileges:false
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2366314493.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2366314493.00000000030D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.2366028789.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.2366028789.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
              Reputation:high
              Has exited:true


                Execution Graph

                Execution Coverage:2.7%
                Dynamic/Decrypted Code Coverage:1.3%
                Signature Coverage:3.8%
                Total number of Nodes:1407
                Total number of Limit Nodes:31
                execution_graph 83140 40f110 RegOpenKeyExW 83141 40f13c RegQueryValueExW RegCloseKey 83140->83141 83142 40f15f 83140->83142 83141->83142 83143 429212 83148 410b90 83143->83148 83149 410b9a __write_nolock 83148->83149 83168 41171a 83149->83168 83153 410c66 _wcsncat 83183 413e3c 83153->83183 83156 41171a 75 API calls 83157 410ca3 _wcscpy 83156->83157 83158 410cd1 RegOpenKeyExW 83157->83158 83159 429bc3 RegQueryValueExW 83158->83159 83160 410cf7 83158->83160 83161 429cd9 RegCloseKey 83159->83161 83163 429bf2 _wcscat _wcslen _wcsncpy 83159->83163 83165 411421 83160->83165 83162 41171a 75 API calls 83162->83163 83163->83162 83164 429cd8 83163->83164 83164->83161 83258 4113e5 83165->83258 83167 41142e 83170 411724 83168->83170 83171 410c31 GetModuleFileNameW 83170->83171 83174 411740 std::bad_alloc::bad_alloc 83170->83174 83186 4138ba 83170->83186 83204 411afc 6 API calls __decode_pointer 83170->83204 83180 413db0 83171->83180 83177 411421 __cinit 74 API calls 83174->83177 83179 411766 83174->83179 83175 411770 83206 41805b RaiseException 83175->83206 83177->83179 83178 41177e 83205 4116fd 67 API calls std::exception::exception 83179->83205 83216 413b95 83180->83216 83246 41abec 83183->83246 83187 41396d 83186->83187 83198 4138cc 83186->83198 83214 411afc 6 API calls __decode_pointer 83187->83214 83189 413973 83215 417f23 67 API calls __getptd_noexit 83189->83215 83192 413965 83192->83170 83195 413929 RtlAllocateHeap 83195->83198 83196 4138dd 83196->83198 83207 418252 67 API calls 2 library calls 83196->83207 83208 4180a7 67 API calls 7 library calls 83196->83208 83209 411803 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 83196->83209 83198->83192 83198->83195 83198->83196 83199 413959 83198->83199 83202 41395e 83198->83202 83210 41386b 67 API calls 4 library calls 83198->83210 83211 411afc 6 API calls __decode_pointer 83198->83211 83212 417f23 67 API calls __getptd_noexit 83199->83212 83213 417f23 67 API calls __getptd_noexit 
83202->83213 83204->83170 83205->83175 83206->83178 83207->83196 83208->83196 83210->83198 83211->83198 83212->83202 83213->83192 83214->83189 83215->83192 83217 413c2f 83216->83217 83221 413bae 83216->83221 83218 413d60 83217->83218 83219 413d7b 83217->83219 83242 417f23 67 API calls __getptd_noexit 83218->83242 83244 417f23 67 API calls __getptd_noexit 83219->83244 83221->83217 83232 413c1d 83221->83232 83238 41ab19 67 API calls 2 library calls 83221->83238 83223 413d65 83228 413cfb 83223->83228 83243 417ebb 6 API calls 2 library calls 83223->83243 83226 413d03 83226->83217 83226->83228 83229 413d8e 83226->83229 83227 413cb9 83227->83217 83230 413cd6 83227->83230 83240 41ab19 67 API calls 2 library calls 83227->83240 83228->83153 83245 41ab19 67 API calls 2 library calls 83229->83245 83230->83217 83230->83228 83234 413cef 83230->83234 83232->83217 83237 413c9b 83232->83237 83239 41ab19 67 API calls 2 library calls 83232->83239 83241 41ab19 67 API calls 2 library calls 83234->83241 83237->83226 83237->83227 83238->83232 83239->83237 83240->83230 83241->83228 83242->83223 83244->83223 83245->83228 83247 41ac02 83246->83247 83248 41abfd 83246->83248 83255 417f23 67 API calls __getptd_noexit 83247->83255 83248->83247 83254 41ac22 83248->83254 83250 41ac07 83256 417ebb 6 API calls 2 library calls 83250->83256 83253 410c99 83253->83156 83254->83253 83257 417f23 67 API calls __getptd_noexit 83254->83257 83255->83250 83257->83250 83259 4113f1 _fprintf 83258->83259 83266 41181b 83259->83266 83265 411412 _fprintf 83265->83167 83292 418407 83266->83292 83268 4113f6 83269 4112fa 83268->83269 83357 4169e9 TlsGetValue 83269->83357 83272 4169e9 __decode_pointer 6 API calls 83273 41131e 83272->83273 83284 4113a1 83273->83284 83367 4170e7 68 API calls 6 library calls 83273->83367 83275 41696e __encode_pointer 6 API calls 83279 411396 83275->83279 83276 41133c 83277 411357 83276->83277 83278 411366 83276->83278 83288 411388 83276->83288 83368 417047 73 API calls _realloc 
83277->83368 83281 411360 83278->83281 83278->83284 83282 41696e __encode_pointer 6 API calls 83279->83282 83281->83278 83285 41137c 83281->83285 83369 417047 73 API calls _realloc 83281->83369 83282->83284 83289 41141b 83284->83289 83370 41696e TlsGetValue 83285->83370 83286 411376 83286->83284 83286->83285 83288->83275 83382 411824 83289->83382 83293 41841c 83292->83293 83294 41842f EnterCriticalSection 83292->83294 83299 418344 83293->83299 83294->83268 83296 418422 83296->83294 83327 4117af 67 API calls 3 library calls 83296->83327 83298 41842e 83298->83294 83300 418350 _fprintf 83299->83300 83301 418360 83300->83301 83302 418378 83300->83302 83328 418252 67 API calls 2 library calls 83301->83328 83308 418386 _fprintf 83302->83308 83331 416fb6 83302->83331 83304 418365 83329 4180a7 67 API calls 7 library calls 83304->83329 83308->83296 83309 41836c 83330 411803 GetModuleHandleW GetProcAddress ExitProcess ___crtCorExitProcess 83309->83330 83310 4183a7 83312 418407 __lock 67 API calls 83310->83312 83311 418398 83337 417f23 67 API calls __getptd_noexit 83311->83337 83315 4183ae 83312->83315 83317 4183e2 83315->83317 83318 4183b6 83315->83318 83320 413a88 __crtLCMapStringA_stat 67 API calls 83317->83320 83338 4189e6 InitializeCriticalSectionAndSpinCount _fprintf 83318->83338 83322 4183d3 83320->83322 83321 4183c1 83321->83322 83339 413a88 83321->83339 83353 4183fe LeaveCriticalSection _doexit 83322->83353 83325 4183cd 83352 417f23 67 API calls __getptd_noexit 83325->83352 83327->83298 83328->83304 83329->83309 83334 416fbf 83331->83334 83332 4138ba _malloc 66 API calls 83332->83334 83333 416ff5 83333->83310 83333->83311 83334->83332 83334->83333 83335 416fd6 Sleep 83334->83335 83336 416feb 83335->83336 83336->83333 83336->83334 83337->83308 83338->83321 83341 413a94 _fprintf 83339->83341 83340 413b0d __dosmaperr _fprintf 83340->83325 83341->83340 83342 413ad3 83341->83342 83344 418407 __lock 65 API calls 83341->83344 83342->83340 83343 413ae8 RtlFreeHeap 
83342->83343 83343->83340 83345 413afa 83343->83345 83348 413aab ___sbh_find_block 83344->83348 83356 417f23 67 API calls __getptd_noexit 83345->83356 83347 413aff GetLastError 83347->83340 83351 413ac5 83348->83351 83354 419f9d __VEC_memcpy VirtualFree VirtualFree HeapFree __fptostr 83348->83354 83355 413ade LeaveCriticalSection _doexit 83351->83355 83352->83322 83353->83308 83354->83351 83355->83342 83356->83347 83358 416a01 83357->83358 83359 416a22 GetModuleHandleW 83357->83359 83358->83359 83360 416a0b TlsGetValue 83358->83360 83361 416a32 83359->83361 83362 416a3d GetProcAddress 83359->83362 83365 416a16 83360->83365 83380 41177f Sleep GetModuleHandleW 83361->83380 83364 41130e 83362->83364 83364->83272 83365->83359 83365->83364 83366 416a38 83366->83362 83366->83364 83367->83276 83368->83281 83369->83286 83371 4169a7 GetModuleHandleW 83370->83371 83372 416986 83370->83372 83374 4169c2 GetProcAddress 83371->83374 83375 4169b7 83371->83375 83372->83371 83373 416990 TlsGetValue 83372->83373 83377 41699b 83373->83377 83379 41699f 83374->83379 83381 41177f Sleep GetModuleHandleW 83375->83381 83377->83371 83377->83379 83378 4169bd 83378->83374 83378->83379 83379->83288 83380->83366 83381->83378 83385 41832d LeaveCriticalSection 83382->83385 83384 411420 83384->83265 83385->83384 83386 409030 83400 409110 117 API calls 83386->83400 83388 42ceb6 83414 410ae0 VariantClear ctype 83388->83414 83390 42cebf 83391 42cea9 83413 45e62e 116 API calls 3 library calls 83391->83413 83393 40906e 83393->83388 83393->83391 83394 4090a4 83393->83394 83401 404160 83394->83401 83397 4090f0 ctype 83399 4090be ctype 83399->83397 83409 4092c0 83399->83409 83400->83393 83402 4092c0 VariantClear 83401->83402 83403 40416e 83402->83403 83415 404120 83403->83415 83405 40419b 83419 40efe0 83405->83419 83427 4734b7 83405->83427 83406 4041c6 83406->83388 83406->83399 83410 4092c8 ctype 83409->83410 83411 429db0 VariantClear 83410->83411 83412 4092d5 ctype 83410->83412 83411->83412 83412->83399 
83413->83388 83414->83390 83416 40412e 83415->83416 83417 4092c0 VariantClear 83416->83417 83418 404138 83417->83418 83418->83405 83420 40eff5 CreateFileW 83419->83420 83421 4299bf 83419->83421 83422 40f017 83420->83422 83421->83422 83423 4299c4 CreateFileW 83421->83423 83422->83406 83423->83422 83424 4299ea 83423->83424 83471 40e0d0 SetFilePointerEx SetFilePointerEx 83424->83471 83426 4299f5 83426->83422 83472 453063 83427->83472 83430 473545 83476 463c42 83430->83476 83431 47350c 83433 4092c0 VariantClear 83431->83433 83439 473514 83433->83439 83434 473558 83435 47355c 83434->83435 83451 473595 83434->83451 83436 4092c0 VariantClear 83435->83436 83445 473564 83436->83445 83437 473616 83489 463d7e 83437->83489 83439->83406 83440 473622 83442 473697 83440->83442 83443 47362c 83440->83443 83441 453063 111 API calls 83441->83451 83523 457838 83442->83523 83446 4092c0 VariantClear 83443->83446 83445->83406 83449 473634 83446->83449 83449->83406 83450 473655 83454 4092c0 VariantClear 83450->83454 83451->83437 83451->83441 83451->83450 83535 462f5a 87 API calls __wcsicoll 83451->83535 83463 47365d 83454->83463 83455 4736b0 83536 45e62e 116 API calls 3 library calls 83455->83536 83456 4736c9 83537 40e7e0 76 API calls 83456->83537 83459 4736ba GetCurrentProcess TerminateProcess 83459->83456 83460 4736db 83464 4736ff 83460->83464 83538 40d030 76 API calls 83460->83538 83462 4736f1 83539 46b945 134 API calls 2 library calls 83462->83539 83463->83406 83465 473731 83464->83465 83540 40d030 76 API calls 83464->83540 83541 46b945 134 API calls 2 library calls 83464->83541 83468 473744 FreeLibrary 83465->83468 83469 47374b 83465->83469 83468->83469 83469->83406 83471->83426 83473 45306e 83472->83473 83474 45307a 83472->83474 83473->83474 83542 452e2a 111 API calls 5 library calls 83473->83542 83474->83430 83474->83431 83543 45335b 76 API calls 83476->83543 83478 463c5d 83544 442c52 80 API calls _wcslen 83478->83544 83480 463c72 83488 463cac 83480->83488 83545 40c060 83480->83545 
83485 463ca4 83551 40c740 83485->83551 83487 463cf7 83487->83434 83488->83487 83556 462f5a 87 API calls __wcsicoll 83488->83556 83490 453063 111 API calls 83489->83490 83491 463d99 83490->83491 83492 463de0 83491->83492 83493 463dca 83491->83493 83568 40c760 78 API calls 83492->83568 83567 453081 111 API calls 83493->83567 83496 463de7 83511 463e19 83496->83511 83569 40c760 78 API calls 83496->83569 83497 463dd0 LoadLibraryW 83498 463e09 83497->83498 83500 463e3e 83498->83500 83498->83511 83502 463e4e 83500->83502 83503 463e7b 83500->83503 83501 463dfb 83501->83511 83570 40c760 78 API calls 83501->83570 83571 40d500 75 API calls 83502->83571 83573 40c760 78 API calls 83503->83573 83507 463e57 83572 45efe7 77 API calls ctype 83507->83572 83508 463e82 GetProcAddress 83512 463e90 83508->83512 83510 463e62 GetProcAddress 83514 463e79 83510->83514 83511->83440 83512->83511 83513 463edf 83512->83513 83512->83514 83513->83511 83517 463eef FreeLibrary 83513->83517 83514->83512 83574 403470 75 API calls _memcpy_s 83514->83574 83516 463eb4 83575 40d500 75 API calls 83516->83575 83517->83511 83519 463ebd 83576 45efe7 77 API calls ctype 83519->83576 83521 463ec8 GetProcAddress 83577 401330 ctype 83521->83577 83524 457a4c 83523->83524 83530 45785f _strcat _wcslen _wcscpy ctype 83523->83530 83531 410d40 83524->83531 83525 443576 78 API calls 83525->83530 83526 40c760 78 API calls 83526->83530 83527 453081 111 API calls 83527->83530 83528 4138ba 67 API calls _malloc 83528->83530 83530->83524 83530->83525 83530->83526 83530->83527 83530->83528 83578 40f580 83530->83578 83533 410d55 83531->83533 83532 410ded VirtualProtect 83534 410dbb 83532->83534 83533->83532 83533->83534 83534->83455 83534->83456 83535->83451 83536->83459 83537->83460 83538->83462 83539->83464 83540->83464 83541->83464 83542->83474 83543->83478 83544->83480 83546 41171a 75 API calls 83545->83546 83547 40c088 83546->83547 83548 41171a 75 API calls 83547->83548 83549 40c096 83548->83549 83550 4608ce 75 API calls 
_memcpy_s 83549->83550 83550->83485 83552 40c752 83551->83552 83553 40c747 83551->83553 83552->83488 83553->83552 83557 402ae0 83553->83557 83555 42a572 _memcpy_s 83555->83488 83556->83487 83558 42a06a 83557->83558 83559 402aef 83557->83559 83564 401380 83558->83564 83559->83555 83561 42a072 83562 41171a 75 API calls 83561->83562 83563 42a095 _memcpy_s 83562->83563 83563->83555 83565 41171a 75 API calls 83564->83565 83566 401387 83565->83566 83566->83561 83567->83497 83568->83496 83569->83501 83570->83498 83571->83507 83572->83510 83573->83508 83574->83516 83575->83519 83576->83521 83577->83513 83579 429440 83578->83579 83580 40f589 _wcslen 83578->83580 83581 40f58f WideCharToMultiByte 83580->83581 83582 40f5d8 83581->83582 83583 40f5ad 83581->83583 83582->83530 83584 41171a 75 API calls 83583->83584 83585 40f5bb WideCharToMultiByte 83584->83585 83585->83530 83586 4444e4 83591 40d900 83586->83591 83588 4444ee 83595 43723d 83588->83595 83590 444504 83592 40d917 83591->83592 83593 40d909 83591->83593 83592->83593 83594 40d91c CloseHandle 83592->83594 83593->83588 83594->83588 83596 40d900 CloseHandle 83595->83596 83597 437247 ctype 83596->83597 83597->83590 83598 3f8ac18 83612 3f88828 83598->83612 83600 3f8acc9 83615 3f8ab08 83600->83615 83602 3f8acf2 CreateFileW 83604 3f8ad46 83602->83604 83611 3f8ad41 83602->83611 83605 3f8ad5d VirtualAlloc 83604->83605 83604->83611 83606 3f8ad7e ReadFile 83605->83606 83605->83611 83607 3f8ad99 83606->83607 83606->83611 83608 3f89898 12 API calls 83607->83608 83609 3f8adb3 83608->83609 83610 3f89b08 GetPEB GetPEB 83609->83610 83610->83611 83618 3f8bd18 GetPEB 83612->83618 83614 3f88eb3 83614->83600 83616 3f8ab11 Sleep 83615->83616 83617 3f8ab1f 83616->83617 83619 3f8bd42 83618->83619 83619->83614 83620 4034b0 83621 4034b9 83620->83621 83622 4034bd 83620->83622 83623 42a0ba 83622->83623 83624 41171a 75 API calls 83622->83624 83625 4034fe _memcpy_s ctype 83624->83625 83626 4161c2 83627 4161d3 83626->83627 83661 41aa31 HeapCreate 
83627->83661 83630 416212 83663 416e29 GetModuleHandleW 83630->83663 83634 416223 __RTC_Initialize 83697 41b669 83634->83697 83637 416231 83638 41623d GetCommandLineW 83637->83638 83766 4117af 67 API calls 3 library calls 83637->83766 83712 42235f GetEnvironmentStringsW 83638->83712 83641 41623c 83641->83638 83642 41624c 83718 4222b1 GetModuleFileNameW 83642->83718 83644 416256 83645 416261 83644->83645 83767 4117af 67 API calls 3 library calls 83644->83767 83722 422082 83645->83722 83649 416272 83735 41186e 83649->83735 83652 416279 83654 416284 __wwincmdln 83652->83654 83769 4117af 67 API calls 3 library calls 83652->83769 83741 40d7f0 83654->83741 83657 4162b3 83771 411a4b 67 API calls _doexit 83657->83771 83660 4162b8 _fprintf 83662 416206 83661->83662 83662->83630 83764 41616a 67 API calls 3 library calls 83662->83764 83664 416e44 83663->83664 83665 416e3d 83663->83665 83667 416fac 83664->83667 83668 416e4e GetProcAddress GetProcAddress GetProcAddress GetProcAddress 83664->83668 83772 41177f Sleep GetModuleHandleW 83665->83772 83782 416ad5 70 API calls 2 library calls 83667->83782 83670 416e97 TlsAlloc 83668->83670 83669 416e43 83669->83664 83673 416218 83670->83673 83674 416ee5 TlsSetValue 83670->83674 83673->83634 83765 41616a 67 API calls 3 library calls 83673->83765 83674->83673 83675 416ef6 83674->83675 83773 411a69 6 API calls 4 library calls 83675->83773 83677 416efb 83678 41696e __encode_pointer 6 API calls 83677->83678 83679 416f06 83678->83679 83680 41696e __encode_pointer 6 API calls 83679->83680 83681 416f16 83680->83681 83682 41696e __encode_pointer 6 API calls 83681->83682 83683 416f26 83682->83683 83684 41696e __encode_pointer 6 API calls 83683->83684 83685 416f36 83684->83685 83774 41828b InitializeCriticalSectionAndSpinCount __mtinitlocknum 83685->83774 83687 416f43 83687->83667 83688 4169e9 __decode_pointer 6 API calls 83687->83688 83689 416f57 83688->83689 83689->83667 83775 416ffb 83689->83775 83692 4169e9 __decode_pointer 6 API calls 83693 
416f8a 83692->83693 83693->83667 83694 416f91 83693->83694 83781 416b12 67 API calls 5 library calls 83694->83781 83696 416f99 GetCurrentThreadId 83696->83673 83801 41718c 83697->83801 83699 41b675 GetStartupInfoA 83700 416ffb __calloc_crt 67 API calls 83699->83700 83707 41b696 83700->83707 83701 41b8b4 _fprintf 83701->83637 83702 41b831 GetStdHandle 83706 41b7fb 83702->83706 83703 416ffb __calloc_crt 67 API calls 83703->83707 83704 41b896 SetHandleCount 83704->83701 83705 41b843 GetFileType 83705->83706 83706->83701 83706->83702 83706->83704 83706->83705 83803 4189e6 InitializeCriticalSectionAndSpinCount _fprintf 83706->83803 83707->83701 83707->83703 83707->83706 83709 41b77e 83707->83709 83709->83701 83709->83706 83710 41b7a7 GetFileType 83709->83710 83802 4189e6 InitializeCriticalSectionAndSpinCount _fprintf 83709->83802 83710->83709 83713 422370 83712->83713 83714 422374 83712->83714 83713->83642 83715 416fb6 __malloc_crt 67 API calls 83714->83715 83716 422395 _memcpy_s 83715->83716 83717 42239c FreeEnvironmentStringsW 83716->83717 83717->83642 83719 4222e6 _wparse_cmdline 83718->83719 83720 416fb6 __malloc_crt 67 API calls 83719->83720 83721 422329 _wparse_cmdline 83719->83721 83720->83721 83721->83644 83723 42209a _wcslen 83722->83723 83727 416267 83722->83727 83724 416ffb __calloc_crt 67 API calls 83723->83724 83730 4220be _wcslen 83724->83730 83725 422123 83726 413a88 __crtLCMapStringA_stat 67 API calls 83725->83726 83726->83727 83727->83649 83768 4117af 67 API calls 3 library calls 83727->83768 83728 416ffb __calloc_crt 67 API calls 83728->83730 83729 422149 83731 413a88 __crtLCMapStringA_stat 67 API calls 83729->83731 83730->83725 83730->83727 83730->83728 83730->83729 83733 422108 83730->83733 83804 426349 67 API calls 2 library calls 83730->83804 83731->83727 83733->83730 83805 417d93 10 API calls 2 library calls 83733->83805 83736 41187c __IsNonwritableInCurrentImage 83735->83736 83806 418486 83736->83806 83738 41189a __initterm_e 83739 411421 __cinit 

                Control-flow Graph

                APIs
                • GetCurrentDirectoryW.KERNEL32(00000104,?,00000001,?,00000000), ref: 0040D6E5
                  • Part of subcall function 00401F80: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Invoices #645473.exe,00000104,?,?,?,?,00000000), ref: 00401FAD
                  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 00402078
                  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 0040208E
                  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020A4
                  • Part of subcall function 00401F80: __wcsicoll.LIBCMT ref: 004020BA
                  • Part of subcall function 00401F80: _wcscpy.LIBCMT ref: 004020EF
                • IsDebuggerPresent.KERNEL32(?), ref: 0040D6F1
                • GetFullPathNameW.KERNEL32(C:\Users\user\Desktop\Invoices #645473.exe,00000104,?,004A7CF8,004A7CFC), ref: 0040D763
                  • Part of subcall function 00401440: GetFullPathNameW.KERNEL32(?,00000104,?,00000000), ref: 00401483
                • SetCurrentDirectoryW.KERNEL32(?,00000001,C:\Users\user\Desktop\Invoices #645473.exe,00000004), ref: 0040D7D6
                • MessageBoxA.USER32(00000000,This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.,004846D6,00000010), ref: 00431AAB
                • SetCurrentDirectoryW.KERNEL32(?,C:\Users\user\Desktop\Invoices #645473.exe,00000004), ref: 00431B0E
                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,C:\Users\user\Desktop\Invoices #645473.exe,00000004), ref: 00431B3F
                • GetForegroundWindow.USER32(runas,?,?,?,00000001), ref: 00431B8B
                • ShellExecuteW.SHELL32(00000000), ref: 00431B92
                  • Part of subcall function 004101F0: GetSysColorBrush.USER32(0000000F), ref: 004101F9
                  • Part of subcall function 004101F0: LoadCursorW.USER32(00000000,00007F00), ref: 00410209
                  • Part of subcall function 004101F0: LoadIconW.USER32(?,00000063), ref: 0041021F
                  • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A4), ref: 00410232
                  • Part of subcall function 004101F0: LoadIconW.USER32(?,000000A2), ref: 00410245
                  • Part of subcall function 004101F0: LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
                  • Part of subcall function 004101F0: RegisterClassExW.USER32 ref: 004102C6
                  • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
                  • Part of subcall function 004103E0: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
                  • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 00410454
                  • Part of subcall function 004103E0: ShowWindow.USER32(?,00000000), ref: 0041045E
                  • Part of subcall function 0040E1E0: _memset.LIBCMT ref: 0040E202
                  • Part of subcall function 0040E1E0: Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: LoadWindow$IconName__wcsicoll$CurrentDirectory$CreateFileFullModulePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memset_wcscpy
                • String ID: @GH$@GH$C:\Users\user\Desktop\Invoices #645473.exe$This is a compiled AutoIt script. AV researchers please email avsupport@autoitscript.com for support.$runas
                • API String ID: 2493088469-1740648355
                • Opcode ID: ba2e87c3f8820592b330de56266d8528cb530a4dab1fa245838381ec475db17a
                • Instruction ID: f6e0ab4c143dd9a1f797559286fb6c41f0380d60009eb7dc722615656bf0e84e
                • Opcode Fuzzy Hash: ba2e87c3f8820592b330de56266d8528cb530a4dab1fa245838381ec475db17a
                • Instruction Fuzzy Hash: 0341F731618341ABD320F7A19C49BAF3BA4AB96704F04493FF941672D1DBBC9949C72E

                Control-flow Graph

                APIs
                • GetVersionExW.KERNEL32 ref: 0040E495
                  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                • GetCurrentProcess.KERNEL32(?,?), ref: 0040E560
                • GetNativeSystemInfo.KERNELBASE(?,?), ref: 0040E5D3
                • FreeLibrary.KERNEL32(?), ref: 0040E5DE
                • FreeLibrary.KERNEL32(?), ref: 0040E5F2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: FreeLibrary$CurrentInfoNativeProcessSystemVersion_wcslen
                • String ID: pMH
                • API String ID: 2923339712-2522892712
                • Opcode ID: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                • Instruction ID: 31d199e0849a18b4fe3a20375a839c17b1fda7a8e5a404adfed2e153d323e8b3
                • Opcode Fuzzy Hash: 3f36deb7b7369dd68d3c05326faf84e57561e58110467ef3184d2bc56fc1d5cf
                • Instruction Fuzzy Hash: D4612E71508792AEC311CB69C44425ABFE07B6A308F580E6EE48483A42D379E568C7AB
                APIs
                • LoadLibraryA.KERNELBASE(uxtheme.dll,0040EB55,0040D86E), ref: 0040EB7B
                • GetProcAddress.KERNEL32(00000000,IsThemeActive), ref: 0040EB8D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: IsThemeActive$uxtheme.dll
                • API String ID: 2574300362-3542929980
                • Opcode ID: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                • Instruction ID: e8120cabfd18d8fe06d2f96d8b82b2b5a4bcadd10797c678d2963416b1e4c3b8
                • Opcode Fuzzy Hash: 9e55e894ab04f38af4b02d6559f2dae0f2ca0bab174211e780b997e8b6ae5f43
                • Instruction Fuzzy Hash: 05D0C9B49407039AD7306F72C918B0A7BE4AB50342F204C3EF996A1694DBBCD0508B28

                Control-flow Graph

                APIs
                  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00410C44
                • __wsplitpath.LIBCMT ref: 00410C61
                  • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                • _wcsncat.LIBCMT ref: 00410C78
                • __wmakepath.LIBCMT ref: 00410C94
                  • Part of subcall function 00413E3C: __wmakepath_s.LIBCMT ref: 00413E52
                  • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                  • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                  • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                • _wcscpy.LIBCMT ref: 00410CCC
                • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00020019,?), ref: 00410CE9
                • RegQueryValueExW.ADVAPI32 ref: 00429BE4
                • _wcscat.LIBCMT ref: 00429C43
                • _wcslen.LIBCMT ref: 00429C55
                • _wcslen.LIBCMT ref: 00429C66
                • _wcscat.LIBCMT ref: 00429C80
                • _wcsncpy.LIBCMT ref: 00429CC0
                • RegCloseKey.ADVAPI32(?), ref: 00429CDE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: _wcscat_wcslen$CloseException@8FileModuleNameOpenQueryThrowValue__wmakepath__wmakepath_s__wsplitpath__wsplitpath_helper_malloc_wcscpy_wcsncat_wcsncpystd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                • String ID: Include$Software\AutoIt v3\AutoIt$\
                • API String ID: 1004883554-2276155026
                • Opcode ID: bd70d1de0bf944503d0c9583a27c2bfe501ff96b935e7e88766a5686d489513a
                • Instruction ID: ef4714a7fd58501e566ba693257e1f196c1b97611c18bc9c35ab262cfa7686fb
                • Opcode Fuzzy Hash: bd70d1de0bf944503d0c9583a27c2bfe501ff96b935e7e88766a5686d489513a
                • Instruction Fuzzy Hash: B961B3B1508340DFC300EF65EC8599BBBE8FB99704F44882EF544C3261EBB59948CB5A

                Control-flow Graph

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: __amsg_exit$_fast_error_exit$CommandInitializeLine__cinit__ioinit__mtinit__wsetargv__wsetenvp__wwincmdln
                • String ID:
                • API String ID: 2477803136-0
                • Opcode ID: 5c6ad9204277a855c32b49e0d8ca3a5fd5782e976c2a5896ff1cb7bad4d5bdf3
                • Instruction ID: 5d71fe406d9f608d9de966b229f2038f561e79c4b175df4472a1e640f9164680
                • Opcode Fuzzy Hash: 5c6ad9204277a855c32b49e0d8ca3a5fd5782e976c2a5896ff1cb7bad4d5bdf3
                • Instruction Fuzzy Hash: 6A21A671D00315A9DB14BBB2A9467EE2664AF1074CF1144AFF9056A2D3EEBCC8C1461D

                Control-flow Graph

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: __fread_nolock$_fseek_wcscpy
                • String ID: FILE
                • API String ID: 3888824918-3121273764
                • Opcode ID: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                • Instruction ID: c0f9aeb359a44d31a21a8716142a7f32772eb03c7b5129f1ec28ea3a2d041f76
                • Opcode Fuzzy Hash: e8200e6015bbe3313da03f0c122791b2111f624a8fcd35516e511649d5e709ac
                • Instruction Fuzzy Hash: D541EFB1504300BBD310EB55CC81FEB73A9AFC8718F54491EFA8457181F679E644C7AA

                Control-flow Graph

                APIs
                • GetSysColorBrush.USER32 ref: 00410326
                • RegisterClassExW.USER32 ref: 00410359
                • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                • InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                • LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                • ImageList_ReplaceIcon.COMCTL32(00ACE6F8,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                • API String ID: 2914291525-1005189915
                • Opcode ID: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                • Instruction ID: c8c51aded5b6d43d10953d3ded2c15c159303f3bf9a059b11759766ceadcbce4
                • Opcode Fuzzy Hash: b078764552fc12f322907e2d646497bc841117f43cad8f480623bc49e689b681
                • Instruction Fuzzy Hash: 9F2129B4518301AFD340DF64D888B4EBFF4FB89704F008A2EF685962A0E7B58144CF5A

                Control-flow Graph

                APIs
                • GetSysColorBrush.USER32(0000000F), ref: 004101F9
                • LoadCursorW.USER32(00000000,00007F00), ref: 00410209
                • LoadIconW.USER32(?,00000063), ref: 0041021F
                • LoadIconW.USER32(?,000000A4), ref: 00410232
                • LoadIconW.USER32(?,000000A2), ref: 00410245
                • LoadImageW.USER32(?,00000063,00000001,00000010,00000010,00000000), ref: 0041026A
                • RegisterClassExW.USER32 ref: 004102C6
                  • Part of subcall function 004102F0: GetSysColorBrush.USER32 ref: 00410326
                  • Part of subcall function 004102F0: RegisterClassExW.USER32 ref: 00410359
                  • Part of subcall function 004102F0: RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,?), ref: 0041036A
                  • Part of subcall function 004102F0: InitCommonControlsEx.COMCTL32(0000000F,?,?,?,?,?,?), ref: 0041038A
                  • Part of subcall function 004102F0: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,?,?,?,?,?,?), ref: 0041039A
                  • Part of subcall function 004102F0: LoadIconW.USER32(00400000,000000A9), ref: 004103B1
                  • Part of subcall function 004102F0: ImageList_ReplaceIcon.COMCTL32(00ACE6F8,000000FF,00000000,?,?,?,?,?,?), ref: 004103C1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                • String ID: #$0$PGH
                • API String ID: 423443420-3673556320
                • Opcode ID: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
                • Instruction ID: 6be78a7d21e01e6533eb66d2751721d4fd39e3055bf34e10baa21603515e7cea
                • Opcode Fuzzy Hash: 1033d1e55498f891403c4089579710d7d6683e73571bc8446147a2c837657170
                • Instruction Fuzzy Hash: 60216DB5A18300AFD310CF59EC84A4A7FE4FB99710F00497FF648972A0D7B599408B99

                Control-flow Graph

                APIs
                • _fseek.LIBCMT ref: 004525DA
                  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                  • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                  • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                • __fread_nolock.LIBCMT ref: 00452618
                • __fread_nolock.LIBCMT ref: 00452629
                • __fread_nolock.LIBCMT ref: 00452644
                • __fread_nolock.LIBCMT ref: 00452661
                • _fseek.LIBCMT ref: 0045267D
                • _malloc.LIBCMT ref: 00452689
                • _malloc.LIBCMT ref: 00452696
                • __fread_nolock.LIBCMT ref: 004526A7
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: __fread_nolock$_fseek_malloc_wcscpy
                • String ID:
                • API String ID: 1911931848-0
                • Opcode ID: 3570a21b3fd7755177810c9e6035fea9311faeeb4ffbf150b354229a8e607498
                • Instruction ID: daf5751c9f96f1f9c2235ce4d63c31b1673d17b5fb5ed0b9a51dc370059b243a
                • Opcode Fuzzy Hash: 3570a21b3fd7755177810c9e6035fea9311faeeb4ffbf150b354229a8e607498
                • Instruction Fuzzy Hash: 47514CB1A08340AFD310DF5AD881A9BF7E9FFC8704F40492EF68887241D77AE5448B5A

                Control-flow Graph

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: __fread_nolock_fseek_strcat
                • String ID: AU3!$EA06
                • API String ID: 3818483258-2658333250
                • Opcode ID: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
                • Instruction ID: a326fe91d6bb541f17a8cee8b09d92be642ba4032c5aa5fe266a96c6f27d1a6c
                • Opcode Fuzzy Hash: 61a815b4762265f9d00ad5303640aa958846bc8ab5516fbcebd88596bc1aced3
                • Instruction Fuzzy Hash: 2B416C7160C340ABC331DA24C841AEB77A59B95308F68087EF5C597683E578E44A876B

                Control-flow Graph

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: _wcscpy$DesktopFolderFromListMallocPath
                • String ID: C:\Users\user\Desktop\Invoices #645473.exe
                • API String ID: 192938534-1170910240
                • Opcode ID: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
                • Instruction ID: 2fe23ff91bf644c1e681f842d3c1e96d6f0f177144f23c1ad52f1bdc7517ad48
                • Opcode Fuzzy Hash: 41672701d810a85b6866b378b1839c38d53fca73f5daf9d2a63f2dfb0070f590
                • Instruction Fuzzy Hash: 822179B5604211AFC210EB64DC84DABB3ECEFC8704F14891DF94987210E739ED46CBA6

                Control-flow Graph

                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: _memset$__filbuf__fileno__getptd_noexit__read_memcpy_s
                • String ID:
                • API String ID: 3886058894-0

                APIs
                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 03F8918D
                Memory Dump Source
                • Source File: 00000000.00000002.1701541027.0000000003F88000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F88000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3f88000_Invoices #645473.jbxd
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0

                APIs
                • LoadStringW.USER32(?,00000065,?,0000007F), ref: 0042A9B0
                  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                • _memset.LIBCMT ref: 00401C62
                • _wcsncpy.LIBCMT ref: 00401CA1
                • _wcscpy.LIBCMT ref: 00401CBD
                • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: IconLoadNotifyShell_String_memset_wcscpy_wcslen_wcsncpy
                • String ID: Line:
                • API String ID: 1620655955-1585850449

                APIs
                • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,?,00000000), ref: 00410415
                • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,?,00000000), ref: 0041043E
                • ShowWindow.USER32(?,00000000), ref: 00410454
                • ShowWindow.USER32(?,00000000), ref: 0041045E
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Window$CreateShow
                • String ID: AutoIt v3$edit
                • API String ID: 1584632944-3779509399

                APIs
                • __lock.LIBCMT ref: 00413AA6
                  • Part of subcall function 00418407: __mtinitlocknum.LIBCMT ref: 0041841D
                  • Part of subcall function 00418407: __amsg_exit.LIBCMT ref: 00418429
                  • Part of subcall function 00418407: EnterCriticalSection.KERNEL32(?,?,?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001), ref: 00418431
                • ___sbh_find_block.LIBCMT ref: 00413AB1
                • ___sbh_free_block.LIBCMT ref: 00413AC0
                • RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
                • GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                • String ID:
                • API String ID: 2714421763-0
                APIs
                  • Part of subcall function 03F8AB08: Sleep.KERNELBASE(000001F4), ref: 03F8AB19
                • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 03F8AD35
                Memory Dump Source
                • Source File: 00000000.00000002.1701541027.0000000003F88000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F88000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3f88000_Invoices #645473.jbxd
                Similarity
                • API ID: CreateFileSleep
                • String ID: F7G3OPBZ1FPK9O6
                • API String ID: 2694422964-2857685465
                APIs
                  • Part of subcall function 0040F580: _wcslen.LIBCMT ref: 0040F58A
                  • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,?), ref: 0040F5A3
                  • Part of subcall function 0040F580: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,?,-00000010,00000001,?,?,?,?), ref: 0040F5CC
                • _strcat.LIBCMT ref: 0040F603
                  • Part of subcall function 0040F6A0: _memset.LIBCMT ref: 0040F6A8
                  • Part of subcall function 0040F6D0: _strlen.LIBCMT ref: 0040F6D8
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: ByteCharMultiWide$_memset_strcat_strlen_wcslen
                • String ID: HH
                • API String ID: 1194219731-2761332787
                APIs
                • _memset.LIBCMT ref: 0040E202
                • Shell_NotifyIconW.SHELL32(00000000,?), ref: 0040E2C7
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: IconNotifyShell__memset
                • String ID:
                • API String ID: 928536360-0
                APIs
                • _malloc.LIBCMT ref: 00411734
                  • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
                  • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
                  • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
                • std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                  • Part of subcall function 004116B0: std::exception::exception.LIBCMT ref: 004116BC
                • std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                • __CxxThrowException@8.LIBCMT ref: 00411779
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: AllocateException@8HeapThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exceptionstd::exception::exception
                • String ID:
                • API String ID: 1411284514-0
                APIs
                • CreateProcessW.KERNELBASE(?,00000000), ref: 03F8986D
                • ExitProcess.KERNEL32(00000000), ref: 03F8988C
                Memory Dump Source
                • Source File: 00000000.00000002.1701541027.0000000003F88000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F88000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3f88000_Invoices #645473.jbxd
                Similarity
                • API ID: Process$CreateExit
                • String ID: D
                • API String ID: 126409537-2746444292
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                APIs
                • RegOpenKeyExW.KERNELBASE(80000001,0040F0EE,00000000,00000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F132
                • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F14F
                • RegCloseKey.KERNELBASE(00000000,?,?,00000000,00000000,80000001,80000001,?,0040F0EE,80000001,Control Panel\Mouse,SwapMouseButtons,00000004,?,?,0044BA28), ref: 0040F159
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CloseOpenQueryValue
                • String ID:
                • API String ID: 3677997916-0
                APIs
                • _malloc.LIBCMT ref: 00435278
                  • Part of subcall function 004138BA: __FF_MSGBANNER.LIBCMT ref: 004138DD
                  • Part of subcall function 004138BA: __NMSG_WRITE.LIBCMT ref: 004138E4
                  • Part of subcall function 004138BA: RtlAllocateHeap.NTDLL(00000000,0041172A,?,?,?,?,00411739,?,00401C0B), ref: 00413931
                • _malloc.LIBCMT ref: 00435288
                • _malloc.LIBCMT ref: 00435298
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: _malloc$AllocateHeap
                • String ID:
                • API String ID: 680241177-0
                APIs
                • _wcslen.LIBCMT ref: 00401B71
                  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                  • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                  • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                  • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Exception@8Throw_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                • String ID: @EXITCODE
                • API String ID: 580348202-3436989551
                APIs
                • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 0040F00A
                • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000,?,0040DFD2,?,00000001,00403843,?), ref: 004299D9
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: __lock_file_memset
                • String ID:
                • API String ID: 26237723-0
                APIs
                  • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                  • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                • __lock_file.LIBCMT ref: 00414EE4
                  • Part of subcall function 00415965: __lock.LIBCMT ref: 0041598A
                • __fclose_nolock.LIBCMT ref: 00414EEE
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: __decode_pointer__fclose_nolock__getptd_noexit__lock__lock_file
                • String ID:
                • API String ID: 717694121-0
                APIs
                  • Part of subcall function 03F89108: GetFileAttributesW.KERNELBASE(?), ref: 03F89113
                • CreateDirectoryW.KERNELBASE(?,00000000), ref: 03F89A0F
                Memory Dump Source
                • Source File: 00000000.00000002.1701541027.0000000003F88000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F88000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3f88000_Invoices #645473.jbxd
                Similarity
                • API ID: AttributesCreateDirectoryFile
                • String ID:
                • API String ID: 3401506121-0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                • Instruction ID: fb1d736feddc8336b94c661b4f3a99b04f66f7614ca83ae43ac4a02a862e88ab
                • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                • Instruction Fuzzy Hash: 1331D574A00105DFC718DF99E490AAAFBA6FB49304B2486A6E409CB751D774EDC1CBC5
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0d8ad4d875158e0120ed104e09085659f42b86f6d600f5d33fa38308f41241bf
                • Instruction ID: 573dba848690e0cdfd4c9be45b5663ff9194aa529e9341154cf92adfcd841cf8
                • Opcode Fuzzy Hash: 0d8ad4d875158e0120ed104e09085659f42b86f6d600f5d33fa38308f41241bf
                • Instruction Fuzzy Hash: 5E11C374200200ABC7249FAAD8D5F2A73A5AF45304B244C6FE845E7392D73CEC81EB5E
                APIs
                • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: ProcWindow
                • String ID:
                • API String ID: 181713994-0
                • Opcode ID: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
                • Instruction ID: 72bdf1ad184d721e15e17473fba0dc1faec6c1a9a9d1f3fcb71c15abd8c9f185
                • Opcode Fuzzy Hash: 2bcff8431ba1ff294e2b1c33dceaa93ee25f984dfbecb3b506615433fd530346
                • Instruction Fuzzy Hash: FDF05436700118A7DF38995CE89ACFF632AD7ED350F418227FD152B3A6813C5C41966E
                APIs
                • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0041AA46
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CreateHeap
                • String ID:
                • API String ID: 10892065-0
                • Opcode ID: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
                • Instruction ID: 99ddfbee892492b32903703907324a593b21f4d4a70cf9c354be63060b8faba1
                • Opcode Fuzzy Hash: 715419928b85d2867e9ba06f33a68846dd0d9c70f7b25bc38942ce62b1fa172d
                • Instruction Fuzzy Hash: 56D05E325543449EDF009F71AC087663FDCE788395F008836BC1CC6150E778C950CA08
                APIs
                • GetFileAttributesW.KERNELBASE(?), ref: 03F89113
                Memory Dump Source
                • Source File: 00000000.00000002.1701541027.0000000003F88000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F88000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3f88000_Invoices #645473.jbxd
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                • Instruction ID: 8a18414ca85bf5c2b3eb32dad508be25ee7ea67565dd20b41e691507bd5a2d90
                • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                • Instruction Fuzzy Hash: 87E08631919508DBCB58EBA88D086BA73B8A705310F004658E405C31C0D6748900E750
                APIs
                  • Part of subcall function 00444326: SetFilePointerEx.KERNEL32(00000000,00000001,00000000,00000000,00000001,?,?,0044434E,?,?,00429A83,?,00487174,00000003,0040DFEE,?), ref: 004442F3
                • WriteFile.KERNELBASE(?,?,00000001,?,00000000,?,?,00429A83,?,00487174,00000003,0040DFEE,?,?,00000001,00403843), ref: 00444362
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: File$PointerWrite
                • String ID:
                • API String ID: 539440098-0
                • Opcode ID: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
                • Instruction ID: 4a339a6eb5dfef6003722c1615037f540bc53d76d7f4c43935d02bdd90bbdfc9
                • Opcode Fuzzy Hash: 35769b91a3a7bdb08b20991cec1574ff36ffa6c1adc4d20a0c17b9033c9b0ad0
                • Instruction Fuzzy Hash: 7CE09275104311AFD250DF54D944F9BB3F8AF88714F108D0EF59587241D7B4A9848BA6
                APIs
                • GetFileAttributesW.KERNELBASE(?), ref: 03F890E3
                Memory Dump Source
                • Source File: 00000000.00000002.1701541027.0000000003F88000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F88000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3f88000_Invoices #645473.jbxd
                Similarity
                • API ID: AttributesFile
                • String ID:
                • API String ID: 3188754299-0
                • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                • Instruction ID: 02d4b4d962368768c6fea64949191da58ffbaa8f90c0b525846ac6a4983bc3bf
                • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                • Instruction Fuzzy Hash: 94D0A73190920CEBCB10DFB89D089EE77ACE7053B0F004754FD15C32C0D6729A049750
                APIs
                • DefWindowProcW.USER32(?,?,?,?), ref: 00401123
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: ProcWindow
                • String ID:
                • API String ID: 181713994-0
                • Opcode ID: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
                • Instruction ID: 4c36cba44089d0e03573cc5e8dee84df23505be31ebc2729507753268ee0d302
                • Opcode Fuzzy Hash: 837c1f5b160989e4bc04331483680d437582dbd9ffcfcea34caefcb6c1da81af
                • Instruction Fuzzy Hash: C3C08C72100008BB8700DE04EC44CFBB72CEBD8310700C20BBC0586201C230885097A1
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: __wfsopen
                • String ID:
                • API String ID: 197181222-0
                • Opcode ID: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
                • Instruction ID: 6225ca515e7db1e5d7746fb8cf1e0ad45b41b4d1817cc5a1d8a93eb941133566
                • Opcode Fuzzy Hash: d1a4d26266dcb7911ef956bf4afcad96e19892d5a9e8770749e386b2bd63db79
                • Instruction Fuzzy Hash: EDC09B7644010C77CF122943FC02E453F1997C0764F044011FB1C1D561D577D5619589
                APIs
                • CloseHandle.KERNELBASE(00000000,?,0040DF8E), ref: 0040D91D
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CloseHandle
                • String ID:
                • API String ID: 2962429428-0
                • Opcode ID: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
                • Instruction ID: 397672216df932ca6c22f29d52987cd2165f63c791f69eb8015935d900cfb6d9
                • Opcode Fuzzy Hash: b0db0cc9728059d6acb69f925b284233246e7185417bf28957a0aabd78f307cc
                • Instruction Fuzzy Hash: 16E0DEB5900B019EC7318F6AE544416FBF8AEE46213248E2FD4E6D2A64D3B4A5898F54
                APIs
                • Sleep.KERNELBASE(000001F4), ref: 03F8AB19
                Memory Dump Source
                • Source File: 00000000.00000002.1701541027.0000000003F88000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F88000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3f88000_Invoices #645473.jbxd
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                • Instruction ID: de1b9f9f5f6a7f72585c7e8ebeeeb2a0aa9057f2a48202910f8e3b8ea877db78
                • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                • Instruction Fuzzy Hash: 72E0BF7494110DEFDB00EFA8D5496DD7BB4EF04312F1005A1FD05D7680DB309E548A62
                APIs
                • Sleep.KERNELBASE(000001F4), ref: 03F8AB19
                Memory Dump Source
                • Source File: 00000000.00000002.1701541027.0000000003F88000.00000040.00000020.00020000.00000000.sdmp, Offset: 03F88000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_3f88000_Invoices #645473.jbxd
                Similarity
                • API ID: Sleep
                • String ID:
                • API String ID: 3472027048-0
                • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                • Instruction ID: 2163bddc4477763466c46b0f27fba9b8639cca0f946cad90393dd916643ae578
                • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                • Instruction Fuzzy Hash: 5BE0E67494110DDFDB00EFB8D54969D7BF4EF04302F1001A1FD01D2280D6309D508A62
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID:
                • String ID: PF$PF$"DF$$JG$&F$&F$'HG$'|G$*"D$*nF$*vG$+%F$0wE$4rE$5CG$6MG$6NF$6tE$7eF$<HF$<G$ApG$BnE$DvE$F)G$GSG$IqE$K@G$LbF$MdF$MuE$NgF$O*F$PIF$QbG$R+F$RnG$YlE$YtG$Z9G$ZPG$^[F$^oE$_7G$_?G$b"D$fH$i}G$j)F$kQG$lE$rTG$vjE$}eE$~mE$*F$.F$3G$_G$`F$mE$pE$wG
                • API String ID: 0-4260964411
                • Opcode ID: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
                • Instruction ID: b1e67458769bbea4a86cd8903524db5b6e79558e2e7ab8c51025fc7bd56032a7
                • Opcode Fuzzy Hash: bb854585b2a8d25cf70b859c951904b6599901827447d171664d6ae6ba41e592
                • Instruction Fuzzy Hash: 118366F1905B409FC351DFAAF984605BAE1F3AA3157A2857FC5088B731D7B8194A8F4C
                APIs
                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C158
                • DefDlgProcW.USER32(?,0000004E,?,?,004A83D8,?,004A83D8,?), ref: 0047C173
                • GetKeyState.USER32(00000011), ref: 0047C1A4
                • GetKeyState.USER32(00000009), ref: 0047C1AD
                • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0047C1C0
                • GetKeyState.USER32(00000010), ref: 0047C1CA
                • GetWindowLongW.USER32(00000002,000000F0), ref: 0047C1DE
                • SendMessageW.USER32(00000002,0000110A,00000009,00000000), ref: 0047C20A
                • SendMessageW.USER32(00000002,0000113E,00000000,?), ref: 0047C22D
                • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0047C2D6
                • SendMessageW.USER32 ref: 0047C2FB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend$State$LongProcWindow
                • String ID: @GUI_DRAGID$F
                • API String ID: 1562745308-4164748364
                • Opcode ID: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
                • Instruction ID: f40edf6d5039c675f00343e7880f865f139be9e64e9b8d530a61de5f06f6045f
                • Opcode Fuzzy Hash: dcc01cbd87ddd492c2c278cbacd50e58f25e8ccd866e9ebab9dee97b514268e5
                • Instruction Fuzzy Hash: C6429F702042019FD714CF54C884FAB77A5EB89B04F548A6EFA48AB291DBB4EC45CB5A
                APIs
                • GetForegroundWindow.USER32(00000000,?,?,004448AF,?), ref: 004375B3
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 004375D8
                • IsIconic.USER32(?), ref: 004375E1
                • ShowWindow.USER32(?,00000009,?,?,004448AF,?), ref: 004375EE
                • SetForegroundWindow.USER32(?), ref: 004375FD
                • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00437615
                • GetCurrentThreadId.KERNEL32 ref: 00437619
                • GetWindowThreadProcessId.USER32(?,00000000), ref: 00437624
                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437632
                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 00437638
                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,004448AF,?), ref: 0043763E
                • SetForegroundWindow.USER32(?), ref: 00437645
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437654
                • keybd_event.USER32(00000012,00000000), ref: 0043765D
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 0043766B
                • keybd_event.USER32(00000012,00000000), ref: 00437674
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437682
                • keybd_event.USER32(00000012,00000000), ref: 0043768B
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 00437699
                • keybd_event.USER32(00000012,00000000), ref: 004376A2
                • SetForegroundWindow.USER32(?), ref: 004376AD
                • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376CD
                • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D3
                • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,004448AF), ref: 004376D9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconicShow
                • String ID: Shell_TrayWnd
                • API String ID: 3778422247-2988720461
                • Opcode ID: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
                • Instruction ID: 6108fbe056c1a000d5481f33e03d330ccc862392245923d3170deea12ea07584
                • Opcode Fuzzy Hash: ec12ba9e870cc2e5dd85ad52799cb15a6745d125a488419c4f0ebb71fc1ee38e
                • Instruction Fuzzy Hash: AC31A4712803157FE6245BA59D0EF7F3F9CEB48B51F10082EFA02EA1D1DAE458009B79
                APIs
                • _memset.LIBCMT ref: 0044621B
                • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 00446277
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044628A
                • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 004462A4
                • GetProcessWindowStation.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462BD
                • SetProcessWindowStation.USER32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004462C8
                • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 004462E4
                • _wcslen.LIBCMT ref: 0044639E
                  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                • _wcsncpy.LIBCMT ref: 004463C7
                • LoadUserProfileW.USERENV(?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 004463E7
                • CreateEnvironmentBlock.USERENV(?,?,00000000,00000000,?,?,00000000,?,?,?,?), ref: 00446408
                • CreateProcessAsUserW.ADVAPI32(?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00000000,?,?,00000000,?), ref: 00446446
                • UnloadUserProfile.USERENV(?,?,?,?,?,?,?), ref: 00446483
                • CloseWindowStation.USER32(00000000,?,?,?,?), ref: 00446497
                • CloseDesktop.USER32(00000000,?,?,?,?), ref: 0044649E
                • SetProcessWindowStation.USER32(?,?,?,?,?), ref: 004464A9
                • CloseHandle.KERNEL32(?,?,?,?,?), ref: 004464B4
                • DestroyEnvironmentBlock.USERENV(?,?,?,?,?,?), ref: 004464C8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: StationWindow$CloseProcess$User$BlockCreateDesktopEnvironmentHandleOpenProfile$DestroyDuplicateLoadTokenUnload_malloc_memset_wcslen_wcsncpy
                • String ID: $default$winsta0
                • API String ID: 2173856841-1027155976
                • Opcode ID: 46fbf0c91f7472a5aacc8247470ef491aaba77adfafaecf219e6b528db50d2b4
                • Instruction ID: eafd5d154f9bcf2590b8f8eb1e0f3d39b01f77f2fd200ee1cb9c7344d9c52646
                • Opcode Fuzzy Hash: 46fbf0c91f7472a5aacc8247470ef491aaba77adfafaecf219e6b528db50d2b4
                • Instruction Fuzzy Hash: DD819170208341AFE724DF65C848B6FBBE8AF89744F04491DF69097291DBB8D805CB6B
                APIs
                • _wcslen.LIBCMT ref: 00409A61
                  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                  • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                  • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                  • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                • CharUpperBuffW.USER32(?,?), ref: 00409AF5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                • String ID: 0vH$4RH
                • API String ID: 1143807570-2085553193
                • Opcode ID: 88a19b4cc9c9a9d83f3f9e2de6433f25e45d54e9704eefe367a70e6a3dd99c42
                • Instruction ID: 7c8f52bff4b3ea9a641e6aac08ab5e1c8beb32691f0f21fab5f23224d73a3634
                • Opcode Fuzzy Hash: 88a19b4cc9c9a9d83f3f9e2de6433f25e45d54e9704eefe367a70e6a3dd99c42
                • Instruction Fuzzy Hash: 34238170A043109FD724DF25D480A6BB7E1BF89304F54896EE84A9B391D739EC46CB9B
                APIs
                  • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Invoices #645473.exe,?,C:\Users\user\Desktop\Invoices #645473.exe,004A8E80,C:\Users\user\Desktop\Invoices #645473.exe,0040F3D2), ref: 0040FFCA
                  • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A45
                  • Part of subcall function 00436A1D: __wsplitpath.LIBCMT ref: 00436A6C
                  • Part of subcall function 00436A1D: __wcsicoll.LIBCMT ref: 00436A93
                  • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                • _wcscat.LIBCMT ref: 0044BD96
                • _wcscat.LIBCMT ref: 0044BDBF
                • __wsplitpath.LIBCMT ref: 0044BDEC
                • FindFirstFileW.KERNEL32(?,?), ref: 0044BE04
                • _wcscpy.LIBCMT ref: 0044BE73
                • _wcscat.LIBCMT ref: 0044BE85
                • _wcscat.LIBCMT ref: 0044BE97
                • lstrcmpiW.KERNEL32(?,?), ref: 0044BEC3
                • DeleteFileW.KERNEL32(?), ref: 0044BED5
                • MoveFileW.KERNEL32(?,?), ref: 0044BEF5
                • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF0C
                • DeleteFileW.KERNEL32(?), ref: 0044BF17
                • CopyFileW.KERNEL32(?,?,00000000), ref: 0044BF2E
                • FindClose.KERNEL32(00000000), ref: 0044BF35
                • MoveFileW.KERNEL32(?,?), ref: 0044BF51
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 0044BF66
                • FindClose.KERNEL32(00000000), ref: 0044BF7E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: File$Find_wcscat$__wsplitpath$CloseCopyDeleteMove$AttributesFirstFullNameNextPath__wcsicoll_wcscpylstrcmpi
                • String ID: \*.*
                • API String ID: 2188072990-1173974218
                • Opcode ID: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
                • Instruction ID: 14f7055b3521afb04026f42b490306401b0ba37f80ed0ea0ca267746d8cc4687
                • Opcode Fuzzy Hash: 37b83e77465c63a9a0fc5a2f65b261a2e9867c78515d1bc57cb11e6e3b171851
                • Instruction Fuzzy Hash: CA5166B2008344AAD720DBA4DC44FDF73E8AB85314F448D1EF68982141EB79D64CCBAA
                APIs
                • __invoke_watson.LIBCMT ref: 004203A4
                  • Part of subcall function 00417D93: _memset.LIBCMT ref: 00417DBB
                  • Part of subcall function 00417D93: IsDebuggerPresent.KERNEL32(?,?,00000314), ref: 00417E6F
                  • Part of subcall function 00417D93: SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,00000314), ref: 00417E79
                  • Part of subcall function 00417D93: UnhandledExceptionFilter.KERNEL32(?,?,?,00000314), ref: 00417E86
                  • Part of subcall function 00417D93: GetCurrentProcess.KERNEL32(C0000417,?,?,00000314), ref: 00417EA1
                  • Part of subcall function 00417D93: TerminateProcess.KERNEL32(00000000,?,?,00000314), ref: 00417EA8
                • __get_daylight.LIBCMT ref: 004203B0
                • __invoke_watson.LIBCMT ref: 004203BF
                • __get_daylight.LIBCMT ref: 004203CB
                • __invoke_watson.LIBCMT ref: 004203DA
                • ____lc_codepage_func.LIBCMT ref: 004203E2
                • _strlen.LIBCMT ref: 00420442
                • __malloc_crt.LIBCMT ref: 00420449
                • _strlen.LIBCMT ref: 0042045F
                • _strcpy_s.LIBCMT ref: 0042046D
                • __invoke_watson.LIBCMT ref: 00420482
                • GetTimeZoneInformation.KERNEL32(00496C28), ref: 004204AA
                • WideCharToMultiByte.KERNEL32(?,?,00496C2C,?,?,0000003F,?,?), ref: 00420528
                • WideCharToMultiByte.KERNEL32(?,?,00496C80,000000FF,?,0000003F,?,?,?,00496C2C,?,?,0000003F,?,?), ref: 0042055C
                  • Part of subcall function 00413A88: __lock.LIBCMT ref: 00413AA6
                  • Part of subcall function 00413A88: ___sbh_find_block.LIBCMT ref: 00413AB1
                  • Part of subcall function 00413A88: ___sbh_free_block.LIBCMT ref: 00413AC0
                  • Part of subcall function 00413A88: RtlFreeHeap.NTDLL(00000000,00411739,0048C758,0000000C,004183E8,00000000,0048CA38,0000000C,00418422,00411739,?,?,004224D3,00000004,0048CCA0,0000000C), ref: 00413AF0
                  • Part of subcall function 00413A88: GetLastError.KERNEL32(?,004224D3,00000004,0048CCA0,0000000C,00417011,00411739,?,00000000,00000000,00000000,?,00416C24,00000001,00000214), ref: 00413B01
                • __invoke_watson.LIBCMT ref: 004205CC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: __invoke_watson$ByteCharExceptionFilterMultiProcessUnhandledWide__get_daylight_strlen$CurrentDebuggerErrorFreeHeapInformationLastPresentTerminateTimeZone____lc_codepage_func___sbh_find_block___sbh_free_block__lock__malloc_crt_memset_strcpy_s
                • String ID: S\
                • API String ID: 4084823496-393906132
                • Opcode ID: dc5610741a0148f7786b6b9dfa96f50a6ae589fbdbcd52e429fe3139d0279a48
                • Instruction ID: b357f19af7064e56bcdb8625987f67de7edc2332d57e558cb2e7b84f91b73af7
                • Opcode Fuzzy Hash: dc5610741a0148f7786b6b9dfa96f50a6ae589fbdbcd52e429fe3139d0279a48
                • Instruction Fuzzy Hash: 6A91D371E00125AFDB20EF65EC819AE7BE9EF55300B95003BF540A7253DA3C89828F5C
                APIs
                • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00434D75
                • __swprintf.LIBCMT ref: 00434D91
                • _wcslen.LIBCMT ref: 00434D9B
                • _wcslen.LIBCMT ref: 00434DB0
                • _wcslen.LIBCMT ref: 00434DC5
                • CreateDirectoryW.KERNEL32(?,00000000), ref: 00434DD7
                • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00434E0A
                • _memset.LIBCMT ref: 00434E27
                • _wcslen.LIBCMT ref: 00434E3C
                • _wcsncpy.LIBCMT ref: 00434E6F
                • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00434EA9
                • CloseHandle.KERNEL32(00000000), ref: 00434EB4
                • RemoveDirectoryW.KERNEL32(?), ref: 00434EBB
                • CloseHandle.KERNEL32(00000000), ref: 00434ECE
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: _wcslen$CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                • String ID: :$\$\??\%s
                • API String ID: 302090198-3457252023
                • Opcode ID: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
                • Instruction ID: 730b2dca1b6b09bd6b76555d3316dee95f4818bcffb97f26f8f03165767cfd2f
                • Opcode Fuzzy Hash: 1623bec2b974bb3ee5261838648fb58b2a9d6db5aa255760d49714c370e47f4e
                • Instruction Fuzzy Hash: 30416676604340ABE330EB64DC49FEF73E8AFD8714F00891EF649921D1E7B4A645876A
                APIs
                  • Part of subcall function 00444233: _wcslen.LIBCMT ref: 0044424E
                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0046449E
                • GetLastError.KERNEL32 ref: 004644B4
                • GetCurrentThread.KERNEL32 ref: 004644C8
                • OpenThreadToken.ADVAPI32(00000000), ref: 004644CF
                • GetCurrentProcess.KERNEL32(00000028,?), ref: 004644E0
                • OpenProcessToken.ADVAPI32(00000000), ref: 004644E7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: OpenProcess$CurrentThreadToken$ErrorLast_wcslen
                • String ID: SeDebugPrivilege
                • API String ID: 1312810259-2896544425
                • Opcode ID: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
                • Instruction ID: c3f5e6af55eb0da9fa74db60d4f5a84adac3a89a74612fbe59a223ef38337450
                • Opcode Fuzzy Hash: bb2abcbadcb50e0008f3b1fe3e217bfa736f6ade076d8095da49bf04f95d98f8
                • Instruction Fuzzy Hash: 0E51A171200201AFD710DF65DD85F5BB7A8AB84704F10892EFB44DB2C1D7B8E844CBAA
                APIs
                  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                • GetCurrentDirectoryW.KERNEL32(00000104,?,?), ref: 00403871
                • GetFullPathNameW.KERNEL32(?,00000104,?,?), ref: 00403887
                • __wsplitpath.LIBCMT ref: 004038B2
                  • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                • _wcscpy.LIBCMT ref: 004038C7
                • _wcscat.LIBCMT ref: 004038DC
                • SetCurrentDirectoryW.KERNEL32(?), ref: 004038EC
                  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                  • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                  • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                  • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                  • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,?,?,0040397D,?,?,00000010), ref: 00403F54
                  • Part of subcall function 00403F40: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,00000010), ref: 00403F8B
                • _wcscpy.LIBCMT ref: 004039C2
                • _wcslen.LIBCMT ref: 00403A53
                • _wcslen.LIBCMT ref: 00403AAA
                Strings
                • #include depth exceeded. Make sure there are no recursive includes, xrefs: 0042B87B
                • Error opening the file, xrefs: 0042B8AC
                • Unterminated string, xrefs: 0042B9BA
                • _, xrefs: 00403B48
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: _wcslen$ByteCharCurrentDirectoryMultiWide_wcscpy$Exception@8FullNamePathThrow__wsplitpath__wsplitpath_helper_malloc_wcscatstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                • String ID: #include depth exceeded. Make sure there are no recursive includes$Error opening the file$Unterminated string$_
                • API String ID: 4115725249-188983378
                • Opcode ID: 03e6ea20781e53ba093b2e4e1cf17e7e885813b4a055a64ca381d3f5bd1a9c3d
                • Instruction ID: dca64db042171ec5605b2d10b6a92a42a2076cc25022adee7b8115af8a15fc96
                • Opcode Fuzzy Hash: 03e6ea20781e53ba093b2e4e1cf17e7e885813b4a055a64ca381d3f5bd1a9c3d
                • Instruction Fuzzy Hash: 16D1D5B15083019AD710EF65C841AEB77E8AF95308F04492FF5C563292DB78DA49C7AB
                APIs
                • FindFirstFileW.KERNEL32(?,?), ref: 00434C12
                • GetFileAttributesW.KERNEL32(?), ref: 00434C4F
                • SetFileAttributesW.KERNEL32(?,?), ref: 00434C65
                • FindNextFileW.KERNEL32(00000000,?), ref: 00434C77
                • FindClose.KERNEL32(00000000), ref: 00434C88
                • FindClose.KERNEL32(00000000), ref: 00434C9C
                • FindFirstFileW.KERNEL32(*.*,?), ref: 00434CB7
                • SetCurrentDirectoryW.KERNEL32(?), ref: 00434CFE
                • SetCurrentDirectoryW.KERNEL32(0048A090), ref: 00434D22
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00434D2A
                • FindClose.KERNEL32(00000000), ref: 00434D35
                • FindClose.KERNEL32(00000000), ref: 00434D43
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Find$File$Close$AttributesCurrentDirectoryFirstNext
                • String ID: *.*
                • API String ID: 1409584000-438819550
                • Opcode ID: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
                • Instruction ID: 399dbb17912f16e5170155dcc5475d9346bc7ba5aa4a4c8a0ea4d4714b2c7a66
                • Opcode Fuzzy Hash: 55a9fa3bdb603958be151e0ad833d8004315071fb05557dfda8e1c4e562a15c1
                • Instruction Fuzzy Hash: 4141D8726042086BD710EF64DC45AEFB3A8AAC9311F14592FFD54C3280EB79E915C7B9
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Timetime$Sleep
                • String ID: BUTTON
                • API String ID: 4176159691-3405671355
                • Opcode ID: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
                • Instruction ID: 32c89cc89acb3c111fc3cc5f781edb0c57d51ec263d79eeef99f8852f1a29925
                • Opcode Fuzzy Hash: c9fcf2e0d9fa6a0073e84c27d550d5c6e5d49d4b0adb2218bf3fff485548fdb5
                • Instruction Fuzzy Hash: CB21B7723843016BE330DB74FD4DF5A7B94A7A5B51F244876F600E6290D7A5D442876C
                APIs
                • FindFirstFileW.KERNEL32(?,74DE8FB0,74DE8FB0,?,?,00000000), ref: 00442E40
                • FindNextFileW.KERNEL32(00000000,?,?,00000000), ref: 00442EA4
                • FindClose.KERNEL32(00000000,?,00000000), ref: 00442EB5
                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00442ED1
                • FindFirstFileW.KERNEL32(*.*,?), ref: 00442EF0
                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00442F3B
                • SetCurrentDirectoryW.KERNEL32(0048A090,?,?,?,00000000), ref: 00442F6D
                • FindNextFileW.KERNEL32(00000000,00000010), ref: 00442F75
                • FindClose.KERNEL32(00000000), ref: 00442F80
                  • Part of subcall function 00436D2D: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,74DF3220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
                • FindClose.KERNEL32(00000000,?,?,?,00000000), ref: 00442F92
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Find$File$Close$CurrentDirectoryFirstNext$Create
                • String ID: *.*
                • API String ID: 2640511053-438819550
                • Opcode ID: 9379a40a392f11a7e453a238fddec55769e51d026bd73d4c4d0da232c8837110
                • Instruction ID: 5fd3b3f399b1dfd6b0a62b5043663bf11a2259675d3c80dc16c90576bc2ddb84
                • Opcode Fuzzy Hash: 9379a40a392f11a7e453a238fddec55769e51d026bd73d4c4d0da232c8837110
                • Instruction Fuzzy Hash: 0F41E8326083046BD620FA64DD85BEFB3A89BC5311F54492FF95483280E7FEA50D8779
                APIs
                  • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 004392DE
                  • Part of subcall function 004392BC: GetLastError.KERNEL32 ref: 004392E4
                  • Part of subcall function 004392BC: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0043930B
                  • Part of subcall function 0043928B: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004392A5
                • GetSecurityDescriptorDacl.ADVAPI32(?,00000004,?,?,?,?), ref: 00445E4B
                • _memset.LIBCMT ref: 00445E61
                • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00445E83
                • GetLengthSid.ADVAPI32(?), ref: 00445E92
                • GetAce.ADVAPI32(?,00000000,?,?,00000018), ref: 00445EDE
                • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00445EFB
                • GetLengthSid.ADVAPI32(?,?,00000018), ref: 00445F11
                • GetLengthSid.ADVAPI32(?,00000008,?,?,00000000,?,00000000), ref: 00445F39
                • CopySid.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00445F40
                • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?,?,00000000,?,00000000), ref: 00445F6E
                • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000,?,00000000,?,00000000), ref: 00445F8B
                • SetUserObjectSecurity.USER32(?,?,?), ref: 00445FA0
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Security$DescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast_memset
                • String ID:
                • API String ID: 3490752873-0
                • Opcode ID: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
                • Instruction ID: 491154c1e478dcf6c9ac3cbca3c2c9e2645d4ee7bbdc2abf5fae4ada557f6fe4
                • Opcode Fuzzy Hash: b11fc48791dee11005ef1ac308328aec1e94b5ee495351b15ab77ecbbd68b2cc
                • Instruction Fuzzy Hash: 85519D71108301ABD610DF61CD84E6FB7E9AFC9B04F04491EFA869B242D778E909C76B
                APIs
                • OleInitialize.OLE32(00000000), ref: 0047AA03
                • CLSIDFromProgID.OLE32(00000000,?), ref: 0047AA27
                • CoCreateInstance.OLE32(?,00000000,00000005,004829C0,?), ref: 0047AAAA
                • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000), ref: 0047AB6B
                • _memset.LIBCMT ref: 0047AB7C
                • _wcslen.LIBCMT ref: 0047AC68
                • _memset.LIBCMT ref: 0047ACCD
                • CoCreateInstanceEx.OLE32 ref: 0047AD06
                • CoSetProxyBlanket.OLE32(004829D0,?,?,?,?,?,?,00000800), ref: 0047AD53
                Strings
                • NULL Pointer assignment, xrefs: 0047AD84
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CreateInitializeInstance_memset$BlanketFromProgProxySecurity_wcslen
                • String ID: NULL Pointer assignment
                • API String ID: 1588287285-2785691316
                • Opcode ID: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
                • Instruction ID: 16786b45dbc5194aa398acfc0f0ff3b91b98a178c64a073a91da7f4e0cb75f58
                • Opcode Fuzzy Hash: 40e9c8eb680feb4042e694522f3113d29542bf103086fe34e1494599e09369de
                • Instruction Fuzzy Hash: 54B10DB15083409FD320EF65C881B9FB7E8BBC8744F108E2EF58997291D7759948CB66
                APIs
                • GetCurrentProcess.KERNEL32(00000028,?), ref: 004364B9
                • OpenProcessToken.ADVAPI32(00000000), ref: 004364C0
                • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 004364D6
                • AdjustTokenPrivileges.ADVAPI32 ref: 004364FE
                • GetLastError.KERNEL32 ref: 00436504
                • ExitWindowsEx.USER32(?,00000000), ref: 00436527
                • InitiateSystemShutdownExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000001), ref: 00436557
                • SetSystemPowerState.KERNEL32(00000001,00000000), ref: 0043656A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: ProcessSystemToken$AdjustCurrentErrorExitInitiateLastLookupOpenPowerPrivilegePrivilegesShutdownStateValueWindows
                • String ID: SeShutdownPrivilege
                • API String ID: 2938487562-3733053543
                • Opcode ID: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
                • Instruction ID: b625d7910520021a286729d09db348b3c4b0b131b75d5259d4bd29649b467962
                • Opcode Fuzzy Hash: 9f228ad1da6a4c81f8cb5394189ecc1147849337ed66d96e43b1ced3868a671c
                • Instruction Fuzzy Hash: E021D5B02803017FF7149B64DD4AF6B3398EB48B10F948829FE09852D2D6BDE844973D
                APIs
                • __swprintf.LIBCMT ref: 00436162
                • __swprintf.LIBCMT ref: 00436176
                  • Part of subcall function 0041353A: __woutput_l.LIBCMT ref: 0041358F
                • __wcsicoll.LIBCMT ref: 00436185
                • FindResourceW.KERNEL32(?,?,0000000E), ref: 004361A6
                • LoadResource.KERNEL32(?,00000000), ref: 004361AE
                • LockResource.KERNEL32(00000000), ref: 004361B5
                • FindResourceW.KERNEL32(?,?,00000003), ref: 004361DA
                • LoadResource.KERNEL32(?,00000000), ref: 004361E4
                • SizeofResource.KERNEL32(?,00000000), ref: 004361F0
                • LockResource.KERNEL32(?), ref: 004361FD
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Resource$FindLoadLock__swprintf$Sizeof__wcsicoll__woutput_l
                • String ID:
                • API String ID: 2406429042-0
                • Opcode ID: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
                • Instruction ID: 79d88324f8a28cdfdddc37bd7103cac5134eefaeeaedb246b69d205017f9fa0d
                • Opcode Fuzzy Hash: c1b2c305ea449a9eaa2c50be24a6d356ee30b865a6e7eb3c9e4c44cc17d92184
                • Instruction Fuzzy Hash: 82313432104210BFD700EF64ED88EAF77A9FB89304F00882BFA4196150E778D940CB68
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 0045D522
                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,?), ref: 0045D593
                • GetLastError.KERNEL32 ref: 0045D59D
                • SetErrorMode.KERNEL32(?), ref: 0045D629
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Error$Mode$DiskFreeLastSpace
                • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                • API String ID: 4194297153-14809454
                • Opcode ID: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
                • Instruction ID: 49a1caac5541b587bc648ef7caa6256b54369420b38b3993b587487a6931f65b
                • Opcode Fuzzy Hash: 49e0e17e9479d30b414134c7f78092e00673ae1a45d158f41d80208550ba4cb8
                • Instruction Fuzzy Hash: BA31AD75A083009FC310EF55D98090BB7E1AF89315F448D6FF94997362D778E9068B6A
                APIs
                • MkParseDisplayName.OLE32(?,00000000,?,?), ref: 0047AF0F
                  • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                • OleInitialize.OLE32(00000000), ref: 0047AE06
                  • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                  • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                • _wcslen.LIBCMT ref: 0047AE18
                • CreateBindCtx.OLE32(00000000,?), ref: 0047AEC2
                • CLSIDFromProgID.OLE32(00000000,?,?), ref: 0047AFCC
                • GetActiveObject.OLEAUT32(?,00000000,?), ref: 0047AFF9
                Similarity
                • API ID: CopyVariant$_wcslen$ActiveBindCreateDisplayErrorFromInitializeLastNameObjectParseProg_wcscpy
                • String ID: HH
                • API String ID: 1915432386-2761332787
                • Opcode ID: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
                • Instruction ID: 7e3b4e38c6064d991530b19baaff212313fd3e9d55f264e0ba959e8ba912c45c
                • Opcode Fuzzy Hash: e5cc958d5f324366fbee3d2ecbe33304f19c15b46d8e68c756c5eb73bbadfcb0
                • Instruction Fuzzy Hash: 6C915C71604301ABD710EB65CC85F9BB3E8AFC8714F10892EF64597291EB78E909CB5A
                Similarity
                • API ID:
                • String ID: DEFINE$`$h$h
                • API String ID: 0-4194577831
                • Opcode ID: 53b7279d5b659778b651e94439d899c69cc4b33ac19e6b5c077e56500386ae31
                • Instruction ID: b1cbab3e2140d6a963e4b85c5b61650905c2e88cbb7a9c7ccaf19de07e543520
                • Opcode Fuzzy Hash: 53b7279d5b659778b651e94439d899c69cc4b33ac19e6b5c077e56500386ae31
                • Instruction Fuzzy Hash: 9802A1715083818FE725CF29C88076BBBE2BFD5304F28896EE89587342D779D849CB56
                APIs
                • socket.WSOCK32(00000002,00000001,00000006,?,00000000), ref: 004648B0
                • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,?,00000000), ref: 004648BE
                • bind.WSOCK32(00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648DA
                • WSAGetLastError.WSOCK32(00000000,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 004648E6
                • closesocket.WSOCK32(00000000,00000000,00000000,00000000,00000005,00000000,?,00000010,00000002,00000001,00000006,?,00000000), ref: 0046492D
                Similarity
                • API ID: ErrorLast$bindclosesocketsocket
                • String ID:
                • API String ID: 2609815416-0
                • Opcode ID: c745fc0386eefc9461b0625fcf5f9e880147eba2f1499b917674c09f315cfe6e
                • Instruction ID: d240999dee57073d64b91b26c15bb406cb7727aead8f71c00845428af50f987f
                • Opcode Fuzzy Hash: c745fc0386eefc9461b0625fcf5f9e880147eba2f1499b917674c09f315cfe6e
                • Instruction Fuzzy Hash: C731CB712002009BD710FF2ADC81B6BB3E8EF85724F144A5FF594A72D2D779AC85876A
                APIs
                • CreateToolhelp32Snapshot.KERNEL32 ref: 00437043
                • Process32FirstW.KERNEL32(00000000,00000002), ref: 00437050
                • Process32NextW.KERNEL32(00000000,?), ref: 00437075
                • __wsplitpath.LIBCMT ref: 004370A5
                  • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                • _wcscat.LIBCMT ref: 004370BA
                • __wcsicoll.LIBCMT ref: 004370C8
                • CloseHandle.KERNEL32(00000000,?), ref: 00437105
                Similarity
                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                • String ID:
                • API String ID: 2547909840-0
                • Opcode ID: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
                • Instruction ID: d866d71778569fbbd99b025f777f77cc3db9ba9c83dfb601fa45888e96c7797d
                • Opcode Fuzzy Hash: fd838752e9d0606085fad0ec29118efadb7b5f17250a81beb0a2f2c9513d2e10
                • Instruction Fuzzy Hash: 9C21A7B20083819BD735DB55C881BEFB7E8BB99304F00491EF5C947241EB79A589CB6A
                APIs
                  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                • FindFirstFileW.KERNEL32(?,?,?,?,?,00000000), ref: 0045217E
                • Sleep.KERNEL32(0000000A,?,?,00000000), ref: 004521B2
                • FindNextFileW.KERNEL32(?,?,?,00000000), ref: 004522AC
                • FindClose.KERNEL32(?,?,00000000), ref: 004522C3
                Similarity
                • API ID: Find$File$CloseFirstNextSleep_wcslen
                • String ID: *.*
                • API String ID: 2693929171-438819550
                • Opcode ID: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
                • Instruction ID: e6452ff64139cddd5fd774ab19bf2199aa97b2a19dc0f7115334900b47d689b2
                • Opcode Fuzzy Hash: 17936c38af85c1dbfc3d1ebbd0b26446ca2a596e07a4ad84d79ac0689e190811
                • Instruction Fuzzy Hash: BD419D756083409FC314DF25C984A9FB7E4BF86305F04491FF98993291DBB8E949CB5A
                APIs
                • __wcsicoll.LIBCMT ref: 0043643C
                • mouse_event.USER32(00000800,00000000,00000000,00000078,00000000), ref: 00436452
                • __wcsicoll.LIBCMT ref: 00436466
                • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 0043647C
                Similarity
                • API ID: __wcsicollmouse_event
                • String ID: DOWN
                • API String ID: 1033544147-711622031
                • Opcode ID: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
                • Instruction ID: 8a73d33e481528181e274ae5662561dddcd8f7088196b39fde8242b6fe69d79f
                • Opcode Fuzzy Hash: 8e71a22f1bb6dc727f393f419cee3c46fab46d9365d91d475c80ba63e0095046
                • Instruction Fuzzy Hash: 75E0927558872039FC4036253C02FFB174CAB66796F018116FE00D1291EA586D865BBD
                APIs
                  • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
                • socket.WSOCK32(00000002,00000002,00000011,?,00000000), ref: 00474213
                • WSAGetLastError.WSOCK32(00000000), ref: 00474233
                Similarity
                • API ID: ErrorLastinet_addrsocket
                • String ID:
                • API String ID: 4170576061-0
                • Opcode ID: cabea8b38002fa781011b5f0595ab941099387897a9684b67fae1790c0a48004
                • Instruction ID: 44a7e99483396e6262e636993c5e510db402c36a24f0b6146f21617b09e75fab
                • Opcode Fuzzy Hash: cabea8b38002fa781011b5f0595ab941099387897a9684b67fae1790c0a48004
                • Instruction Fuzzy Hash: B6412C7164030067E720BB3A8C83F5A72D89F40728F144D5EF954BB2C3D6BAAD45475D
                APIs
                • GetCursorPos.USER32(004A83D8), ref: 0045636A
                • ScreenToClient.USER32(004A83D8,?), ref: 0045638A
                • GetAsyncKeyState.USER32(?), ref: 004563D0
                • GetAsyncKeyState.USER32(?), ref: 004563DC
                • GetWindowLongW.USER32(?,000000F0), ref: 00456430
                Similarity
                • API ID: AsyncState$ClientCursorLongScreenWindow
                • String ID:
                • API String ID: 3539004672-0
                • Opcode ID: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
                • Instruction ID: 0eacbf52c9ff4b21db6d2500407d28a57be55752a0539e191fb639d8ee6a043b
                • Opcode Fuzzy Hash: 8b6f1a7d11e91e3692d621cb91ecba55955a7a9a0de246f0cd2a62484a80ce0b
                • Instruction Fuzzy Hash: 8E416071108341ABD724DF55CD84EBBB7E9EF86725F540B0EB8A543281C734A848CB6A
                APIs
                  • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                • IsWindowVisible.USER32 ref: 00477314
                • IsWindowEnabled.USER32 ref: 00477324
                • GetForegroundWindow.USER32(?,?,?,00000001,?,?), ref: 00477331
                • IsIconic.USER32 ref: 0047733F
                • IsZoomed.USER32 ref: 0047734D
                Similarity
                • API ID: Window$EnabledForegroundIconicVisibleZoomed
                • String ID:
                • API String ID: 292994002-0
                • Opcode ID: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
                • Instruction ID: c753cb395bd8887e5e04db90522a3107d7308fd2cfa588f53a4db7a4177bc043
                • Opcode Fuzzy Hash: 1c24098bd8cb9da3f496229370c910df04dc27541171caa4f2956f9c30b83eee
                • Instruction Fuzzy Hash: 351172327041119BE3209B26DD05B9FB7A8AF91310F05882EFC49E7250D7B8EC42D7A9
                APIs
                • CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000,74DF3220,00000000,00000000,00442E95,?,?,?), ref: 00436D4F
                • SetFileTime.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,00000000), ref: 00436D8C
                • CloseHandle.KERNEL32(00000000,?,?,?,00000000), ref: 00436D93
                Similarity
                • API ID: File$CloseCreateHandleTime
                • String ID:
                • API String ID: 3397143404-0
                • Opcode ID: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
                • Instruction ID: bce1a9391340f9688fe0750810cd2cb1b104417d8b3c1e96578cdf6de8724fbd
                • Opcode Fuzzy Hash: 17e11168520f802dddbe8c477e19047108492bf153e6cd976562f268bfda3e60
                • Instruction Fuzzy Hash: A4F0C83634132077E5301A69AC8DFCF276CABDAB32F20452EF741A61C083D51445977D
                Similarity
                • API ID: _strncmp
                • String ID: ACCEPT$^$h
                • API String ID: 909875538-4263704089
                • Opcode ID: a6541d7913cd7701a75e3a8dc778404717b64597fc065691f0327c8a2e2ba149
                • Instruction ID: 72a2cba82410d8b1d90f72ff5cad5771b474d57714a55a9933f2c727144888ce
                • Opcode Fuzzy Hash: a6541d7913cd7701a75e3a8dc778404717b64597fc065691f0327c8a2e2ba149
                • Instruction Fuzzy Hash: AE22A0746083818FE725CF29C48076BBBE2BFC9304F24896EE8D587351D779984ACB56
                APIs
                • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045C9BE
                • FindNextFileW.KERNEL32(00000000,?), ref: 0045CA1B
                • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0045CA4A
                Similarity
                • API ID: Find$File$CloseFirstNext
                • String ID:
                • API String ID: 3541575487-0
                • Opcode ID: cd42767256c3935660832567e39f7af9e021373ba4cf75ddba00705dd7020de4
                • Instruction ID: 18858b47483a38653cd59612877c1399ad483e9f26b014a4aa46912757e3bc7b
                • Opcode Fuzzy Hash: cd42767256c3935660832567e39f7af9e021373ba4cf75ddba00705dd7020de4
                • Instruction Fuzzy Hash: EC41CE756003009FC720EF79D880A9BB3E4FF89315F208A6EED698B391D775A844CB95
                APIs
                • GetFileAttributesW.KERNEL32(00000001,00000000), ref: 00436AEF
                • FindFirstFileW.KERNEL32(00000001,?), ref: 00436B00
                • FindClose.KERNEL32(00000000), ref: 00436B13
                Similarity
                • API ID: FileFind$AttributesCloseFirst
                • String ID:
                • API String ID: 48322524-0
                • Opcode ID: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
                • Instruction ID: 417b6d6de692ea6945bae3bf725251b28653fd5bce93257cef0f58e2a105c1b1
                • Opcode Fuzzy Hash: 9dc85b775151a348b3ed896f2b5842869c214baa03f23a1e311506cc1954de59
                • Instruction Fuzzy Hash: 23E02236804418678600AB7CAC0C4EE779CDB0A335F100B96FE38C21D0D775A9408FEA
                APIs
                • __time64.LIBCMT ref: 004433A2
                  • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
                  • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
                Similarity
                • API ID: Time$FileSystem__aulldiv__time64
                • String ID: rJ
                • API String ID: 2893107130-1865492326
                • Opcode ID: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
                • Instruction ID: ebc1a5536eae3429eadb0b33e849de59894c076497330b79c1ff8485d89898ec
                • Opcode Fuzzy Hash: e603e75d0767fd135478995c8e8d26e9f594f0c4df67822259ddb38eb763753e
                • Instruction Fuzzy Hash: B721A2336205108BF321CF36CC41652B7E7EBE0314F268A6AE4A5973C5CA797906CB98
                APIs
                • __time64.LIBCMT ref: 004433A2
                  • Part of subcall function 00414CEF: GetSystemTimeAsFileTime.KERNEL32(?,?,?,?,004341DB,00000000,?,0044248A,?,?,?,0048B850), ref: 00414CFA
                  • Part of subcall function 00414CEF: __aulldiv.LIBCMT ref: 00414D1A
                Similarity
                • API ID: Time$FileSystem__aulldiv__time64
                • String ID: rJ
                • API String ID: 2893107130-1865492326
                • Opcode ID: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
                • Instruction ID: 4b4e0c3debee0a45c2bc781276f994e79ac96c452fb6cf924f1e6ade5adf298d
                • Opcode Fuzzy Hash: e8e365b2ab883cc854990c78a2143569adcb81f7322f31e235de15ec19987b7e
                • Instruction Fuzzy Hash: E82187336345108BF321CF36CC4165277E3EBE0314B258B6AD4A5973C5CA797906CB88
                APIs
                • InternetQueryDataAvailable.WININET(?,?,?,?,00000000,00000000), ref: 004428C2
                • InternetReadFile.WININET(?,00000000,?,?), ref: 004428F9
                  • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                Similarity
                • API ID: Internet$AvailableDataErrorFileLastQueryRead
                • String ID:
                • API String ID: 901099227-0
                • Opcode ID: c5651eff999419169b46b76971b5abcb261cf656e183e849eb3ab7268b4b60d7
                • Instruction ID: 2c15810e60b1cb59304632cc8162977c32d0240baa2dcf3c2cd6ef22f942a6bb
                • Opcode Fuzzy Hash: c5651eff999419169b46b76971b5abcb261cf656e183e849eb3ab7268b4b60d7
                • Instruction Fuzzy Hash: 452174B12043016BF220EF56DD45FAFB3E8ABD4715F40492EF285A6180D7B8E949C76A
                APIs
                • FindFirstFileW.KERNEL32(00000000,?,?), ref: 0045DDA1
                • FindClose.KERNEL32(00000000), ref: 0045DDDD
                Similarity
                • API ID: Find$CloseFileFirst
                • String ID:
                • API String ID: 2295610775-0
                • Opcode ID: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
                • Instruction ID: 3577cc1601137e614a3334ffa73c6d258275d41fe8d72aaca367a27ef3e2a016
                • Opcode Fuzzy Hash: eac1d012b3ae473636f11b903683455954ec17c127a785734040b224e9a5f79e
                • Instruction Fuzzy Hash: DE11E5766002049FD710EF6ADC89A5AF7E5EF84325F10892EF958D7281CB75E8048B94
                APIs
                • GetLastError.KERNEL32(00000000,00000000,00000FFF,00000000,?,?,004782E6,?,?,?), ref: 0044AF8E
                • FormatMessageW.KERNEL32(00001000,00000000,?,00000000,00000000,00000FFF,00000000,?,?,004782E6,?,?,?), ref: 0044AFA5
                Similarity
                • API ID: ErrorFormatLastMessage
                • String ID:
                • API String ID: 3479602957-0
                Strings
                Similarity
                • API ID:
                • String ID: 0vH$HH
                • API String ID: 0-728391547
                APIs
                Similarity
                • API ID: _memset
                • String ID:
                • API String ID: 2102423945-0
                APIs
                • DefDlgProcW.USER32(?,?,?,?,004A83D8,?), ref: 0047E22C
                Similarity
                • API ID: Proc
                • String ID:
                • API String ID: 2346855178-0
                APIs
                • BlockInput.USER32(00000001), ref: 0045A272
                Similarity
                • API ID: BlockInput
                • String ID:
                • API String ID: 3456056419-0
                APIs
                • LogonUserW.ADVAPI32(?,?,?,?,00000000,?), ref: 0043918E
                Similarity
                • API ID: LogonUser
                • String ID:
                • API String ID: 1244722697-0
                APIs
                Similarity
                • API ID: NameUser
                • String ID:
                • API String ID: 2645101109-0
                APIs
                • SetUnhandledExceptionFilter.KERNEL32(Function_00021FEC), ref: 00422033
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                APIs
                • DeleteObject.GDI32(?), ref: 004593D7
                • DeleteObject.GDI32(?), ref: 004593F1
                • DestroyWindow.USER32(?), ref: 00459407
                • GetDesktopWindow.USER32 ref: 0045942A
                • GetWindowRect.USER32(00000000), ref: 00459431
                • SetRect.USER32(50000001,00000000,00000000,000001F4,?), ref: 00459568
                • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00459577
                • CreateWindowExW.USER32(?,AutoIt v3,00000000,?,88C00000,?,?,50000001,?,?,00000000,00000000), ref: 004595BB
                • GetClientRect.USER32(00000000,?), ref: 004595C8
                • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,?,00000000,00000000,00000000), ref: 00459615
                • CreateFileW.KERNEL32(00000000,?,80000000,00000000,00000000,00000003,00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459635
                • GetFileSize.KERNEL32(00000000,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459654
                • GlobalAlloc.KERNEL32(00000002,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 0045965F
                • GlobalLock.KERNEL32(00000000), ref: 00459668
                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459678
                • GlobalUnlock.KERNEL32(00000000), ref: 0045967F
                • CloseHandle.KERNEL32(00000000,?,50000001,?,?,00000000,00000000,00000000), ref: 00459686
                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,50000001,?,?,00000000,00000000,00000000), ref: 00459694
                • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,000001F4), ref: 004596AD
                • GlobalFree.KERNEL32(00000000), ref: 004596C0
                • CopyImage.USER32(000000FF,00000000,00000000,00000000,00002000), ref: 004596EF
                • SendMessageW.USER32(00000000,00000172,00000000,000000FF), ref: 00459712
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,50000001,?,?,00000000,00000000,00000000), ref: 0045973D
                • ShowWindow.USER32(?,00000004,?,50000001,?,?,00000000,00000000,00000000), ref: 0045974B
                • CreateWindowExW.USER32(00000000,static,00000000,?,?,0000000B,0000000B,?,?,?,00000000,00000000), ref: 0045979C
                • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 004597AD
                • GetStockObject.GDI32(00000011), ref: 004597B7
                • SelectObject.GDI32(00000000,00000000), ref: 004597BF
                • GetTextFaceW.GDI32(00000000,00000040,00000190,?,50000001,?,?,00000000,00000000,00000000), ref: 004597CD
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004597D6
                • DeleteDC.GDI32(00000000), ref: 004597E1
                • _wcslen.LIBCMT ref: 00459800
                • _wcscpy.LIBCMT ref: 0045981F
                • CreateFontW.GDI32(?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 004598BB
                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 004598D0
                • GetDC.USER32(?), ref: 004598DE
                • SelectObject.GDI32(00000000,?), ref: 004598EE
                • SelectObject.GDI32(00000000,?), ref: 00459919
                • ReleaseDC.USER32(?,00000000), ref: 00459925
                • MoveWindow.USER32(?,0000000B,?,?,?,00000001), ref: 00459943
                • ShowWindow.USER32(?,00000004,?,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,00000190), ref: 00459951
                Strings
                Similarity
                • API ID: Window$Create$Object$Global$Rect$DeleteFileSelect$MessageSendShow$AdjustAllocCapsClientCloseCopyDesktopDestroyDeviceFaceFontFreeHandleImageLoadLockMovePictureReadReleaseSizeStockStreamTextUnlock_wcscpy_wcslen
                • String ID: $AutoIt v3$DISPLAY$static
                • API String ID: 4040870279-2373415609
                APIs
                • GetSysColor.USER32(00000012), ref: 00441E64
                • SetTextColor.GDI32(?,?), ref: 00441E6C
                • GetSysColorBrush.USER32(0000000F), ref: 00441E83
                • GetSysColor.USER32(0000000F), ref: 00441E8F
                • SetBkColor.GDI32(?,?), ref: 00441EAA
                • SelectObject.GDI32(?,?), ref: 00441EBA
                • InflateRect.USER32(?,000000FF,000000FF), ref: 00441EF0
                • GetSysColor.USER32(00000010), ref: 00441EF8
                • CreateSolidBrush.GDI32(00000000), ref: 00441EFF
                • FrameRect.USER32(?,?,00000000), ref: 00441F10
                • DeleteObject.GDI32(?), ref: 00441F1B
                • InflateRect.USER32(?,000000FE,000000FE), ref: 00441F75
                • FillRect.USER32(?,?,?), ref: 00441FB6
                  • Part of subcall function 00433D5C: GetSysColor.USER32(0000000E), ref: 00433D81
                  • Part of subcall function 00433D5C: SetTextColor.GDI32(?,00000000), ref: 00433D89
                  • Part of subcall function 00433D5C: GetSysColorBrush.USER32(0000000F), ref: 00433DBF
                  • Part of subcall function 00433D5C: GetSysColor.USER32(0000000F), ref: 00433DCB
                  • Part of subcall function 00433D5C: GetSysColor.USER32(00000011), ref: 00433DEB
                  • Part of subcall function 00433D5C: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                  • Part of subcall function 00433D5C: SelectObject.GDI32(?,00000000), ref: 00433E0D
                  • Part of subcall function 00433D5C: SetBkColor.GDI32(?,?), ref: 00433E19
                  • Part of subcall function 00433D5C: SelectObject.GDI32(?,?), ref: 00433E29
                  • Part of subcall function 00433D5C: InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
                  • Part of subcall function 00433D5C: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                  • Part of subcall function 00433D5C: GetWindowLongW.USER32 ref: 00433E8A
                  • Part of subcall function 00433D5C: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                Similarity
                • API ID: Color$Rect$Object$BrushInflateSelect$CreateText$DeleteFillFrameLongMessageRoundSendSolidWindow
                • String ID:
                • API String ID: 69173610-0
                APIs
                Strings
                Similarity
                • API ID: __wcsnicmp
                • String ID: #NoAutoIt3Execute$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#requireadmin$Cannot parse #include$Unterminated group of comments
                • API String ID: 1038674560-3360698832
                APIs
                • GetSysColor.USER32(0000000E), ref: 00433D81
                • SetTextColor.GDI32(?,00000000), ref: 00433D89
                • GetSysColor.USER32(00000012), ref: 00433DA3
                • SetTextColor.GDI32(?,?), ref: 00433DAB
                • GetSysColorBrush.USER32(0000000F), ref: 00433DBF
                • GetSysColor.USER32(0000000F), ref: 00433DCB
                • CreateSolidBrush.GDI32(?), ref: 00433DD4
                • GetSysColor.USER32(00000011), ref: 00433DEB
                • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00433DFD
                • SelectObject.GDI32(?,00000000), ref: 00433E0D
                • SetBkColor.GDI32(?,?), ref: 00433E19
                • SelectObject.GDI32(?,?), ref: 00433E29
                • InflateRect.USER32(?,000000FF,000000FF), ref: 00433E54
                • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00433E73
                • GetWindowLongW.USER32 ref: 00433E8A
                • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00433EAC
                • GetWindowTextW.USER32(00000000,00000000,00000105), ref: 00433EE1
                • InflateRect.USER32(?,000000FD,000000FD), ref: 00433F13
                • DrawFocusRect.USER32(?,?), ref: 00433F1F
                • GetSysColor.USER32(00000011), ref: 00433F2E
                • SetTextColor.GDI32(?,00000000), ref: 00433F36
                • DrawTextW.USER32(?,?,000000FF,?,?), ref: 00433F4E
                • SelectObject.GDI32(?,?), ref: 00433F63
                • DeleteObject.GDI32(?), ref: 00433F70
                • SelectObject.GDI32(?,?), ref: 00433F78
                • DeleteObject.GDI32(00000000), ref: 00433F7B
                • SetTextColor.GDI32(?,?), ref: 00433F83
                • SetBkColor.GDI32(?,?), ref: 00433F8F
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Color$ObjectText$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                • String ID:
                • API String ID: 1582027408-0
                • Opcode ID: aa49e6287f5c8eaa4963889518cb643ef6cff4134c3562cc94785d6825a4d511
                • Instruction ID: aa454ab644ffbff4d2185aee23397a25bdbdaef3ad5a75b83a3ebbbeed3afe32
                • Opcode Fuzzy Hash: aa49e6287f5c8eaa4963889518cb643ef6cff4134c3562cc94785d6825a4d511
                • Instruction Fuzzy Hash: 53710570508340AFD304DF68DD88A6FBBF9FF89711F104A2DFA5592290D7B4E9418B6A
                APIs
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AFC2
                • RegCreateKeyExW.ADVAPI32(?,?,00000000,004848E8,00000000,?,00000000,?,?,?,?,?), ref: 0046B01C
                • RegCloseKey.ADVAPI32(?), ref: 0046B069
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CloseConnectCreateRegistry
                • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                • API String ID: 3217815495-966354055
                • Opcode ID: 0576c88994f74b2f505fbc87b526c76ee4a7ccfdd2ff9ae5f0ee2fafbf8681fe
                • Instruction ID: d9d2404220d166b11353d33fb52652cf6d28829cdaa3b272cf204d1a2c990fb8
                • Opcode Fuzzy Hash: 0576c88994f74b2f505fbc87b526c76ee4a7ccfdd2ff9ae5f0ee2fafbf8681fe
                • Instruction Fuzzy Hash: 2CE1A1B1600300ABD710EF65C885F1BB7E8AF48704F14895EB945DB392D778E945CBAA
                APIs
                • GetCursorPos.USER32(?), ref: 00456692
                • GetDesktopWindow.USER32 ref: 004566AA
                • GetWindowRect.USER32(00000000), ref: 004566B1
                • GetWindowLongW.USER32(?,000000F0), ref: 0045670D
                • GetWindowLongW.USER32(?,000000F0), ref: 00456720
                • DestroyWindow.USER32(?), ref: 00456731
                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00456779
                • SendMessageW.USER32(00000000,00000432,00000000,0000002C), ref: 00456797
                • SendMessageW.USER32(?,00000439,00000000,0000002C), ref: 004567C0
                • SendMessageW.USER32(?,00000421,?,?), ref: 004567D8
                • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 004567EE
                • IsWindowVisible.USER32(?), ref: 00456812
                • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 0045682E
                • SendMessageW.USER32(?,00000411,00000001,0000002C), ref: 00456843
                • GetWindowRect.USER32(?,?), ref: 0045685C
                • MonitorFromPoint.USER32(?,?,00000002), ref: 00456880
                • GetMonitorInfoW.USER32 ref: 00456894
                • CopyRect.USER32(?,?), ref: 004568A8
                • SendMessageW.USER32(?,00000412,00000000), ref: 0045690A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Window$MessageSend$Rect$LongMonitor$CopyCreateCursorDesktopDestroyFromInfoPointVisible
                • String ID: ($,$tooltips_class32
                • API String ID: 541082891-3320066284
                • Opcode ID: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
                • Instruction ID: 3987ef5f26dee50c6234681dd74380f3ee0746d74ffcadc96223edc745891050
                • Opcode Fuzzy Hash: 25380f5391d2fe641591a116f81b43842710cc101ecbbf85cfa067c854d9f55a
                • Instruction Fuzzy Hash: 33B18EB0604341AFD714DF64C984B6BB7E5EF88704F408D2DF989A7292D778E848CB5A
                APIs
                • _wcslen.LIBCMT ref: 00454DCF
                • _wcslen.LIBCMT ref: 00454DE2
                • __wcsicoll.LIBCMT ref: 00454DEF
                • _wcslen.LIBCMT ref: 00454E04
                • __wcsicoll.LIBCMT ref: 00454E11
                • _wcslen.LIBCMT ref: 00454E24
                • __wcsicoll.LIBCMT ref: 00454E31
                  • Part of subcall function 004115D0: __wcsicmp_l.LIBCMT ref: 00411657
                • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00454E65
                • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,?,?,?,?,?,?,?,00000000), ref: 00454E79
                • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454EB7
                • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00454EFB
                • LoadImageW.USER32(00000000,00000000,?,00000001,?,?), ref: 00454F2C
                • FreeLibrary.KERNEL32(00000000), ref: 00454F37
                • ExtractIconExW.SHELL32(?,00000000,00000000,?,00000001), ref: 00454F94
                • DestroyIcon.USER32(?), ref: 00454FA2
                • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00454FC0
                • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00454FCC
                • MoveWindow.USER32(?,?,?,?,?,00000001), ref: 00454FF1
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Load$Image_wcslen$__wcsicoll$IconLibraryMessageSend$DestroyExtractFreeMoveWindow__wcsicmp_l
                • String ID: .dll$.exe$.icl
                • API String ID: 2511167534-1154884017
                • Opcode ID: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                • Instruction ID: 777b7c61fe84a0ac0f88e3bb9536c5d4e291b97e4b5026f6b39318954af55ba4
                • Opcode Fuzzy Hash: 3f138871eb6b7f703bfd118eaab481945a2915db6d26b5ab3e2ea40d00a2935e
                • Instruction Fuzzy Hash: D461D9711043016AE620DF659D85F7B73ECEF84B0AF00481EFE81D5182E7B9A989C77A
                APIs
                • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00436B4E
                • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000), ref: 00436B73
                • _wcslen.LIBCMT ref: 00436B79
                • _wcscpy.LIBCMT ref: 00436B9F
                • _wcscat.LIBCMT ref: 00436BC0
                • VerQueryValueW.VERSION(00000000,\VarFileInfo\Translation,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000), ref: 00436BE7
                • _wcscat.LIBCMT ref: 00436C2A
                • _wcscat.LIBCMT ref: 00436C31
                • __wcsicoll.LIBCMT ref: 00436C4B
                • _wcsncpy.LIBCMT ref: 00436C62
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: _wcscat$FileInfoVersion$QuerySizeValue__wcsicoll_wcscpy_wcslen_wcsncpy
                • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                • API String ID: 1503153545-1459072770
                • Opcode ID: 1bca29e3adc21336a21f3c01565ed382529ec8d4b1eae201a388b16e544b708b
                • Instruction ID: f4118b49cd66f9fee818cdfc0bae26735a4a754b0a3131160812af9443992caa
                • Opcode Fuzzy Hash: 1bca29e3adc21336a21f3c01565ed382529ec8d4b1eae201a388b16e544b708b
                • Instruction Fuzzy Hash: B54115B264020137D200B7269C83EFF735CDE99715F54091FFE45A2253FA2EA69642BE
                APIs
                  • Part of subcall function 004431E0: __time64.LIBCMT ref: 004431EA
                • _fseek.LIBCMT ref: 004527FC
                • __wsplitpath.LIBCMT ref: 0045285C
                • _wcscpy.LIBCMT ref: 00452871
                • _wcscat.LIBCMT ref: 00452886
                • __wsplitpath.LIBCMT ref: 004528B0
                • _wcscat.LIBCMT ref: 004528C8
                • _wcscat.LIBCMT ref: 004528DD
                • __fread_nolock.LIBCMT ref: 00452914
                • __fread_nolock.LIBCMT ref: 00452925
                • __fread_nolock.LIBCMT ref: 00452944
                • __fread_nolock.LIBCMT ref: 00452955
                • __fread_nolock.LIBCMT ref: 00452976
                • __fread_nolock.LIBCMT ref: 00452987
                • __fread_nolock.LIBCMT ref: 00452998
                • __fread_nolock.LIBCMT ref: 004529A9
                  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004523ED
                  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 00452432
                  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045244F
                  • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 0045247D
                  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 0045248E
                  • Part of subcall function 004523CE: __fread_nolock.LIBCMT ref: 004524AB
                  • Part of subcall function 004523CE: _wcscpy.LIBCMT ref: 004524D9
                • __fread_nolock.LIBCMT ref: 00452A39
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: __fread_nolock$_wcscat_wcscpy$__wsplitpath$__time64_fseek
                • String ID:
                • API String ID: 2054058615-0
                • Opcode ID: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
                • Instruction ID: 66779ec6e5012556871fefb3c18d5d4f0449fb8b445ab61f685bb60241e2a5ae
                • Opcode Fuzzy Hash: 983239acf030dd5dbcb525efe1f3094d5bf78e470c43ee0c462dc16c64ee25c2
                • Instruction Fuzzy Hash: 16C14EB2508340ABD320DF65C881EEBB7E8EFC9714F444D2FF68987241E6799544CBA6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID:
                • String ID: 0
                • API String ID: 0-4108050209
                • Opcode ID: b9da739ef4394ef292cf8eb25369925a80ec30f337521dada9f854f90e9bbf21
                • Instruction ID: a4e6889c8706d2a682ad3cc8acca51b009283e1ae9b51da70db0806919efebf9
                • Opcode Fuzzy Hash: b9da739ef4394ef292cf8eb25369925a80ec30f337521dada9f854f90e9bbf21
                • Instruction Fuzzy Hash: 95C104723403416BF3209B64DC46FBBB794EB95321F04453FFA45D62C1EBBA9409876A
                APIs
                  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                • GetWindowRect.USER32(?,?), ref: 004701EA
                • GetClientRect.USER32(?,?), ref: 004701FA
                • GetSystemMetrics.USER32(00000007), ref: 00470202
                • GetSystemMetrics.USER32(00000008), ref: 00470216
                • GetSystemMetrics.USER32(00000004), ref: 00470238
                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0047026B
                • GetSystemMetrics.USER32(00000007), ref: 00470273
                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 004702A0
                • GetSystemMetrics.USER32(00000008), ref: 004702A8
                • GetSystemMetrics.USER32(00000004), ref: 004702CF
                • SetRect.USER32(?,00000000,00000000,?,?), ref: 004702F1
                • AdjustWindowRectEx.USER32(?,?,00000000,000000FF), ref: 00470304
                • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,?,?,?,?,00000000,00400000,00000000), ref: 0047033E
                • SetWindowLongW.USER32(00000000,000000EB,?), ref: 00470356
                • GetClientRect.USER32(?,?), ref: 00470371
                • GetStockObject.GDI32(00000011), ref: 00470391
                • SendMessageW.USER32(?,00000030,00000000), ref: 0047039D
                • SetTimer.USER32(00000000,00000000,00000028,Function_00061E7F), ref: 004703C4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: System$Metrics$Rect$Window$ClientInfoParameters$AdjustCreateLongMessageObjectSendStockTimer_malloc
                • String ID: AutoIt v3 GUI
                • API String ID: 867697134-248962490
                • Opcode ID: 2f3c1093d205cc919e8fce6edce52452572e464071e7d7185a704cd66ddcb838
                • Instruction ID: 96ed3905d942d8c5c267f8207effb08aff50268186fc7250a269a1908d1679c9
                • Opcode Fuzzy Hash: 2f3c1093d205cc919e8fce6edce52452572e464071e7d7185a704cd66ddcb838
                • Instruction Fuzzy Hash: 27B19F71205301AFD324DF68DD45B6BB7E4FB88710F108A2EFA9587290DBB5E844CB5A
                APIs
                • SetWindowPos.USER32(004A83D8,00000000,00000000,00000000,00000000,00000000,00000013,004A83D8,?,?), ref: 0044880A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Window
                • String ID: 0
                • API String ID: 2353593579-4108050209
                • Opcode ID: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
                • Instruction ID: 13976ff69904029c6bcd7d6129a783336058688c161485e0dcc644b2654616cc
                • Opcode Fuzzy Hash: ca380a5f1b7b22306afb7d181ee8588f63c71b92ae7430e038360cbc2591eaeb
                • Instruction Fuzzy Hash: 94B19DB02443419FF324CF14C889BABBBE4EB89744F14491EF991972D1DBB8E845CB5A
                APIs
                • GetSysColor.USER32 ref: 0044A11D
                • GetClientRect.USER32(?,?), ref: 0044A18D
                • SendMessageW.USER32(?,00001328,00000000,?), ref: 0044A1A6
                • GetWindowDC.USER32(?), ref: 0044A1B3
                • GetPixel.GDI32(00000000,?,?), ref: 0044A1C6
                • ReleaseDC.USER32(?,00000000), ref: 0044A1D6
                • GetSysColor.USER32(0000000F), ref: 0044A1EC
                • GetWindowLongW.USER32(?,000000F0), ref: 0044A207
                • GetSysColor.USER32(0000000F), ref: 0044A216
                • GetSysColor.USER32(00000005), ref: 0044A21E
                • GetWindowDC.USER32 ref: 0044A277
                • GetPixel.GDI32(00000000,00000000,00000000), ref: 0044A28A
                • GetPixel.GDI32(00000000,?,00000000), ref: 0044A29F
                • GetPixel.GDI32(00000000,00000000,?), ref: 0044A2B4
                • GetPixel.GDI32(00000000,?,?), ref: 0044A2D0
                • ReleaseDC.USER32(?,00000000), ref: 0044A2D8
                • SetTextColor.GDI32(00000000,?), ref: 0044A2F6
                • SetBkMode.GDI32(00000000,00000001), ref: 0044A30A
                • GetStockObject.GDI32(00000005), ref: 0044A312
                • SetBkColor.GDI32(00000000,00000000), ref: 0044A328
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Color$Pixel$Window$Release$ClientLongMessageModeObjectRectSendStockText
                • String ID:
                • API String ID: 1744303182-0
                • Opcode ID: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
                • Instruction ID: f407f88e1fc9bdd08975b2e96734b256c85d8f08b0ead5e1f8dbf5832e348edb
                • Opcode Fuzzy Hash: c697551d262e08263a45fd1ab6b47457a8b4de30e4a023901e5f3e03e0b3260a
                • Instruction Fuzzy Hash: AD6148315442016BE3209B388C88BBFB7A4FB49324F54079EF9A8973D0D7B99C51D76A
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: __wcsicoll$__wcsnicmp
                • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                • API String ID: 790654849-1810252412
                • Opcode ID: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
                • Instruction ID: 1b62209f2aa4de5792947d5a3aa61dcd1c874d3672784017b8f4b2c72f71c34c
                • Opcode Fuzzy Hash: 3ef763bd77a89c14e9ef14da431a542ecfa9ee53dca0875bc5fd58ba0035de2e
                • Instruction Fuzzy Hash: 7A3193B1644301A7CA00FA61DC83F5B73A85F54759F100A3FB955B61D6FA6CEA0C862F
                APIs
                • _memset.LIBCMT ref: 00463F35
                • _wcslen.LIBCMT ref: 004640A0
                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004640B6
                • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 004640DC
                • _wcslen.LIBCMT ref: 0046419A
                • GetCurrentDirectoryW.KERNEL32(00000000,00000000,?), ref: 004641B4
                • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 004641DA
                • _wcslen.LIBCMT ref: 0046422C
                • _wcslen.LIBCMT ref: 00464244
                • _wcslen.LIBCMT ref: 00464267
                • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 004642CA
                • GetLastError.KERNEL32(00000000,00000001,00000000,?,?), ref: 00464304
                • CloseHandle.KERNEL32(?,?,?), ref: 0046434C
                • CloseHandle.KERNEL32(?), ref: 004643DD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: _wcslen$Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                • String ID: D$HH
                • API String ID: 908184983-3550586394
                • Opcode ID: 9c94baab72e5f216c2de1bbe37285b47dbfb71c8dd0184069956c6c9248de8d4
                • Instruction ID: fb727168ff3a635639fa9d56eabcb50e9dc6a5bc9d0fc25d7c440df2c68cb0fa
                • Opcode Fuzzy Hash: 9c94baab72e5f216c2de1bbe37285b47dbfb71c8dd0184069956c6c9248de8d4
                • Instruction Fuzzy Hash: F1E1F1B15043419BD720EF75C845B5BB7E4AFC4308F104A2EF98987392EB39E945CB5A
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: InitVariant
                • String ID:
                • API String ID: 1927566239-0
                • Opcode ID: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
                • Instruction ID: b17386a2766a1a739d91313a8bf0106a5dd250ff49ec0cac6ee5761d63536315
                • Opcode Fuzzy Hash: 0ce8a0180f427c6633dd7a645a706da8f2470da33a28fd12fcc8bbcffff15558
                • Instruction Fuzzy Hash: 87A1F5766146019FC300EF65D88499FB7AAFF85315F408D3EFA49C3211D77AD4098BAA
                APIs
                  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                • GetForegroundWindow.USER32(?,?), ref: 0046D7C1
                • GetForegroundWindow.USER32 ref: 0046DBA4
                • IsWindow.USER32(?), ref: 0046DBDE
                • GetDesktopWindow.USER32 ref: 0046DCB5
                • EnumChildWindows.USER32(00000000), ref: 0046DCBC
                • EnumWindows.USER32(00460772,?), ref: 0046DCC4
                  • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Window$EnumForegroundWindows_wcslen$ChildDesktop
                • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                • API String ID: 1322021666-1919597938
                • Opcode ID: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                • Instruction ID: 252cd24da08a8cddfda52e39780f3f39bafd894638fb43d2866a45805a666b3e
                • Opcode Fuzzy Hash: f0ae0bd5c84c8fbd9fa80e8b17a650ade3f6139d63811c55da114ce2128ba9af
                • Instruction Fuzzy Hash: 96F1C571D143409BCB00EF61C881EAB73A4BF95308F44496FF9456B286E77DE909CB6A
                APIs
                • GetLocalTime.KERNEL32(?), ref: 0045DED4
                • SystemTimeToFileTime.KERNEL32(?,?), ref: 0045DEE4
                • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0045DEF0
                • _wcsncpy.LIBCMT ref: 0045DF0F
                • __wsplitpath.LIBCMT ref: 0045DF54
                • _wcscat.LIBCMT ref: 0045DF6C
                • _wcscat.LIBCMT ref: 0045DF7E
                • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0045DF93
                • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFA7
                • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFE5
                • SetCurrentDirectoryW.KERNEL32(?), ref: 0045DFFB
                • SetCurrentDirectoryW.KERNEL32(?), ref: 0045E00D
                • _wcscpy.LIBCMT ref: 0045E019
                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 0045E05F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CurrentDirectory$Time$File$Local_wcscat$System__wsplitpath_wcscpy_wcsncpy
                • String ID: *.*
                • API String ID: 3201719729-438819550
                • Opcode ID: 89541da3f554ebb8d42e95f45bc66f31ca584aff69b040987f949bd9346ecb30
                • Instruction ID: 9ef8ac46b2ec3f8a2b66e183c5d6435db2730cdd54c1860218fefef83dfd89d7
                • Opcode Fuzzy Hash: 89541da3f554ebb8d42e95f45bc66f31ca584aff69b040987f949bd9346ecb30
                • Instruction Fuzzy Hash: D061A7B25043049BC724EF65C881E9FB3E8AF94704F048E1EF98987241DB79E949CB96
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: __wcsicoll$IconLoad
                • String ID: blank$info$question$stop$warning
                • API String ID: 2485277191-404129466
                • Opcode ID: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
                • Instruction ID: 3fdcc892c2a25cebf9aff257507665a297d4e16c4260cb8f6e9492a672fb13e0
                • Opcode Fuzzy Hash: 5bed60ec3368b378429e4d7d86c3e9ed6cb6a0c6f582f3c961ebbe10ae210b10
                • Instruction Fuzzy Hash: CB2128B6B08301A7D610A725BC05FDF27489FA8365F004C2BF941E2283F3A8A45583BD
                APIs
                • CompareStringW.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428611
                • GetLastError.KERNEL32(?,?,004832AC,00000001,004832AC,00000001), ref: 00428627
                • strncnt.LIBCMT ref: 00428646
                • strncnt.LIBCMT ref: 0042865A
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: strncnt$CompareErrorLastString
                • String ID:
                • API String ID: 1776594460-0
                • Opcode ID: 16ce8c3a65625fd7540c51b5c1254bfa478756f7f63d0819a38d9cd03b2976a4
                • Instruction ID: 056e5a993d73ec50dc3c8e072878bb631c9b69e1f80941a2a69bbd8adeb14d7f
                • Opcode Fuzzy Hash: 16ce8c3a65625fd7540c51b5c1254bfa478756f7f63d0819a38d9cd03b2976a4
                • Instruction Fuzzy Hash: 0DA1B131B01225AFDF219F61EC41AAF7BB6AF94340FA4402FF81196251DF3D8891CB58
                APIs
                • LoadIconW.USER32(?,00000063), ref: 004545DA
                • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 004545EC
                • SetWindowTextW.USER32(?,?), ref: 00454606
                • GetDlgItem.USER32(?,000003EA), ref: 0045461F
                • SetWindowTextW.USER32(00000000,?), ref: 00454626
                • GetDlgItem.USER32(?,000003E9), ref: 00454637
                • SetWindowTextW.USER32(00000000,?), ref: 0045463E
                • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00454663
                • SendDlgItemMessageW.USER32(?,000003E9,000000C5,?,00000000), ref: 0045467D
                • GetWindowRect.USER32(?,?), ref: 00454688
                • SetWindowTextW.USER32(?,?), ref: 004546FD
                • GetDesktopWindow.USER32 ref: 00454708
                • GetWindowRect.USER32(00000000), ref: 0045470F
                • MoveWindow.USER32(?,?,00000000,?,?,00000000), ref: 00454760
                • GetClientRect.USER32(?,?), ref: 0045476F
                • PostMessageW.USER32(?,00000005,00000000,?), ref: 0045479E
                • SetTimer.USER32(?,0000040A,?,00000000), ref: 004547E9
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                • String ID:
                • API String ID: 3869813825-0
                • Opcode ID: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
                • Instruction ID: 4e77de65cc6986e78e6be143d0a4b9e7f39e78804b6f4fc71fe9e35dfcfd5046
                • Opcode Fuzzy Hash: d6d25c813e590b752cbfd9858452ff05e3d443d6a6ce6916d89e520ab15b373f
                • Instruction Fuzzy Hash: 8C616D71604701AFD320DF68CD88F2BB7E8AB88709F004E1DF98697691D7B8E849CB55
                APIs
                • LoadCursorW.USER32(00000000,00007F8A), ref: 00458D2D
                • LoadCursorW.USER32(00000000,00007F00), ref: 00458D3A
                • LoadCursorW.USER32(00000000,00007F03), ref: 00458D47
                • LoadCursorW.USER32(00000000,00007F8B), ref: 00458D54
                • LoadCursorW.USER32(00000000,00007F01), ref: 00458D61
                • LoadCursorW.USER32(00000000,00007F81), ref: 00458D6E
                • LoadCursorW.USER32(00000000,00007F88), ref: 00458D7B
                • LoadCursorW.USER32(00000000,00007F80), ref: 00458D88
                • LoadCursorW.USER32(00000000,00007F86), ref: 00458D95
                • LoadCursorW.USER32(00000000,00007F83), ref: 00458DA2
                • LoadCursorW.USER32(00000000,00007F85), ref: 00458DAF
                • LoadCursorW.USER32(00000000,00007F82), ref: 00458DBC
                • LoadCursorW.USER32(00000000,00007F84), ref: 00458DC9
                • LoadCursorW.USER32(00000000,00007F04), ref: 00458DD6
                • LoadCursorW.USER32(00000000,00007F02), ref: 00458DE3
                • LoadCursorW.USER32(00000000,00007F89), ref: 00458DF0
                • GetCursorInfo.USER32 ref: 00458E03
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Cursor$Load$Info
                • String ID:
                • API String ID: 2577412497-0
                • Opcode ID: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
                • Instruction ID: 36b4ee280ed0253346847529aeb00c95e660e1b7f2a6688567eec4957a26740b
                • Opcode Fuzzy Hash: 0c78b259ae472df09145ddf792cd37f85d2c816b82f1d484569203a38ef646a1
                • Instruction Fuzzy Hash: D9311671E4C3156AE7509F758C5AB1BBEE0AF40B54F004D2FF2889F2D1DAB9E4448B86
                APIs
                • PostMessageW.USER32(?,00000112,0000F060,00000000), ref: 004696CC
                • GetFocus.USER32 ref: 004696E0
                • GetDlgCtrlID.USER32(00000000), ref: 004696EB
                • PostMessageW.USER32(?,00000111,?,00000000), ref: 0046973F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessagePost$CtrlFocus
                • String ID: 0
                • API String ID: 1534620443-4108050209
                • Opcode ID: a7e7dd4ad94bd17b8779821b2562c3e74f4a4d43059232d4a161c8df91f382bc
                • Instruction ID: 7d80af5808d25915b866e76daf530f36ef8b085de22dc1c7fc8dbb607ae8adb7
                • Opcode Fuzzy Hash: a7e7dd4ad94bd17b8779821b2562c3e74f4a4d43059232d4a161c8df91f382bc
                • Instruction Fuzzy Hash: 1591E1B1604301ABD710DF14D884BABB7A8FB89714F004A1EF99497391E7B4DC49CBAB
                APIs
                • _memset.LIBCMT ref: 00468107
                • GetMenuItemInfoW.USER32(?,00000007,00000000,?), ref: 00468190
                • GetMenuItemCount.USER32(?), ref: 00468227
                • DeleteMenu.USER32(?,00000005,00000000), ref: 004682B8
                • DeleteMenu.USER32(?,00000004,00000000), ref: 004682C1
                • DeleteMenu.USER32(?,00000006,00000000,?,00000004,00000000), ref: 004682CA
                • DeleteMenu.USER32(00000000,00000003,00000000,?,00000006,00000000,?,00000004,00000000), ref: 004682D3
                • GetMenuItemCount.USER32 ref: 004682DC
                • SetMenuItemInfoW.USER32 ref: 00468317
                • GetCursorPos.USER32(00000000), ref: 00468322
                • SetForegroundWindow.USER32(?), ref: 0046832D
                • TrackPopupMenuEx.USER32(?,00000000,00000000,00000006,?,00000000,?,?,00000006,00000000,?,00000004,00000000), ref: 00468345
                • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 00468352
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                • String ID: 0
                • API String ID: 3993528054-4108050209
                • Opcode ID: 96134d5ccf85dd2c353584f61e992c1258bc53944db1005dc2f45aa542165571
                • Instruction ID: a450cccb4b36e122d1eca3afa35c85d1e57e2007e4dd5bc50ce81cada7f4397f
                • Opcode Fuzzy Hash: 96134d5ccf85dd2c353584f61e992c1258bc53944db1005dc2f45aa542165571
                • Instruction Fuzzy Hash: 3C71C070648301ABE3309B14CC49F5BB7E8BF86724F244B0EF5A5563D1DBB9A8458B1B
                APIs
                • DragQueryPoint.SHELL32(?,?), ref: 0046F2DA
                  • Part of subcall function 00441CB4: ClientToScreen.USER32(00000000,?), ref: 00441CDE
                  • Part of subcall function 00441CB4: GetWindowRect.USER32(?,?), ref: 00441D5A
                  • Part of subcall function 00441CB4: PtInRect.USER32(?,?,?), ref: 00441D6F
                • SendMessageW.USER32(?), ref: 0046F34C
                • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0046F355
                • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0046F37F
                • _wcscat.LIBCMT ref: 0046F3BC
                • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0046F3D1
                • SendMessageW.USER32(?,000000B0,?,?), ref: 0046F3E3
                • SendMessageW.USER32(?,000000B1,?,?), ref: 0046F3F1
                • SendMessageW.USER32(?,000000B1,?,?), ref: 0046F40E
                • DragFinish.SHELL32(?), ref: 0046F414
                • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0046F4FC
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend$Drag$Query$FileRect$ClientFinishPointProcScreenWindow_wcscat
                • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                • API String ID: 4085615965-3440237614
                • Opcode ID: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
                • Instruction ID: d92027b63b9478c52a8b17f069484fb886a707b260a555cedefccfc898d4b85d
                • Opcode Fuzzy Hash: e6dc8860684545ee98a9b737372e313d8034606243f87d3f07a4344f64e9a130
                • Instruction Fuzzy Hash: 596170716043009BD700EF54D885E5FB7A8FFC9714F104A2EF99097291D7B8A949CBAA
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: __wcsicoll
                • String ID: LEFT$MAIN$MENU$MIDDLE$PRIMARY$RIGHT$SECONDARY
                • API String ID: 3832890014-4202584635
                • Opcode ID: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
                • Instruction ID: bf73cd225697d97a5a257e466bf5c8c79b4efa22739c650e03c6b1f9c6e9338c
                • Opcode Fuzzy Hash: 3f0b73fdde0a53fb0a00575eab05b85141dd4a2dcfcc4ab19f269ee93bd0b8a8
                • Instruction Fuzzy Hash: 1D01616160562122FE11322A7C03BDF15898F5139AF14447BFC05F1282FF4DDA8692EE
                APIs
                • _memset.LIBCMT ref: 004669C4
                • _wcsncpy.LIBCMT ref: 00466A21
                • _wcsncpy.LIBCMT ref: 00466A4D
                  • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                  • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                • _wcstok.LIBCMT ref: 00466A90
                  • Part of subcall function 004142A3: __getptd.LIBCMT ref: 004142A9
                • _wcstok.LIBCMT ref: 00466B3F
                • _wcscpy.LIBCMT ref: 00466BC8
                • GetOpenFileNameW.COMDLG32(00000058), ref: 00466CFE
                • _wcslen.LIBCMT ref: 00466D1D
                • _memset.LIBCMT ref: 00466BEE
                  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                • _wcslen.LIBCMT ref: 00466D4B
                • GetSaveFileNameW.COMDLG32(00000058), ref: 00466D9E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: _wcslen$FileName_memset_wcscpy_wcsncpy_wcstok$OpenSave__getptd
                • String ID: X$HH
                • API String ID: 3021350936-1944015008
                • Opcode ID: 148ffd08a53066c169799d7010fd2328abbb1436974d200da898f01e024381e3
                • Instruction ID: 73e83d7ea4d12cbe09e247b0b8120e99e9ae8af51722f6ce2f45a1bbad6557a4
                • Opcode Fuzzy Hash: 148ffd08a53066c169799d7010fd2328abbb1436974d200da898f01e024381e3
                • Instruction Fuzzy Hash: D1C1B2715043408BC714EF65C981A9FB3E4BF84304F15892FF949AB292EB78E905CB9B
                APIs
                • _memset.LIBCMT ref: 0045F4AE
                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F519
                • SetMenuItemInfoW.USER32(00000008,00000004,00000000,?), ref: 0045F556
                • Sleep.KERNEL32(000001F4,?,?,00000000,?), ref: 0045F568
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: InfoItemMenu$Sleep_memset
                • String ID: 0
                • API String ID: 1504565804-4108050209
                • Opcode ID: d1fae1760d081b6b8cddc0049297ea6fd0734e9abca2e90a1ac85592b3d85e38
                • Instruction ID: 9e8996cb251b45e9fd8013479734a73363ce4640cf951279a7d2fdadd0934edb
                • Opcode Fuzzy Hash: d1fae1760d081b6b8cddc0049297ea6fd0734e9abca2e90a1ac85592b3d85e38
                • Instruction Fuzzy Hash: E171E3711043406BD3109F54DD48FABBBE8EBD5306F04086FFD8587252D6B9A94EC76A
                APIs
                • DestroyWindow.USER32(?,004A83D8,?), ref: 00455800
                • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00400000,00000000), ref: 00455847
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Window$CreateDestroy
                • String ID: ,$tooltips_class32
                • API String ID: 1109047481-3856767331
                • Opcode ID: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
                • Instruction ID: af4df8b80438f92fd5356fe82daba85812243c44dff517d7eb602cf52e2cfce3
                • Opcode Fuzzy Hash: 0ca5ab61cf6a2cad142a114e1c8ac043728d1bef212d4075191e352a737c6d07
                • Instruction Fuzzy Hash: BF719075244704AFE320DB28CC85F7B77E4EB89700F50491EFA8197391E6B5E905CB59
                APIs
                • _wcsncpy.LIBCMT ref: 0045CCFA
                • __wsplitpath.LIBCMT ref: 0045CD3C
                • _wcscat.LIBCMT ref: 0045CD51
                • _wcscat.LIBCMT ref: 0045CD63
                • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,?,?,00000104,?), ref: 0045CD78
                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,00000104,?), ref: 0045CD8C
                  • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDD0
                • SetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDE6
                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CDF8
                • SetCurrentDirectoryW.KERNEL32(?), ref: 0045CE08
                • _wcscpy.LIBCMT ref: 0045CE14
                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,?,?,00000104,?), ref: 0045CE5A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CurrentDirectory$AttributesFile$_wcscat$__wsplitpath_wcscpy_wcsncpy
                • String ID: *.*
                • API String ID: 1153243558-438819550
                • Opcode ID: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
                • Instruction ID: 4b7f18f3392d5c51d0b0bcfc25b88d1348604f1c1aa494fd035d881d108a9fe9
                • Opcode Fuzzy Hash: 5bfa431d4ef7075d2dc920e4199facb1e2714bc7465ef22df03346902ac9b5e5
                • Instruction Fuzzy Hash: 0561E5B61043419FD731EF54C885AEBB7E4EB84305F44882FED8983242D67D998E879E
                APIs
                • _memset.LIBCMT ref: 00455127
                • GetMenuItemInfoW.USER32 ref: 00455146
                • DeleteMenu.USER32(?,?,00000000), ref: 004551B2
                • DeleteMenu.USER32(?,?,00000000), ref: 004551C8
                • GetMenuItemCount.USER32(?), ref: 004551D9
                • SetMenu.USER32(?,00000000), ref: 004551E7
                • DestroyMenu.USER32(?,?,00000000), ref: 004551F4
                • DrawMenuBar.USER32 ref: 00455207
                • DeleteObject.GDI32(?), ref: 0045564E
                • DeleteObject.GDI32(?), ref: 0045565C
                • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Menu$Delete$Destroy$ItemObject$CountDrawIconInfoWindow_memset
                • String ID: 0
                • API String ID: 1663942905-4108050209
                • Opcode ID: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                • Instruction ID: b4bdd7d0bd4ee66815c45afb4cba49e6688c1fb7c5fb2b704b87d0eb3faa17d4
                • Opcode Fuzzy Hash: 9367fca2e423954c8e95e5664296e443175f4f0a3dc8af8de701f007cae6aaa4
                • Instruction Fuzzy Hash: F4413B70600A01AFD715DF24D9A8B6B77A8BF44302F40891DFD49CB292DB78EC44CBA9
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: __get_daylight__invoke_watson$__gmtime64_s$__getptd_noexit
                • String ID:
                • API String ID: 1481289235-0
                • Opcode ID: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                • Instruction ID: 11750150b5911b8a2d77b888e51b7102539fbc40f42687a9f62e69b5342e6946
                • Opcode Fuzzy Hash: 0c2ddcf2cfad548662a25bd64df7f8cdb197bd458fe0989c9b03f034f06c5664
                • Instruction Fuzzy Hash: 8461B372B00B15DBD724AB69DC81AEB73E99F84324F14452FF011D7682EB78DA808B58
                APIs
                • ExtractIconExW.SHELL32(?,?,?,?,00000001), ref: 0046FB61
                • ExtractIconExW.SHELL32(?,000000FF,?,?,00000001), ref: 0046FB7A
                • SendMessageW.USER32 ref: 0046FBAF
                • SendMessageW.USER32 ref: 0046FBE2
                • ImageList_Create.COMCTL32(00000010,00000010,00000021,?,00000001), ref: 0046FC1B
                • SendMessageW.USER32(?,00001003,00000001,00000000), ref: 0046FC3E
                • ImageList_Create.COMCTL32(00000020,00000020,00000021,?,00000001), ref: 0046FC51
                • SendMessageW.USER32(?,00001003,00000000,00000000), ref: 0046FC73
                • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FC97
                • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?), ref: 0046FCA5
                • SendMessageW.USER32 ref: 0046FD00
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend$IconImageList_$CreateExtractReplace
                • String ID:
                • API String ID: 2632138820-0
                • Opcode ID: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                • Instruction ID: f8b2170a3f6480226351c2682443129a31dd3945ebd2779c8b18a40e734619f9
                • Opcode Fuzzy Hash: 84d296b218fe0245d687438722339ecf4745b7249032fe4bb2113eafbff2dc59
                • Instruction Fuzzy Hash: A461BF70208305AFD320DF14DC85F5BB7E4FB89B14F10492EFA85972D1E7B4A8498B66
                APIs
                • LoadCursorW.USER32(00000000,00007F89), ref: 00433BC7
                • LoadCursorW.USER32(00000000,00007F8A), ref: 00433BDE
                • LoadCursorW.USER32(00000000,00007F03), ref: 00433BF5
                • LoadCursorW.USER32(00000000,00007F8B), ref: 00433C0C
                • LoadCursorW.USER32(00000000,00007F01), ref: 00433C23
                • LoadCursorW.USER32(00000000,00007F88), ref: 00433C3A
                • LoadCursorW.USER32(00000000,00007F86), ref: 00433C51
                • LoadCursorW.USER32(00000000,00007F83), ref: 00433C68
                • LoadCursorW.USER32(00000000,00007F85), ref: 00433C7F
                • LoadCursorW.USER32(00000000,00007F82), ref: 00433C96
                • LoadCursorW.USER32(00000000,00007F84), ref: 00433CAD
                • LoadCursorW.USER32(00000000,00007F04), ref: 00433CC4
                • LoadCursorW.USER32(00000000,00007F02), ref: 00433CDB
                • LoadCursorW.USER32(00000000,00000000), ref: 00433CEF
                • LoadCursorW.USER32(00000000,00007F00), ref: 00433D06
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CursorLoad
                • String ID:
                • API String ID: 3238433803-0
                • Opcode ID: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                • Instruction ID: acd63d7325575073817552101614e6badc0a76bef24473f745c9da0ba21645f6
                • Opcode Fuzzy Hash: a9ae3fa102d058121485b558102ae55493db0c8a3ed3723cc80ee02977cbc66e
                • Instruction Fuzzy Hash: 6D310E3058C302FFE7504F50EE0AB1C36A0BB48B47F008C7DF64AA62E0E6F055009B9A
                APIs
                • GetClassNameW.USER32(?,?,00000100), ref: 00460AF5
                • _wcslen.LIBCMT ref: 00460B00
                • __swprintf.LIBCMT ref: 00460B9E
                • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00460C11
                • GetClassNameW.USER32(?,?,00000400), ref: 00460C8E
                • GetDlgCtrlID.USER32(?), ref: 00460CE6
                • GetWindowRect.USER32(?,?), ref: 00460D21
                • GetParent.USER32(?), ref: 00460D40
                • ScreenToClient.USER32(00000000), ref: 00460D47
                • GetClassNameW.USER32(?,?,00000100), ref: 00460DBE
                • GetWindowTextW.USER32(?,?,00000400), ref: 00460DFB
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_wcslen
                • String ID: %s%u
                • API String ID: 1899580136-679674701
                • Opcode ID: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                • Instruction ID: ed0b46c26cbb3f928a943cd91895a09858176ee0e89b0f6962e21683ef9d2041
                • Opcode Fuzzy Hash: 263ba601bdfcacdbc09c0537f08939095875f2576dae1f9512caffb95b688f0a
                • Instruction Fuzzy Hash: 3AA1CD722043019BDB14DF54C884BEB73A8FF84714F04892EFD889B245E778E946CBA6
                APIs
                • CoTaskMemFree.OLE32(?), ref: 0047D6D3
                  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                • StringFromCLSID.OLE32(?,?), ref: 0047D6B5
                  • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                  • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                • StringFromIID.OLE32(?,?), ref: 0047D7F0
                • CoTaskMemFree.OLE32(?), ref: 0047D80A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: FreeFromStringTask_wcslen$_wcscpy
                • String ID: 0vH$CLSID\$Interface\$ProgID$ToolBoxBitmap32$inprocserver32$localserver32$HH
                • API String ID: 2485709727-934586222
                • Opcode ID: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                • Instruction ID: 9b1d76abf7044590dd80f2c514dab21f357569e7696d0ed80310904c07b122bf
                • Opcode Fuzzy Hash: 94ff36e8c5adf47d5d15ad8c3baf2c81511e2686fb9cf3bb874d512fd4cd8d9e
                • Instruction Fuzzy Hash: 63714BB5614201AFC304EF25C981D5BB3F8BF88704F108A2EF5599B351DB78E905CB6A
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: _wcscpy$Folder_memset$BrowseDesktopFromInitializeListMallocPathUninitialize
                • String ID: HH
                • API String ID: 3381189665-2761332787
                • Opcode ID: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                • Instruction ID: 9856a5a3be2a6f4b6f15ab218c20ab076772672eb14c4daba281b2e598c2a196
                • Opcode Fuzzy Hash: cbd34bb05af2b60d6becc686f20e38c9c02ad4ea561bbadf99ecd2e28994155d
                • Instruction Fuzzy Hash: E1619AB59043009FC320EF65C88499BB7E9BFC8704F048E1EF98987252D775E849CB6A
                APIs
                • GetDC.USER32(00000000), ref: 00434585
                • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00434590
                • CreateCompatibleDC.GDI32(00000000), ref: 0043459B
                • SelectObject.GDI32(00000000,?), ref: 004345A9
                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00434618
                • GetDIBits.GDI32(00000000,?,00000000,00000000,00000000,?,00000000), ref: 00434665
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CompatibleCreate$BitmapBitsObjectSelectStretch
                • String ID: (
                • API String ID: 3300687185-3887548279
                • Opcode ID: 440148b18d84eb95ba181de3259d53385060cfec68f9b8a73670629712acb2fa
                • Instruction ID: a007e7ec8c3f390601fcb6226b5fc218b62818acb39bbc9fe8cd9ddeb27b86ed
                • Opcode Fuzzy Hash: 440148b18d84eb95ba181de3259d53385060cfec68f9b8a73670629712acb2fa
                • Instruction Fuzzy Hash: E4514871508345AFD310CF69C884B6BBBE9EF8A310F14881DFA9687390D7B5E844CB66
                APIs
                • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E463
                  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                • LoadStringW.USER32(?,00000072,?,00000FFF), ref: 0045E480
                • __swprintf.LIBCMT ref: 0045E4D9
                • _printf.LIBCMT ref: 0045E595
                • _printf.LIBCMT ref: 0045E5B7
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: LoadString_printf$__swprintf_wcslen
                • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR $HH
                • API String ID: 3590180749-2894483878
                • Opcode ID: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                • Instruction ID: 42a5c2f6345f2e10047da6565a111f96cfad8617a22bea28fc44504b1d19b7ce
                • Opcode Fuzzy Hash: ef66654f81976a0e6a78d75721240b4b5dad2d0c7f05b7bb9659983eace5fa73
                • Instruction Fuzzy Hash: 9F51A171518345ABD324EF91CC41DAF77A8AF84754F04093FF94463292EB78EE488B6A
                APIs
                • GetWindowLongW.USER32(?,000000F0), ref: 0046F911
                • LoadImageW.USER32(00000000,?,00000000,00000000,00000000,00002010), ref: 0046F929
                • SendMessageW.USER32(?,000000F7,00000000,00000000), ref: 0046F942
                • DeleteObject.GDI32(?), ref: 0046F950
                • DestroyIcon.USER32(?,?,000000F7,00000000,00000000,?,00000000,00000000,00000000,00002010,?,000000F0), ref: 0046F95E
                • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9A8
                • SendMessageW.USER32(?,000000F7,00000001,00000000), ref: 0046F9C1
                • DeleteObject.GDI32(?), ref: 0046F9CF
                • DestroyIcon.USER32(?,?,000000F7,00000001,00000000,?,00000001,00000000,00000000,00002010), ref: 0046F9DD
                • ExtractIconExW.SHELL32(?,?,?,000000FF,00000001), ref: 0046FA1D
                • DestroyIcon.USER32(?), ref: 0046FA4F
                • SendMessageW.USER32(?,000000F7,00000001,?), ref: 0046FA5A
                • DeleteObject.GDI32(?), ref: 0046FA68
                • DestroyIcon.USER32(?,?,000000F7,00000001,?), ref: 0046FA76
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Icon$Destroy$DeleteMessageObjectSend$ImageLoad$ExtractLongWindow
                • String ID:
                • API String ID: 3412594756-0
                • Opcode ID: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                • Instruction ID: 2b127e2e725f503062080ad48664a75956f0b49bd2ac624c91da1236fc619d99
                • Opcode Fuzzy Hash: f692dd120a8e9e8c350368ee646f6d7ebba10fee5470a76da8eaf9bc85602db5
                • Instruction Fuzzy Hash: BD41B575344301ABE7209B65ED45B6B7398EB44711F00083EFA85A7381DBB9E809C76A
                APIs
                  • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
                  • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                • GetDriveTypeW.KERNEL32 ref: 0045DA30
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DA76
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DAAB
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045DADF
                  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: SendString$_wcslen$BuffCharDriveLowerType
                • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                • API String ID: 4013263488-4113822522
                • Opcode ID: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                • Instruction ID: 78e8968fe3d68f28a61334a0544e46eb3ade7c09d07056eb4a028b8014bab4f9
                • Opcode Fuzzy Hash: b9e44105478404289108567262d296c88e7101013f7783f6c7bd148379995db0
                • Instruction Fuzzy Hash: 86516E71604300ABD710EF55CC85F5EB3E4AF88714F14496EF985AB2D2D7B8E908CB5A
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: _wcslen$_wcsncpy$LocalTime__wcstoi64
                • String ID:
                • API String ID: 228034949-0
                • Opcode ID: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                • Instruction ID: c9113392db11e6d0b84b7dcaf0f9983ae7bcdcfbf3325debe08446cd55f13bc3
                • Opcode Fuzzy Hash: d55b35800c2a6f74fd0df3de6656c0821778ac1c15f087543c4dc83ec7dd6154
                • Instruction Fuzzy Hash: 874194B181435066DA10FF6AC8479DFB3A8EF89314F84495FF945D3162E378E64883AA
                APIs
                • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?,?,?,?,?,?,?,0046FAD5), ref: 004334F4
                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043350F
                • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043351A
                • GlobalLock.KERNEL32(00000000), ref: 00433523
                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433533
                • GlobalUnlock.KERNEL32(00000000), ref: 0043353A
                • CloseHandle.KERNEL32(00000000,?,?,?,?,0046FAD5,?,?,?,?), ref: 00433541
                • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,0046FAD5,?,?,?,?), ref: 0043354F
                • OleLoadPicture.OLEAUT32(?,00000000,00000000,00482A20,?), ref: 00433568
                • GlobalFree.KERNEL32(00000000), ref: 0043357B
                • GetObjectW.GDI32(?,00000018,?), ref: 004335A6
                • CopyImage.USER32(?,00000000,?,?,00002000), ref: 004335DB
                • DeleteObject.GDI32(?), ref: 00433603
                • SendMessageW.USER32(?,00000172,00000000,?), ref: 0043361B
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Global$File$CreateObject$AllocCloseCopyDeleteFreeHandleImageLoadLockMessagePictureReadSendSizeStreamUnlock
                • String ID:
                • API String ID: 3969911579-0
                • Opcode ID: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                • Instruction ID: 5aed18668fdc988692497ed4484016cc97142e8c7c748bcd34b77a3330007e11
                • Opcode Fuzzy Hash: c8af0a6d34b3156cf5dea3d494721158f709963105dd3e2632bd1b1f7de041f4
                • Instruction Fuzzy Hash: 70410471204210AFD710DF64DC88F6BBBE8FB89711F10492DFA45972A0D7B5A941CBAA
                APIs
                  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 0045EF6C
                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045EF81
                • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0045EF94
                • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 0045EFAB
                • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 0045EFB8
                • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 0045EFD2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: SendString$_wcslen
                • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                • API String ID: 2420728520-1007645807
                • Opcode ID: 2e8e49e05c1f121906b47c7a82fbb4c843ecfb9788746b18ac8014d8855edcbb
                • Instruction ID: e5e6e3524f15ee9b53aa238c1547bf14c0af5fa70a1fb0ad50a0449216793e57
                • Opcode Fuzzy Hash: 2e8e49e05c1f121906b47c7a82fbb4c843ecfb9788746b18ac8014d8855edcbb
                • Instruction Fuzzy Hash: F321A53164830476E220FB51DC87F9E7798AB84B14F200D3BBA407A0D1DBA8E94CC76E
                APIs
                • GetParent.USER32 ref: 00445A8D
                • GetClassNameW.USER32(00000000,?,00000100), ref: 00445AA0
                • __wcsicoll.LIBCMT ref: 00445AC4
                • __wcsicoll.LIBCMT ref: 00445AE0
                • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00445B3D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: __wcsicoll$ClassMessageNameParentSend
                • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                • API String ID: 3125838495-3381328864
                • Opcode ID: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                • Instruction ID: 9ea7b4bfd8e333fc3d4c3d1cc69785ca983c3453aa66f955cff8de8c622a02b1
                • Opcode Fuzzy Hash: 6f6f70247b4827d2a410ddc22f410c306ecb8b2e46d0c95c17204de523c723c4
                • Instruction Fuzzy Hash: F011E9B1B40301BBFF10B6659C46EAF739CDF94759F00081BFD44E6182F6ACA9458769
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CopyVariant$ErrorLast
                • String ID: Conversion of parameters failed$NULL Pointer assignment$Not an Object type
                • API String ID: 2286883814-4206948668
                • Opcode ID: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                • Instruction ID: 5c76bcf0434180a49ef26f8382d3619d889c8a8ee3f63882ad125ac36acecb62
                • Opcode Fuzzy Hash: 2f6e4bc4aaf8f7a3794965dba448b56a5b6575b3b05f264a778baa01eb75d6f6
                • Instruction Fuzzy Hash: 4EA1F0B1644300ABD620EB25CC81EABB3E9FBC4704F10891EF65987251D779E945CBAA
                APIs
                  • Part of subcall function 0045335B: CharLowerBuffW.USER32(?,?,?,0045D9DB,?,?,?), ref: 0045336E
                  • Part of subcall function 00445975: _wcslen.LIBCMT ref: 00445984
                • GetDriveTypeW.KERNEL32(?,?,00000061), ref: 00475EEC
                • _wcscpy.LIBCMT ref: 00475F18
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: BuffCharDriveLowerType_wcscpy_wcslen
                • String ID: a$all$cdrom$fixed$network$ramdisk$removable$unknown$HH
                • API String ID: 3052893215-4176887700
                APIs
                • StringFromIID.OLE32(?,?,00000003,?,?,00000000), ref: 004582E5
                  • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                  • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                • CoTaskMemFree.OLE32(?,00000000), ref: 00458335
                • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,?), ref: 00458351
                • RegQueryValueExW.ADVAPI32 ref: 00458381
                • CLSIDFromString.OLE32(00000000,?), ref: 004583AF
                • RegQueryValueExW.ADVAPI32 ref: 004583E8
                • LoadRegTypeLib.OLEAUT32(?,?), ref: 00458486
                  • Part of subcall function 00413F97: __wtof_l.LIBCMT ref: 00413FA1
                • RegCloseKey.ADVAPI32(?), ref: 004584BA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: FromQueryStringValue_wcslen$CloseFreeLoadOpenTaskType__wtof_l_wcscpy
                • String ID: Version$\TypeLib$interface\
                • API String ID: 656856066-939221531
                APIs
                • LoadStringW.USER32(?,00000066,?,00000FFF), ref: 0045E676
                  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                • LoadStringW.USER32(?,?,?,00000FFF), ref: 0045E69A
                • __swprintf.LIBCMT ref: 0045E6EE
                • _printf.LIBCMT ref: 0045E7A9
                • _printf.LIBCMT ref: 0045E7D2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: LoadString_printf$__swprintf_wcslen
                • String ID: Error: $%s (%d) : ==> %s:$%s (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                • API String ID: 3590180749-2354261254
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: __swprintf_wcscpy$__i64tow__itow
                • String ID: %.15g$0x%p$False$True
                • API String ID: 3038501623-2263619337
                APIs
                  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                • _memset.LIBCMT ref: 00458194
                • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 004581D6
                • RegConnectRegistryW.ADVAPI32(?,80000002,00000000), ref: 004581F4
                • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,00000000), ref: 00458219
                • RegQueryValueExW.ADVAPI32(00000000,00000000,00000000,00000000,?,?), ref: 00458248
                • CLSIDFromString.OLE32(00000000,?), ref: 00458279
                • RegCloseKey.ADVAPI32(00000000), ref: 0045828F
                • RegCloseKey.ADVAPI32(00000000), ref: 00458296
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset_wcslen
                • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                • API String ID: 2255324689-22481851
                APIs
                • RegOpenKeyExW.ADVAPI32(80000000,interface,00000000,00020019,?), ref: 00458513
                • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?), ref: 00458538
                • RegCloseKey.ADVAPI32(?), ref: 00458615
                  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                • RegOpenKeyExW.ADVAPI32(80000000,?,00000000,00020019,000001FE,interface\), ref: 0045858A
                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,00000028), ref: 004585A8
                • __wcsicoll.LIBCMT ref: 004585D6
                • IIDFromString.OLE32(?,?,?,?), ref: 004585EB
                • RegCloseKey.ADVAPI32(?), ref: 004585F8
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: CloseOpen$EnumFromQueryStringValue__wcsicoll_wcslen
                • String ID: ($interface$interface\
                • API String ID: 2231185022-3327702407
                APIs
                • WSAStartup.WSOCK32(00000101,?), ref: 004365A5
                • gethostname.WSOCK32(00000100,00000100,00000101,?), ref: 004365BC
                • gethostbyname.WSOCK32(00000101,00000100,00000100,00000101,?), ref: 004365C6
                • _wcscpy.LIBCMT ref: 004365F5
                • WSACleanup.WSOCK32 ref: 004365FD
                • inet_ntoa.WSOCK32(00000100,?), ref: 00436624
                • _strcat.LIBCMT ref: 0043662F
                • _wcscpy.LIBCMT ref: 00436644
                • WSACleanup.WSOCK32(?,?,?,?,?,?,00000100,?), ref: 00436652
                • _wcscpy.LIBCMT ref: 00436666
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: _wcscpy$Cleanup$Startup_strcatgethostbynamegethostnameinet_ntoa
                • String ID: 0.0.0.0
                • API String ID: 2691793716-3771769585
                APIs
                • GetModuleHandleW.KERNEL32(KERNEL32.DLL,0048C968,0000000C,00416C4D,00000000,00000000,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416B24
                • __crt_waiting_on_module_handle.LIBCMT ref: 00416B2F
                  • Part of subcall function 0041177F: Sleep.KERNEL32(000003E8,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 0041178B
                  • Part of subcall function 0041177F: GetModuleHandleW.KERNEL32(00411739,?,?,00416A38,KERNEL32.DLL,?,00411B0C,?,00413973,00411739,?,?,00411739,?,00401C0B), ref: 00411794
                • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00416B58
                • GetProcAddress.KERNEL32(00411739,DecodePointer), ref: 00416B68
                • __lock.LIBCMT ref: 00416B8A
                • InterlockedIncrement.KERNEL32(00EA60FF), ref: 00416B97
                • __lock.LIBCMT ref: 00416BAB
                • ___addlocaleref.LIBCMT ref: 00416BC9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                • String ID: DecodePointer$EncodePointer$KERNEL32.DLL
                • API String ID: 1028249917-2843748187
                APIs
                • SendMessageW.USER32(?,00000000,000000FF,?), ref: 0044931D
                • SendMessageW.USER32(?,0045BBB0,00000000,00000000), ref: 0044932D
                • CharNextW.USER32(?,?,?,?,0045BBB0,00000000,00000000,?,?), ref: 00449361
                • SendMessageW.USER32(?,?,00000000,00000000), ref: 00449375
                • SendMessageW.USER32(?,00000402,?), ref: 0044941C
                • SendMessageW.USER32(004A83D8,000000C2,00000001,?), ref: 004494A0
                • SendMessageW.USER32(?,00001002,00000000,?), ref: 00449515
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: MessageSend$CharNext
                • String ID:
                • API String ID: 1350042424-0
                APIs
                • GetKeyboardState.USER32(?,?,00000000), ref: 00453C0D
                • SetKeyboardState.USER32(?), ref: 00453C5A
                • GetAsyncKeyState.USER32(000000A0), ref: 00453C82
                • GetKeyState.USER32(000000A0), ref: 00453C99
                • GetAsyncKeyState.USER32(000000A1), ref: 00453CC9
                • GetKeyState.USER32(000000A1), ref: 00453CDA
                • GetAsyncKeyState.USER32(00000011), ref: 00453D07
                • GetKeyState.USER32(00000011), ref: 00453D15
                • GetAsyncKeyState.USER32(00000012), ref: 00453D3F
                • GetKeyState.USER32(00000012), ref: 00453D4D
                • GetAsyncKeyState.USER32(0000005B), ref: 00453D77
                • GetKeyState.USER32(0000005B), ref: 00453D85
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: State$Async$Keyboard
                • String ID:
                • API String ID: 541375521-0
                APIs
                • GetDlgItem.USER32(?,00000001), ref: 00437DD7
                • GetWindowRect.USER32(00000000,?), ref: 00437DE9
                • MoveWindow.USER32(00000000,0000000A,?,?,?,00000000), ref: 00437E5C
                • GetDlgItem.USER32(?,00000002), ref: 00437E70
                • GetWindowRect.USER32(00000000,?), ref: 00437E82
                • MoveWindow.USER32(00000000,?,00000000,?,?,00000000), ref: 00437EDB
                • GetDlgItem.USER32(?,000003E9), ref: 00437EEA
                • GetWindowRect.USER32(00000000,?), ref: 00437EFC
                • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00437F46
                • GetDlgItem.USER32(?,000003EA), ref: 00437F55
                • MoveWindow.USER32(00000000,0000000A,0000000A,?,-000000FB,00000000), ref: 00437F6E
                • InvalidateRect.USER32(?,00000000,00000001), ref: 00437F78
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: Window$ItemMoveRect$Invalidate
                • String ID:
                • API String ID: 3096461208-0
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                • String ID:
                • API String ID: 136442275-0
                APIs
                  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046B479
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: ConnectRegistry_wcslen
                • String ID: HH
                • API String ID: 535477410-2761332787
                APIs
                • GetClassNameW.USER32(?,?,00000400), ref: 004604B5
                • GetWindowTextW.USER32(?,?,00000400), ref: 004604F1
                • _wcslen.LIBCMT ref: 00460502
                • CharUpperBuffW.USER32(?,00000000), ref: 00460510
                • GetClassNameW.USER32(?,?,00000400), ref: 00460589
                • GetWindowTextW.USER32(?,?,00000400), ref: 004605C2
                • GetClassNameW.USER32(?,?,00000400), ref: 00460606
                • GetClassNameW.USER32(?,?,00000400), ref: 0046063E
                • GetWindowRect.USER32(?,?), ref: 004606AD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen
                • String ID: ThumbnailClass
                • API String ID: 4123061591-1241985126
                APIs
                  • Part of subcall function 00456354: GetCursorPos.USER32(004A83D8), ref: 0045636A
                  • Part of subcall function 00456354: ScreenToClient.USER32(004A83D8,?), ref: 0045638A
                  • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563D0
                  • Part of subcall function 00456354: GetAsyncKeyState.USER32(?), ref: 004563DC
                • DefDlgProcW.USER32(?,00000205,?,?,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F55F
                • ImageList_DragLeave.COMCTL32(00000000,004A83D8,00000000,00000001,004A83D8,?), ref: 0046F57D
                • ImageList_EndDrag.COMCTL32 ref: 0046F583
                • ReleaseCapture.USER32 ref: 0046F589
                • SetWindowTextW.USER32(?,00000000), ref: 0046F620
                • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0046F630
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                Similarity
                • API ID: AsyncDragImageList_State$CaptureClientCursorLeaveMessageProcReleaseScreenSendTextWindow
                • String ID: @GUI_DRAGFILE$@GUI_DROPID$HH
                • API String ID: 2483343779-2060113733
                APIs
                • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 0046FD8A
                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,004A83D8,?), ref: 0046FDF0
                • SendMessageW.USER32(?,00001109,00000000,00000000), ref: 0046FE0E
                • ImageList_ReplaceIcon.COMCTL32(?,000000FF,?,004A83D8,?), ref: 0046FE20
                • SendMessageW.USER32(?,0000113E,00000000,?), ref: 0046FEA5
                • SendMessageW.USER32(?,0000113F,00000000,?), ref: 0046FEDF
                • GetClientRect.USER32(?,?), ref: 0046FEF2
                • RedrawWindow.USER32(?,?,00000000,00000000), ref: 0046FF02
                • DestroyIcon.USER32(?), ref: 0046FFCC
                Similarity
                • API ID: IconMessageSend$ImageList_$ClientCreateDestroyExtractRectRedrawReplaceWindow
                • String ID: 2
                • API String ID: 1331449709-450215437
                • Opcode ID: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
                • Instruction ID: e79942d1a0196d9b5e30c5c178d8ccafd59c9ae1e7fac48b8759c586c5a3b44e
                • Opcode Fuzzy Hash: 0839cb131ab93339cce718f32a9fb856b385d6e902e652cc812f2dbbb554e4d7
                • Instruction Fuzzy Hash: EB51AC702043019FD320CF44D885BAABBE5FB88700F04487EE684872A2D7B5A849CB5A
                APIs
                • GetModuleHandleW.KERNEL32(00000000,00000066,?,00000FFF,00000010,00000001,?,?,0042B612,?,0000138C,?), ref: 0045FFDF
                • LoadStringW.USER32(00000000), ref: 0045FFE2
                  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF), ref: 00460005
                • LoadStringW.USER32(00000000), ref: 00460008
                • __swprintf.LIBCMT ref: 00460044
                • __swprintf.LIBCMT ref: 0046005A
                • _printf.LIBCMT ref: 0046010D
                Similarity
                • API ID: HandleLoadModuleString__swprintf$_printf_wcslen
                • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d:$^ ERROR
                • API String ID: 4046238252-2561132961
                • Opcode ID: 3a0ba83e73347f9d66d327fa194003f337c112eb025fc1bfa34d21ba4accb515
                • Instruction ID: 1782bf699798572b532e289ec277df613d4b2535fc1d09db4cdff265272d1083
                • Opcode Fuzzy Hash: 3a0ba83e73347f9d66d327fa194003f337c112eb025fc1bfa34d21ba4accb515
                • Instruction Fuzzy Hash: 7041EA725043059BC300FB61DC96A5F77A8DF91358F45093EB540A72D2EA7CDD09876B
                APIs
                • DestroyWindow.USER32(?,?,?,?,?,?,00000000,static,00000000,00000000,?,?,00000000,00000000,?,00000000), ref: 00450EE1
                Similarity
                • API ID: DestroyWindow
                • String ID: static
                • API String ID: 3375834691-2160076837
                • Opcode ID: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
                • Instruction ID: 4605c95b1b006c90d65e271c0fdf07f62d21d56273c2870bf7f2e3decf5281c5
                • Opcode Fuzzy Hash: 88f11647011456fbb04f7235260bd1d02a964e72c1c4e3b3fb6640230c73d37f
                • Instruction Fuzzy Hash: 4531B572200300BBD7109B64DC45F6BB3A8EBC9711F204A2EFA50D72C0D7B4E8048B69
                APIs
                • GetCurrentProcess.KERNEL32(00000008,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439409
                • OpenThreadToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 0043940C
                • GetCurrentProcess.KERNEL32(00000008,?,?,?,?,?,?,?,?,?,?), ref: 0043941D
                • OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?), ref: 00439420
                • LookupPrivilegeValueW.ADVAPI32(00000000,SeAssignPrimaryTokenPrivilege,?), ref: 0043945B
                • LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,?), ref: 00439474
                • _memcmp.LIBCMT ref: 004394A9
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004394F8
                Strings
                • SeIncreaseQuotaPrivilege, xrefs: 0043946A
                • SeAssignPrimaryTokenPrivilege, xrefs: 00439455
                Similarity
                • API ID: Process$CurrentLookupOpenPrivilegeTokenValue$CloseHandleThread_memcmp
                • String ID: SeAssignPrimaryTokenPrivilege$SeIncreaseQuotaPrivilege
                • API String ID: 1446985595-805462909
                • Opcode ID: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                • Instruction ID: 628aaead06b6f58e004e5b45c2ed9710a22b4d2b921ab75b424857e8fd72c9d6
                • Opcode Fuzzy Hash: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
                • Instruction Fuzzy Hash: DB31A371508312ABC710DF21CD41AAFB7E8FB99704F04591EF98193240E7B8DD4ACBAA
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 0045D848
                • GetDriveTypeW.KERNEL32(?,?), ref: 0045D8A3
                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D94A
                Similarity
                • API ID: ErrorMode$DriveType
                • String ID: CDROM$Fixed$Network$RAMDisk$Removable$Unknown$HH
                • API String ID: 2907320926-41864084
                • Opcode ID: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                • Instruction ID: d4cab332979e247f8c2da9788294718902473fa09eb5ff996f03d25688ce9cbb
                • Opcode Fuzzy Hash: f2537af69be7bdfb8cd077d5fba63d09357e4425d7c4eca9e5473fe3d57dd33a
                • Instruction Fuzzy Hash: C7318B75A083008FC310EF65E48481EB7A1AFC8315F648D2FF945A7362C779D9068BAB
                APIs
                • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 004672E6
                • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046735D
                • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467375
                • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004673ED
                • SafeArrayGetVartype.OLEAUT32(CE8B7824,?), ref: 00467418
                • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467445
                • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 0046746A
                • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 00467559
                • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 0046748A
                  • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                  • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                  • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                • SafeArrayAccessData.OLEAUT32(CE8B7824,?), ref: 00467571
                • SafeArrayUnaccessData.OLEAUT32(CE8B7824), ref: 004675E4
                  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                Similarity
                • API ID: ArraySafe$Data$AccessUnaccess$Exception@8ThrowVartype_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                • String ID:
                • API String ID: 1932665248-0
                • Opcode ID: 2f069d425a14989955c91583bf1eee78d18cf75f4644af0e6fd4452b58d9bd04
                • Instruction ID: 42a0e90c8bf2b482c85e144861ec280134e9fb1dbd9e00a0d693b148f8e5f150
                • Opcode Fuzzy Hash: 2f069d425a14989955c91583bf1eee78d18cf75f4644af0e6fd4452b58d9bd04
                • Instruction Fuzzy Hash: E8B1BF752082009FD304DF29C884B6B77E5FF98318F14496EE98587362E779E885CB6B
                APIs
                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00448182
                • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00448185
                • GetWindowLongW.USER32(?,000000F0), ref: 004481A7
                • _memset.LIBCMT ref: 004481BA
                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004481CC
                • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 0044824E
                • SendMessageW.USER32(?,00001074,?,00000007), ref: 004482A4
                • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 004482BE
                • SendMessageW.USER32(?,0000101D,00000001,00000000), ref: 004482E3
                • SendMessageW.USER32(?,0000101E,00000001,00000000), ref: 004482FC
                • SendMessageW.USER32(?,00001008,?,00000007), ref: 00448317
                Similarity
                • API ID: MessageSend$LongWindow_memset
                • String ID:
                • API String ID: 830647256-0
                • Opcode ID: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
                • Instruction ID: 69fd08a602074ed3d664547bad3ac5a94a9e6c02d61aa1d07dc3907ec7ad0976
                • Opcode Fuzzy Hash: 45db6e2e50868ce621a7577b0335e91e45f99dc9c013701cc26792922a244152
                • Instruction Fuzzy Hash: 41616F70208341AFE310DF54C881FABB7A4FF89704F14465EFA909B2D1DBB5A945CB56
                APIs
                  • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
                • DestroyAcceleratorTable.USER32(?), ref: 0046EA9F
                • ImageList_Destroy.COMCTL32(?), ref: 0046EB04
                • ImageList_Destroy.COMCTL32(?), ref: 0046EB18
                • ImageList_Destroy.COMCTL32(?), ref: 0046EB24
                • DeleteObject.GDI32(00000000), ref: 0046EB4F
                • DestroyIcon.USER32(00000000), ref: 0046EB67
                • DeleteObject.GDI32(5A98CBB2), ref: 0046EB7F
                • DestroyWindow.USER32(00000007), ref: 0046EB97
                • DestroyIcon.USER32(?), ref: 0046EBBF
                • DestroyIcon.USER32(?), ref: 0046EBCD
                Similarity
                • API ID: Destroy$IconImageList_$DeleteObject$AcceleratorInvalidateRectTableWindow
                • String ID:
                • API String ID: 802431696-0
                • Opcode ID: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
                • Instruction ID: 42d633cefbe7d7192e7a113645d0a532909e6831d49db23f2259be933aabe8c6
                • Opcode Fuzzy Hash: 294737084f3018da842919bbfa865d3a976cdf3ad66c8c89ec2250206a47d952
                • Instruction Fuzzy Hash: 17513178600202DFDB14DF26D894E2A77E9FB4AB14B54446EE502CB361EB38EC41CB5E
                APIs
                • GetKeyboardState.USER32(?,?,?), ref: 00444D8A
                • GetAsyncKeyState.USER32(000000A0), ref: 00444E0F
                • GetKeyState.USER32(000000A0), ref: 00444E26
                • GetAsyncKeyState.USER32(000000A1), ref: 00444E40
                • GetKeyState.USER32(000000A1), ref: 00444E51
                • GetAsyncKeyState.USER32(00000011), ref: 00444E69
                • GetKeyState.USER32(00000011), ref: 00444E77
                • GetAsyncKeyState.USER32(00000012), ref: 00444E8F
                • GetKeyState.USER32(00000012), ref: 00444E9D
                • GetAsyncKeyState.USER32(0000005B), ref: 00444EB5
                • GetKeyState.USER32(0000005B), ref: 00444EC3
                Similarity
                • API ID: State$Async$Keyboard
                • String ID:
                • API String ID: 541375521-0
                • Opcode ID: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
                • Instruction ID: c605e69a62dfc64c618b97cb3a1930d242a0674024be490a091b983f03ece729
                • Opcode Fuzzy Hash: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
                • Instruction Fuzzy Hash: 6A41C3646087C52DFB31966484017E7FFD16FA2708F58844FD1C5067C2DBAEA9C8C7AA
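The two function entries above (the OpenProcessToken/LookupPrivilegeValueW routine that checks SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege, and the GetAsyncKeyState/GetKeyState polling loop over the modifier keys) are the kind of API combinations a reviewer wants pulled out of a report this long rather than read entry by entry. The script below is an added example, not code from Joe Sandbox or from the analysed sample: it parses the report's "APIs" / "Strings" / "Similarity" entries into one record per function and tags each with behaviour heuristics. The tag names and the required-API sets are this example's own choices, and the embedded sample text is copied from the entries above with argument lists shortened. (The @GUI_DRAGFILE and @GUI_DROPID strings listed earlier are AutoIt macro names, which points to an AutoIt-compiled stub; that is an inference from the strings, not a finding the report states.)

```python
"""Triage the function listings of a Joe Sandbox IDA-plugin report.

Added example; not code from Joe Sandbox or from the analysed sample.
Parses the "APIs" entries (one per disassembled function) and tags each
function with the API combinations a reviewer cares about. Tag names and
the required-API sets below are this example's own heuristics.
"""
import re
from dataclasses import dataclass, field

# Matches the report's API lines, e.g.
#   • LookupPrivilegeValueW.ADVAPI32(00000000,SeAssignPrimaryTokenPrivilege,?), ref: 0043945B
#   • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
API_LINE = re.compile(
    r"•\s+(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s+)?"
    r"(?P<name>[\w:@]+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})"
)
PRIV_NAME = re.compile(r"^Se\w+Privilege$")

# Heuristic tags (example's own): a function gets the tag when every API in
# the set appears among its own calls; "Part of subcall" lines do not count.
RULES = {
    "token-privilege-lookup": {"OpenProcessToken", "LookupPrivilegeValueW"},
    "keystate-polling": {"GetAsyncKeyState", "GetKeyState"},
    "foreground-input-attach": {"GetForegroundWindow", "AttachThreadInput"},
}


@dataclass
class ApiCall:
    name: str
    module: str
    args: list
    ref: str
    subcall_of: str = ""        # caller address when the line is a subcall note


@dataclass
class FunctionEntry:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)   # (text, xref address)
    opcode_id: str = ""

    def own_api_names(self):
        return {c.name for c in self.calls if not c.subcall_of}

    def privilege_names(self):
        """Se*Privilege names passed as arguments, e.g. to LookupPrivilegeValueW."""
        return sorted({a for c in self.calls for a in c.args if PRIV_NAME.match(a)})

    def tags(self):
        names = self.own_api_names()
        found = [tag for tag, need in RULES.items() if need <= names]
        if self.privilege_names():
            found.append("privilege-name-strings")
        return sorted(found)


def parse_report(text):
    """Split report text into FunctionEntry objects, one per 'APIs' heading."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = FunctionEntry()
            entries.append(cur)
            section = "apis"
            continue
        if cur is None:
            continue
        if line in ("Strings", "Similarity", "Memory Dump Source"):
            section = line.lower()
            continue
        m = API_LINE.search(line)
        if m and section == "apis":
            args = [a for a in (m.group("args") or "").split(",") if a]
            cur.calls.append(ApiCall(m.group("name"), m.group("mod"), args,
                                     m.group("ref"), m.group("sub") or ""))
        elif section == "strings" and ", xrefs: " in line:
            text_part, xref = line.lstrip("• ").rsplit(", xrefs: ", 1)
            cur.strings.append((text_part, xref))
        elif line.startswith("• Opcode ID:"):
            cur.opcode_id = line.split(":", 1)[1].strip()
    return entries


def triage(text):
    """Return (opcode id prefix, tags, privilege names) for every tagged function."""
    return [(e.opcode_id[:12], e.tags(), e.privilege_names())
            for e in parse_report(text) if e.tags()]


# Constructed input: three entries copied from the report, arguments shortened.
SAMPLE = """\
APIs
• GetCurrentProcess.KERNEL32(00000008,00000000,?,?), ref: 00439409
• OpenThreadToken.ADVAPI32(00000000,?,?,?), ref: 0043940C
• OpenProcessToken.ADVAPI32(00000000,?,?), ref: 00439420
• LookupPrivilegeValueW.ADVAPI32(00000000,SeAssignPrimaryTokenPrivilege,?), ref: 0043945B
• LookupPrivilegeValueW.ADVAPI32(00000000,SeIncreaseQuotaPrivilege,?), ref: 00439474
• _memcmp.LIBCMT ref: 004394A9
• CloseHandle.KERNEL32(?,?), ref: 004394F8
Strings
• SeIncreaseQuotaPrivilege, xrefs: 0043946A
• SeAssignPrimaryTokenPrivilege, xrefs: 00439455
Similarity
• Opcode ID: 7b5964ebc210eec24af21402e2b7f40e95def761f5b1447ed6d44f65f7ea18b7
APIs
• GetKeyboardState.USER32(?,?,?), ref: 00444D8A
• GetAsyncKeyState.USER32(000000A0), ref: 00444E0F
• GetKeyState.USER32(000000A0), ref: 00444E26
• GetAsyncKeyState.USER32(0000005B), ref: 00444EB5
• GetKeyState.USER32(0000005B), ref: 00444EC3
Similarity
• Opcode ID: d4a73a67db12bad31d9fb613c99c8778707defbe90317bf640d05d8e99de570f
APIs
• GetModuleHandleW.KERNEL32(00000000,00000066,?), ref: 0045FFDF
• LoadStringW.USER32(00000000), ref: 0045FFE2
  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
• __swprintf.LIBCMT ref: 00460044
Similarity
• Opcode ID: 3a0ba83e73347f9d66d327fa194003f337c112eb025fc1bfa34d21ba4accb515
"""

if __name__ == "__main__":
    for opcode, tags, privs in triage(SAMPLE):
        print(opcode, tags, privs)
```

Run against the full report text, `triage` returns only the functions that hit a rule, which for this sample is the token-privilege routine and the key-state loop; the LoadStringW/__swprintf error formatter falls through untagged. The two privileges the first function looks up, SeAssignPrimaryTokenPrivilege and SeIncreaseQuotaPrivilege, are exactly the pair CreateProcessAsUser requires, which matches the report's "launch a process as a different user" signature; absence of the privilege is what the _memcmp after the lookups most plausibly decides, but the listing alone does not show that branch.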
                APIs
                • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 004508CB
                • SendMessageW.USER32(?,00001036,00000000,?), ref: 004508DB
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,00001036,00000000,?,000000FF,?,SysListView32,004848E8,00000000), ref: 004508FC
                • _wcslen.LIBCMT ref: 00450944
                • _wcscat.LIBCMT ref: 00450955
                • SendMessageW.USER32(?,00001057,00000000,?), ref: 0045096C
                • SendMessageW.USER32(?,00001061,?,?), ref: 0045099B
                Similarity
                • API ID: MessageSend$Window_wcscat_wcslen
                • String ID: -----$SysListView32
                • API String ID: 4008455318-3975388722
                • Opcode ID: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
                • Instruction ID: 786a3889ee88f98d9b0e9b4b0e1dacf7018a6923f31dd28eeaa3c07ad082d1a6
                • Opcode Fuzzy Hash: 1aeeed20face43e167d1a5b6966347104c1855cbe0e780de9d31d79ee612f7fa
                • Instruction Fuzzy Hash: 17519470504340ABE330DB65C885FABB3E4AF84714F104E1EFA94972D3D6B99989CB65
                APIs
                • _memset.LIBCMT ref: 00448625
                • CreateMenu.USER32 ref: 0044863C
                • SetMenu.USER32(?,00000000), ref: 0044864C
                • GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 004486D6
                • IsMenu.USER32(?), ref: 004486EB
                • CreatePopupMenu.USER32 ref: 004486F5
                • InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 00448739
                • DrawMenuBar.USER32 ref: 00448742
                Similarity
                • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                • String ID: 0
                • API String ID: 176399719-4108050209
                • Opcode ID: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
                • Instruction ID: 98f94d81d6847d6484dd50bbdc77a0bd9f9f2d632c710d3394220f00cc789bef
                • Opcode Fuzzy Hash: 4add02930eb798c2c2cb68413aedc402262f89096725e95a36bc963f45c6c407
                • Instruction Fuzzy Hash: 86417675604201AFD700CF68D894A9BBBE4FF89314F14891EFA488B350DBB5A845CFA6
                APIs
                  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                • SendMessageW.USER32(00000000,0000018C,000000FF,00000000), ref: 00469277
                • GetDlgCtrlID.USER32(00000000), ref: 00469289
                • GetParent.USER32 ref: 004692A4
                • SendMessageW.USER32(00000000,?,00000111), ref: 004692A7
                • GetDlgCtrlID.USER32(00000000), ref: 004692AE
                • GetParent.USER32 ref: 004692C7
                • SendMessageW.USER32(00000000,?,00000111,?), ref: 004692CA
                Similarity
                • API ID: MessageSend$CtrlParent$_wcslen
                • String ID: ComboBox$ListBox
                • API String ID: 2040099840-1403004172
                • Opcode ID: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
                • Instruction ID: ef07326ddff4210f4741e87947fad3c2ec39ee11b6619cfdf8cc81125e1c6f8c
                • Opcode Fuzzy Hash: d7a46b5f720fef199203ad69d051b39deebb3b2451f9d950c399d088bcf038a9
                • Instruction Fuzzy Hash: BC21D6716002147BD600AB65CC45DBFB39CEB85324F044A1FF954A73D1DAB8EC0947B9
                APIs
                  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                • SendMessageW.USER32(00000186,00000186,?,00000000), ref: 00469471
                • GetDlgCtrlID.USER32(00000000), ref: 00469483
                • GetParent.USER32 ref: 0046949E
                • SendMessageW.USER32(00000000,?,00000111), ref: 004694A1
                • GetDlgCtrlID.USER32(00000000), ref: 004694A8
                • GetParent.USER32 ref: 004694C1
                • SendMessageW.USER32(00000000,?,00000111,?), ref: 004694C4
                Similarity
                • API ID: MessageSend$CtrlParent$_wcslen
                • String ID: ComboBox$ListBox
                • API String ID: 2040099840-1403004172
                • Opcode ID: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
                • Instruction ID: 434b10a17d45167e777e8ea6e726dd6ee4e01267e4a119798c8aa60e835c5cdc
                • Opcode Fuzzy Hash: 2e10f5a1695edfae3743bbe69767f09e04e95ab32c83142982b04f1cb5eb07ed
                • Instruction Fuzzy Hash: CA21D7756002147BD600BB29CC45EBFB39CEB85314F04492FF984A7291EABCEC0A4779
                APIs
                  • Part of subcall function 004419ED: DeleteObject.GDI32(?), ref: 00441A53
                • SendMessageW.USER32(75C123D0,00001001,00000000,00000000), ref: 00448E73
                • SendMessageW.USER32(75C123D0,00001026,00000000,00000000), ref: 00448E7E
                  • Part of subcall function 00441A7A: CreateSolidBrush.GDI32 ref: 00441ACB
                Similarity
                • API ID: MessageSend$BrushCreateDeleteObjectSolid
                • String ID:
                • API String ID: 3771399671-0
                • Opcode ID: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
                • Instruction ID: ebbecaf0548398ae771b9aa28ebf0b72f134f9ffbbfb28b2279bd799396bd9e3
                • Opcode Fuzzy Hash: 51f09a1d655476e15b4ab454a85655f186203ac899921849c361721d54d31972
                • Instruction Fuzzy Hash: F4510930208300AFE2209F25DD85F6F77EAEB85B14F14091EF994E72D0CBB9E9458769
                APIs
                Similarity
                • API ID: InitVariant$_malloc_wcscpy_wcslen
                • String ID:
                • API String ID: 3413494760-0
                • Opcode ID: 482f3b1f0bd705d72ebf0bcdddfb27694f63f3fe8f528a3bcd533af3ba5d9e97
                • Instruction ID: 77b59fa0745152fd1b6386ccdd9ca850b9b7f4abb66e551d88b584249de3d357
                • Opcode Fuzzy Hash: 482f3b1f0bd705d72ebf0bcdddfb27694f63f3fe8f528a3bcd533af3ba5d9e97
                • Instruction Fuzzy Hash: F83150B2600746AFC714DF7AC880996FBA8FF88310B44892EE64983641D735F554CBA5
                APIs
                • GetCurrentThreadId.KERNEL32 ref: 004377D7
                • GetForegroundWindow.USER32(00000000,?,?,?,?,0045FDE0,?,?,00000001), ref: 004377EB
                • GetWindowThreadProcessId.USER32(00000000), ref: 004377F8
                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 00437809
                • GetWindowThreadProcessId.USER32(?,00000001), ref: 00437819
                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043782E
                • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,0045FDE0,?,?,00000001), ref: 0043783D
                • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 0043788D
                • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378A1
                • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,0045FDE0,?,?,00000001), ref: 004378AC
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                • String ID:
                • API String ID: 2156557900-0
                • Opcode ID: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                • Instruction ID: cf5237ead9178137421241ba4763476990ac919c12b5de4495d1c20f4e3090f4
                • Opcode Fuzzy Hash: f5203a8e23f024bead7fa0256802a4b49a7a8dce25e7908e04b44143f6d1477f
                • Instruction Fuzzy Hash: B0316FB1504341AFD768EF28DC88A7BB7A9EF9D310F14182EF44197250D7B89C44CB69
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: __wcsicoll
                • String ID: 0%d$DOWN$OFF
                • API String ID: 3832890014-468733193
                • Opcode ID: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                • Instruction ID: 3901981f80fa7430cd77b89167089bc3925961a07aad88d0cc2f25a35af8916b
                • Opcode Fuzzy Hash: b886d43e96c57de01ffb669c6ba173cdd7012b944398daffbb17888043fd80c7
                • Instruction Fuzzy Hash: B7F1D8614083856DEB21EB21C845BAF7BE85F95309F08092FF98212193D7BCD68DC76B
                APIs
                • VariantInit.OLEAUT32(00000000), ref: 0045E959
                • VariantCopy.OLEAUT32(00000000), ref: 0045E963
                • VariantClear.OLEAUT32 ref: 0045E970
                • VariantTimeToSystemTime.OLEAUT32 ref: 0045EAEB
                • __swprintf.LIBCMT ref: 0045EB1F
                • VarR8FromDec.OLEAUT32(?,?), ref: 0045EB61
                • VariantInit.OLEAUT32(00000000), ref: 0045EBE7
                Strings
                • %4d%02d%02d%02d%02d%02d, xrefs: 0045EB19
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Variant$InitTime$ClearCopyFromSystem__swprintf
                • String ID: %4d%02d%02d%02d%02d%02d
                • API String ID: 43541914-1568723262
                • Opcode ID: 14db4cabc5e1b0f67770c810f21e70b33e6c91423244c68acaef5aa9588cc2da
                • Instruction ID: db8708ae94f177a13b26e6bf0e0b18ed2eb17208bc27bd00c320e315e6f9d40a
                • Opcode Fuzzy Hash: 14db4cabc5e1b0f67770c810f21e70b33e6c91423244c68acaef5aa9588cc2da
                • Instruction Fuzzy Hash: ABC1F4BB1006019BC704AF06D480666F7A1FFD4322F14896FED984B341DB3AE95ED7A6
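The routine above converts an OLE VARIANT DATE with VariantTimeToSystemTime and then prints it through __swprintf with the format string "%4d%02d%02d%02d%02d%02d", i.e. a 14-digit YYYYMMDDHHMMSS stamp. The Python below is an added example, not code from the sample or from Joe Sandbox: it reproduces that conversion in both directions so an analyst can decode or regenerate such stamps when they appear in artifacts. The function names and the sample value 45000.5 are my own choices; the handling of negative dates follows the VARIANT DATE convention, under which the fractional part is always a positive time of day.

```python
"""
Reproduce the VariantTimeToSystemTime + "%4d%02d%02d%02d%02d%02d" conversion
seen in the routine above, in Python. Added example; not code from the sample.
"""
import math
from datetime import date, datetime, timedelta

# Day 0 of a VARIANT DATE (the double that the OLEAUT32 date functions use).
OLE_EPOCH = datetime(1899, 12, 30)

# The sample's format string, as passed to __swprintf.
AUTOIT_STAMP_FMT = "%4d%02d%02d%02d%02d%02d"


def variant_time_to_systemtime(vt: float) -> tuple:
    """Mimic OLEAUT32!VariantTimeToSystemTime.

    Integer part = days since 1899-12-30, fractional part = fraction of a day.
    The fraction is always a positive time of day, even when the date is
    negative: -1.5 means 1899-12-29 12:00, not 1899-12-28 12:00. Hence we
    truncate toward zero and take abs() of what is left. Rounded to whole
    seconds here, which is all the format string prints.
    Returns (year, month, day, hour, minute, second).
    """
    days = math.trunc(vt)
    seconds = round(abs(vt - days) * 86400)
    t = OLE_EPOCH + timedelta(days=days, seconds=seconds)
    return (t.year, t.month, t.day, t.hour, t.minute, t.second)


def systemtime_to_variant_time(year, month, day, hour=0, minute=0, second=0) -> float:
    """Inverse conversion (what SystemTimeToVariantTime does)."""
    day_count = (date(year, month, day) - OLE_EPOCH.date()).days
    day_fraction = (hour * 3600 + minute * 60 + second) / 86400
    # Before the epoch the time of day moves the value further from zero.
    return day_count + day_fraction if day_count >= 0 else day_count - day_fraction


def format_stamp(vt: float) -> str:
    """VARIANT DATE -> 14-digit YYYYMMDDHHMMSS, exactly as the routine above."""
    return AUTOIT_STAMP_FMT % variant_time_to_systemtime(vt)


def parse_stamp(stamp: str) -> tuple:
    """Decode a 14-digit stamp back into (year, month, day, hour, minute, second)."""
    if len(stamp) != 14 or not stamp.isdigit():
        raise ValueError("expected 14 digits, got %r" % stamp)
    t = datetime.strptime(stamp, "%Y%m%d%H%M%S")
    return (t.year, t.month, t.day, t.hour, t.minute, t.second)


if __name__ == "__main__":
    for vt in (0.0, 45000.5, -1.5):
        print("%12.4f -> %s" % (vt, format_stamp(vt)))
```

The round trip through parse_stamp and systemtime_to_variant_time is the practical use: a stamp recovered from a dropped file or a beacon can be turned back into the double the interpreter held, and vice versa.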
                APIs
                • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FE66
                • Sleep.KERNEL32(0000000A), ref: 0042FE6E
                • InterlockedDecrement.KERNEL32(004A7CAC), ref: 0042FF5D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: DecrementInterlocked$Sleep
                • String ID: 0vH$0vH$4RH0vH$@COM_EVENTOBJ
                • API String ID: 2250217261-3412429629
                • Opcode ID: 8ee3dc3b90658de1bdba7935e7c509bae4c97cbbd898303c1487c3161a53cb39
                • Instruction ID: 990b5f35a06538e4ae7b6c94f393f4a5fafaaf51bfa382c75dcb300f2d234fa3
                • Opcode Fuzzy Hash: 8ee3dc3b90658de1bdba7935e7c509bae4c97cbbd898303c1487c3161a53cb39
                • Instruction Fuzzy Hash: E0B1C0715083009FC714EF54C990A5FB3E4AF98304F508A2FF495972A2DB78ED4ACB9A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID:
                • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                • API String ID: 0-1603158881
                • Opcode ID: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
                • Instruction ID: 1d39c91c6ba170ccd8bd44326015c92659356e06a413e753493f98454e3169a0
                • Opcode Fuzzy Hash: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
                • Instruction Fuzzy Hash: 49A1D3B14043459BCB20EF50CC81BDE37A4AF94348F44891FF9896B182EF79A64DC76A
                APIs
                • _memset.LIBCMT ref: 00479D1F
                • VariantInit.OLEAUT32(?), ref: 00479F06
                • VariantClear.OLEAUT32(?), ref: 00479F11
                • VariantInit.OLEAUT32(?), ref: 00479DF7
                  • Part of subcall function 00467626: VariantInit.OLEAUT32(00000000), ref: 00467666
                  • Part of subcall function 00467626: VariantCopy.OLEAUT32(00000000,00479BD3), ref: 00467670
                  • Part of subcall function 00467626: VariantClear.OLEAUT32 ref: 0046767D
                • VariantClear.OLEAUT32(?), ref: 00479F9C
                  • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Variant$Copy$ClearInit$ErrorLast_memset
                • String ID: F$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                • API String ID: 665237470-60002521
                • Opcode ID: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
                • Instruction ID: 799f1794578ead7d01377608c22e1fb401aa4fc5ffca8a64c02b8280356d09a3
                • Opcode Fuzzy Hash: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
                • Instruction Fuzzy Hash: 6091B272204341AFD720DF64D880EABB7E9EFC4314F50891EF28987291D7B9AD45C766
                APIs
                  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046A84D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: ConnectRegistry_wcslen
                • String ID: HH
                • API String ID: 535477410-2761332787
                • Opcode ID: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
                • Instruction ID: 68d8ff7817732ac0dd8275009c421e29eb5870de2046e22f9b94a35ba54c9d9f
                • Opcode Fuzzy Hash: 95544a26956fe54eb2a8636236a3b10fc217bfdb2bff17811b2f45cb9df4731a
                • Instruction Fuzzy Hash: FE617FB56083009FD304EF65C981F6BB7E4AF88704F14891EF681A7291D678ED09CB97
                APIs
                • _memset.LIBCMT ref: 0045F317
                • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 0045F367
                • IsMenu.USER32(?), ref: 0045F380
                • CreatePopupMenu.USER32 ref: 0045F3C5
                • GetMenuItemCount.USER32(?), ref: 0045F42F
                • InsertMenuItemW.USER32(?,?,00000001,?), ref: 0045F45B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                • String ID: 0$2
                • API String ID: 3311875123-3793063076
                • Opcode ID: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
                • Instruction ID: 6c7ab59355789d00cbd42ef361c1bd9312a1bc9220e92816940967e3bd29aecc
                • Opcode Fuzzy Hash: fbdd9a11e44187a4bf70f7de18f8631e861f84fad9f8f26dcc1fb12baf34abbc
                • Instruction Fuzzy Hash: E451CF702043409FD710CF69D888B6BBBE4AFA5319F104A3EFD9586292D378994DCB67
                APIs
                • GetModuleHandleW.KERNEL32(00000000,004A8E80,00000100,00000100,?,C:\Users\user\Desktop\Invoices #645473.exe), ref: 0043719E
                • LoadStringW.USER32(00000000), ref: 004371A7
                • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 004371BD
                • LoadStringW.USER32(00000000), ref: 004371C0
                • _printf.LIBCMT ref: 004371EC
                • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00437208
                Strings
                • %s (%d) : ==> %s: %s %s, xrefs: 004371E7
                • C:\Users\user\Desktop\Invoices #645473.exe, xrefs: 00437189
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: HandleLoadModuleString$Message_printf
                • String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\Invoices #645473.exe
                • API String ID: 220974073-3667001505
                • Opcode ID: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
                • Instruction ID: cc9e6972dbc5209964c20f0f7d1f7455a13934f6c555fd98bc0bf92a0502fb90
                • Opcode Fuzzy Hash: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
                • Instruction Fuzzy Hash: F7014FB2A543447AE620EB549D06FFB365CABC4B01F444C1EB794A60C0AAF865548BBA
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
                • Instruction ID: 20732dcab93056f759d0b04a6df1a57780e33876730225f1fefd21ccf2a16f59
                • Opcode Fuzzy Hash: b00adbc1ea9d53563bb8a7982d93c3fa4b8356126e06b3aad1cc727703ca6f1a
                • Instruction Fuzzy Hash: 36519070200301ABD320DF29CC85F5BB7E8EB48715F540A1EF995E7292D7B4E949CB29
                APIs
                  • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Invoices #645473.exe,?,C:\Users\user\Desktop\Invoices #645473.exe,004A8E80,C:\Users\user\Desktop\Invoices #645473.exe,0040F3D2), ref: 0040FFCA
                  • Part of subcall function 00436AC4: GetFileAttributesW.KERNEL32(?,0044BD82,?,?,?), ref: 00436AC9
                • lstrcmpiW.KERNEL32(?,?), ref: 0045355E
                • MoveFileW.KERNEL32(?,?), ref: 0045358E
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: File$AttributesFullMoveNamePathlstrcmpi
                • String ID:
                • API String ID: 978794511-0
                • Opcode ID: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
                • Instruction ID: dcad70f49e32ae1adaf0c812d378eb0bba467e0a617048934f4a65f03e3a0b24
                • Opcode Fuzzy Hash: 905b41a6b5f1f1e7811aa1c06e555ad1605d40905c9a381d53b63ac73f12040d
                • Instruction Fuzzy Hash: 665162B25043406AC724EF61D885ADFB3E8AFC8305F44992EB94992151E73DD34DC767
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
                • Instruction ID: b1e2397247e50d0c7000acf5a2db8631a214b417b603bec0598d849dd48054e0
                • Opcode Fuzzy Hash: 2697ea5a26a9fc7488a3d070abad83f7d669ddccf749f4bfc66ff3ac1f4b4023
                • Instruction Fuzzy Hash: E54128332402806BE320A75DB8C4ABBFB98E7A2362F50443FF18196520D76678C5D339
                APIs
                • GetWindowLongW.USER32(?,000000EC), ref: 00455F01
                • _memset.LIBCMT ref: 00455F12
                • SendMessageW.USER32 ref: 00455F43
                • SendMessageW.USER32(?,0000104B,00000000,?), ref: 00455F82
                • SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 00455FF5
                • _wcslen.LIBCMT ref: 00455FFC
                • _wcslen.LIBCMT ref: 00456018
                • CharNextW.USER32(00000000,?,?,?), ref: 00456034
                • SendMessageW.USER32(?,0000104B,00000000,00000001), ref: 00456060
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend$_wcslen$CharLongNextWindow_memset
                • String ID:
                • API String ID: 2321321212-0
                • Opcode ID: 1e0cf8b8d25046b6848c8f46273bd4d506c8fc7d824d1fae03d8575ab44ef5d5
                • Instruction ID: 728fd5b54b682decfcd50b06f9b7fb359c8698431e162ed45c662fcf507213b6
                • Opcode Fuzzy Hash: 1e0cf8b8d25046b6848c8f46273bd4d506c8fc7d824d1fae03d8575ab44ef5d5
                • Instruction Fuzzy Hash: 5D41D172204241ABE3108F68DC45BABB7E4FB84321F004A2EF954D72D1E7B9904A8B66
                APIs
                  • Part of subcall function 0044593E: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 0044595D
                  • Part of subcall function 0044593E: GetCurrentThreadId.KERNEL32 ref: 00445964
                  • Part of subcall function 0044593E: AttachThreadInput.USER32(00000000,?,00000001,00478FA7), ref: 0044596B
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D15
                • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00445D35
                • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00445D3F
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D45
                • PostMessageW.USER32(00000000,00000100,00000027,00000000), ref: 00445D66
                • Sleep.KERNEL32(00000000), ref: 00445D70
                • MapVirtualKeyW.USER32(00000025,00000000), ref: 00445D76
                • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00445D8B
                • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000), ref: 00445D8F
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                • String ID:
                • API String ID: 2014098862-0
                • Opcode ID: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
                • Instruction ID: b085f3065cf9cd100f04f322da00d4b037e108fc79bf5967fdabce1cd6d2e74b
                • Opcode Fuzzy Hash: 621277f82d70151dd5f553487d646ea3797e8fa9e9e6e4ab5ab83039983e6254
                • Instruction Fuzzy Hash: 7B116971790704B7F620AB958C8AF5A7399EF88B11F20080DF790AB1C1C9F5E4418B7C
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: AddressProc_malloc$_strcat_strlen
                • String ID: AU3_FreeVar
                • API String ID: 2184576858-771828931
                • Opcode ID: 111e65442873bd7cbffe48700b84114c079de58427b558a04ef4a5d95244f0f0
                • Instruction ID: c940ad03d776ce5ee908f8b881b33357b51647545ffc53e819ca791e1fdac2da
                • Opcode Fuzzy Hash: 111e65442873bd7cbffe48700b84114c079de58427b558a04ef4a5d95244f0f0
                • Instruction Fuzzy Hash: EDA18DB5604205DFC300DF59C480A2AB7E5FFC8319F1489AEE9554B362D739ED89CB8A
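Several records in this section carry strings that belong to the AutoIt3 interpreter rather than to any script it executes: AU3_FreeVar in this record, the two "FOR..IN loop" error messages, the CLASSNN and REGEXPCLASS control-identifier properties, the @COM_EVENTOBJ macro name, and the "%s (%d) : ==> %s: %s %s" error-report format. That attribution is mine, not a finding the report states. It matters for triage because the disassembled functions are then the AutoIt runtime stub, and the FormBook behaviour the report flags lives in the compiled script and in the process the stub injects into. The Python below is an added example, not part of the report: it parses the report's own "API ID", "String ID" and "Opcode ID" bullets from a constructed excerpt copied from these records, splits the '$'-joined string lists and checks them against that marker list. The marker table, the verdict threshold and the function names are my own.

```python
"""
Triage helper for Joe Sandbox "Similarity" records: parse the bullet fields,
split the '$'-joined string lists and check them for AutoIt3 runtime strings.
Added example; the marker attributions are the editor's, not the report's.
"""
import re
from collections import defaultdict

# Strings that belong to the AutoIt3 interpreter, not to any script it runs.
AUTOIT_RUNTIME_MARKERS = {
    "AU3_FreeVar": "symbol resolved with GetProcAddress in AutoIt plugin DLLs",
    "Incorrect Object type in FOR..IN loop": "interpreter error message",
    "Null Object assignment in FOR..IN loop": "interpreter error message",
    "@COM_EVENTOBJ": "AutoIt macro name",
    "CLASSNN": "control-identifier property (ControlSend/ControlClick)",
    "REGEXPCLASS": "control-identifier property",
    "%s (%d) : ==> %s: %s %s": "script error report format",
}

# Constructed excerpt: the relevant bullets of six records on this page.
RECORD_EXCERPT = r"""
• API ID: DecrementInterlocked$Sleep
• String ID: 0vH$0vH$4RH0vH$@COM_EVENTOBJ
• Opcode ID: 8ee3dc3b90658de1bdba7935e7c509bae4c97cbbd898303c1487c3161a53cb39
• API ID:
• String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
• Opcode ID: b68d94a9d6a5d87f13f0fb5a725928f8f142c37ef967d8f11e3e615729381ce2
• API ID: Variant$Copy$ClearInit$ErrorLast_memset
• String ID: F$Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
• Opcode ID: d48da594d57f6aadbcc7a695fec4cf75dc39f6aec1ddb07572db38b207896a5c
• API ID: HandleLoadModuleString$Message_printf
• String ID: %s (%d) : ==> %s: %s %s$C:\Users\user\Desktop\Invoices #645473.exe
• Opcode ID: 94d1ddb87e9fdddd1f0eb85761e890ae026325719f266e56d7856026e6b64315
• API ID: AddressProc_malloc$_strcat_strlen
• String ID: AU3_FreeVar
• Opcode ID: 111e65442873bd7cbffe48700b84114c079de58427b558a04ef4a5d95244f0f0
• API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
• String ID: close all
• Opcode ID: ddf39f1eda455a1c63d5a7d3271f56cd3ed42d138f3b783cbb3ca1597947a384
"""

FIELD_RE = re.compile(r"^\s*•\s*(API ID|String ID|Opcode ID):\s*(.*)$")


def parse_records(text: str) -> list:
    """Group bullets into records; 'Opcode ID' is the last field of each record."""
    records, current = [], {"apis": [], "strings": []}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "API ID":
            current["apis"] = [a for a in value.split("$") if a]
        elif key == "String ID":
            current["strings"] = [s for s in value.split("$") if s]
        else:
            current["opcode_id"] = value
            records.append(current)
            current = {"apis": [], "strings": []}
    return records


def find_autoit_markers(records: list) -> dict:
    """Map each matched marker to the (shortened) opcode IDs it occurs in."""
    hits = defaultdict(list)
    for rec in records:
        for s in rec["strings"]:
            if s in AUTOIT_RUNTIME_MARKERS:
                hits[s].append(rec["opcode_id"][:12])
    return dict(hits)


def classify(records: list) -> str:
    """Two or more distinct runtime strings: treat the code as the AutoIt3 stub."""
    return "autoit3-runtime" if len(find_autoit_markers(records)) >= 2 else "inconclusive"


if __name__ == "__main__":
    recs = parse_records(RECORD_EXCERPT)
    for marker, ids in sorted(find_autoit_markers(recs).items()):
        print("%-40s %s  (%s)" % (marker, ids, AUTOIT_RUNTIME_MARKERS[marker]))
    print("verdict:", classify(recs))
```

The parser keys on the '$' separator that Joe Sandbox uses to join a record's strings, so a single "String ID" bullet such as CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT yields six candidate strings; the verdict requires two independent markers so that one coincidental string in an unrelated binary does not trigger it.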
                APIs
                • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00401D5A
                • DestroyWindow.USER32(?), ref: 0042A751
                • UnregisterHotKey.USER32(?), ref: 0042A778
                • FreeLibrary.KERNEL32(?), ref: 0042A822
                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 0042A854
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Free$DestroyLibrarySendStringUnregisterVirtualWindow
                • String ID: close all
                • API String ID: 4174999648-3243417748
                • Opcode ID: ddf39f1eda455a1c63d5a7d3271f56cd3ed42d138f3b783cbb3ca1597947a384
                • Instruction ID: e23b5dd52123a376b0379481fe8be5d2f02d07e70979f80a1c72d587d5a24a2c
                • Opcode Fuzzy Hash: ddf39f1eda455a1c63d5a7d3271f56cd3ed42d138f3b783cbb3ca1597947a384
                • Instruction Fuzzy Hash: FFA17075A102248FCB20EF55CC85B9AB3B8BF44304F5044EEE90967291D779AE85CF9D
                APIs
                • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 0044AA5A
                • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0044AA8D
                • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 0044AAF9
                • InternetSetOptionW.WININET(00000000,0000001F,?,00000004), ref: 0044AB11
                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044AB20
                • HttpQueryInfoW.WININET(00000000,00000005,?,00000000,00000000), ref: 0044AB61
                  • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                Strings
                Similarity
                • API ID: HttpInternet$OptionQueryRequest$ConnectErrorInfoLastOpenSend
                • String ID:
                • API String ID: 1291720006-3916222277
                • Opcode ID: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                • Instruction ID: 782b6278bf246bef60821ca34847c3ce69a0d92f774604c9678bedd135ce19ea
                • Opcode Fuzzy Hash: fd0d9a71f1b9f9aed2e07c44adb1cce69882d59a8a6dee97d1abd644e851efd9
                • Instruction Fuzzy Hash: 9C51E6B12803016BF320EB65CD85FBBB7A8FB89704F00091EF74196181D7B9A548C76A
                APIs
                Strings
                Similarity
                • API ID: ErrorLastselect
                • String ID: HH
                • API String ID: 215497628-2761332787
                • Opcode ID: 1fabfcd992589e09f71fbdf65a98bbf14ddec7c9fe5d6fbc91cd0cd8de42f11a
                • Instruction ID: a252b81ccbce03d1e7b1b0efababa2c0a0929072778302a7b1202b90a7697d70
                • Opcode Fuzzy Hash: 1fabfcd992589e09f71fbdf65a98bbf14ddec7c9fe5d6fbc91cd0cd8de42f11a
                • Instruction Fuzzy Hash: BF51E4726043005BD320EB65DC42F9BB399EB94324F044A2EF558E7281EB79E944C7AA
                APIs
                Strings
                Similarity
                • API ID: __snwprintf__wcsicoll_wcscpy
                • String ID: , $$0vH$AUTOITCALLVARIABLE%d$CALLARGARRAY
                • API String ID: 1729044348-3708979750
                • Opcode ID: 19d8c814bf70bb05cadf871115a188aa6336bc7b5c41e4e48777219efcb9f973
                • Instruction ID: 823d0c4529048d9f890bbf28e75db1a658c609af9319d28fcdda535ef0d13f31
                • Opcode Fuzzy Hash: 19d8c814bf70bb05cadf871115a188aa6336bc7b5c41e4e48777219efcb9f973
                • Instruction Fuzzy Hash: E651A571514300ABD610EF65C882ADFB3A4EFC4348F048D2FF54967291D779E949CBAA
                APIs
                  • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Invoices #645473.exe,?,C:\Users\user\Desktop\Invoices #645473.exe,004A8E80,C:\Users\user\Desktop\Invoices #645473.exe,0040F3D2), ref: 0040FFCA
                • lstrcmpiW.KERNEL32(?,?), ref: 0044BC04
                • MoveFileW.KERNEL32(?,?), ref: 0044BC38
                • _wcscat.LIBCMT ref: 0044BCAA
                • _wcslen.LIBCMT ref: 0044BCB7
                • _wcslen.LIBCMT ref: 0044BCCB
                • SHFileOperationW.SHELL32 ref: 0044BD16
                Strings
                Similarity
                • API ID: File_wcslen$FullMoveNameOperationPath_wcscatlstrcmpi
                • String ID: \*.*
                • API String ID: 2326526234-1173974218
                • Opcode ID: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
                • Instruction ID: 9e4979448571685848097db6772507fbfe8bfb8d1337cd0032b1ea927bdad9db
                • Opcode Fuzzy Hash: 79917c867e5dc746cbfe3ebb0135d92afbab4952e7fca4f485a184e9ce72b521
                • Instruction Fuzzy Hash: 4B3183B14083019AD724EF21C5D5ADFB3E4EFC8304F444D6EB98993251EB39E608D7AA
                APIs
                  • Part of subcall function 00436328: _wcsncpy.LIBCMT ref: 0043633C
                • _wcslen.LIBCMT ref: 004366DD
                • GetFileAttributesW.KERNEL32(?), ref: 00436700
                • GetLastError.KERNEL32 ref: 0043670F
                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00436727
                • _wcsrchr.LIBCMT ref: 0043674C
                  • Part of subcall function 004366BE: CreateDirectoryW.KERNEL32(?,00000000,?,00000000,00000000), ref: 0043678F
                Strings
                Similarity
                • API ID: CreateDirectory$AttributesErrorFileLast_wcslen_wcsncpy_wcsrchr
                • String ID: \
                • API String ID: 321622961-2967466578
                • Opcode ID: 3d3187412736f1559758a6cd6e40f0a594bd5d43c4c9ea1cccac3023e941b0f8
                • Instruction ID: 68cadaa88695c7c006562ade17844284f7fc34f8e7e15af3b97584e331f528d6
                • Opcode Fuzzy Hash: 3d3187412736f1559758a6cd6e40f0a594bd5d43c4c9ea1cccac3023e941b0f8
                • Instruction Fuzzy Hash: 3C2148765003017ADB20A724EC47AFF33989F95764F90993EFD14D6281E779950882AE
                APIs
                Strings
                Similarity
                • API ID: __wcsnicmp
                • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                • API String ID: 1038674560-2734436370
                • Opcode ID: dc7e98e38d8725b7134af3b864f32bf76aed1b78794146943df9d66deb8fb3e7
                • Instruction ID: f72ce1d64a5a3b865947b719243e4701f1ba8c8209579f194a7ae3ad15c73224
                • Opcode Fuzzy Hash: dc7e98e38d8725b7134af3b864f32bf76aed1b78794146943df9d66deb8fb3e7
                • Instruction Fuzzy Hash: 1B21F87261161067E730B659DCC2BDB63985F65305F04406BF800AA247D6ADA98A83AA
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 112564a247b2c5517b2e9062ed64c3c881856d236ed0f54b465f9cd3811f3f85
                • Instruction ID: 650af14def374fe6fd11052fbef22cb8aa6c894e3601bf285572d08ae3c4fed9
                • Opcode Fuzzy Hash: 112564a247b2c5517b2e9062ed64c3c881856d236ed0f54b465f9cd3811f3f85
                • Instruction Fuzzy Hash: 439192726043009BD710EF65DC82BABB3E9AFD4714F004D2EF548E7291D779E944875A
                APIs
                • EnumProcesses.PSAPI(?,00000800,?,?,00444263,?,?,?), ref: 00436EEC
                • OpenProcess.KERNEL32(00000410,00000000,?,?,?), ref: 00436F44
                • EnumProcessModules.PSAPI(00000000,?,00000004,?), ref: 00436F59
                • GetModuleBaseNameW.PSAPI(00000000,?,?,00000104,00000000,?,00000004,?), ref: 00436F71
                • __wsplitpath.LIBCMT ref: 00436FA0
                • _wcscat.LIBCMT ref: 00436FB2
                • __wcsicoll.LIBCMT ref: 00436FC4
                • CloseHandle.KERNEL32(00000000,00000000,?,?,00000104,00000000,?,00000004,?), ref: 00437003
                Similarity
                • API ID: EnumProcess$BaseCloseHandleModuleModulesNameOpenProcesses__wcsicoll__wsplitpath_wcscat
                • String ID:
                • API String ID: 2903788889-0
                • Opcode ID: 7292045517b03260f1320f87d3cebc28a29f897dca793e666df8b3a842c294cc
                • Instruction ID: e95795bff0e4a6f47310c77509a1ee8dff79588992f1933afd8058d7896a4498
                • Opcode Fuzzy Hash: 7292045517b03260f1320f87d3cebc28a29f897dca793e666df8b3a842c294cc
                • Instruction Fuzzy Hash: C831A5B5108341ABD725DF54D881EEF73E8BBC8704F00891EF6C587241DBB9AA89C766
                APIs
                • DeleteObject.GDI32(?), ref: 0044157D
                • GetDC.USER32(00000000), ref: 00441585
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00441590
                • ReleaseDC.USER32(00000000,00000000), ref: 0044159B
                • CreateFontW.GDI32(?,00000000,00000000,00000000,?,000000FF,000000FF,000000FF,00000001,00000004,00000000,?,00000000,00000000), ref: 004415E9
                • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00441601
                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00441639
                • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00441659
                Similarity
                • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                • String ID:
                • API String ID: 3864802216-0
                • Opcode ID: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
                • Instruction ID: 4e191e68d33858d232da06d8f8bca50b2e2c885119a5133d865ec5329e905ca2
                • Opcode Fuzzy Hash: ea0a3e179a2db4f205f3d0bf310cedd64f619745dcd59731a2847991c922bb1b
                • Instruction Fuzzy Hash: 1531C172240344BBE7208B14CD49FAB77EDEB88B15F08450DFB44AA2D1DAB4ED808B64
                APIs
                • _memset.LIBCMT ref: 00401257
                  • Part of subcall function 00401BE0: _memset.LIBCMT ref: 00401C62
                  • Part of subcall function 00401BE0: _wcsncpy.LIBCMT ref: 00401CA1
                  • Part of subcall function 00401BE0: _wcscpy.LIBCMT ref: 00401CBD
                  • Part of subcall function 00401BE0: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00401CCF
                • KillTimer.USER32(?,?), ref: 004012B0
                • SetTimer.USER32(?,?,000002EE,00000000), ref: 004012BF
                • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AA80
                • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AACC
                • Shell_NotifyIconW.SHELL32(?,?), ref: 0042AB0F
                Similarity
                • API ID: IconNotifyShell_$Timer_memset$Kill_wcscpy_wcsncpy
                • String ID:
                • API String ID: 1792922140-0
                • Opcode ID: 91f47cbc1f218a7f09512ea68bd6b482f011e20e77652f43937312b7b91c0350
                • Instruction ID: 78dbdb20408675f5dda5a176dd8a03fc230073daf987e80dd157250a536ae6f7
                • Opcode Fuzzy Hash: 91f47cbc1f218a7f09512ea68bd6b482f011e20e77652f43937312b7b91c0350
                • Instruction Fuzzy Hash: 56319670609642BFD319CB24D544B9BFBE8BF85304F04856EF488A3251C7789A19D7AB
                APIs
                • ___set_flsgetvalue.LIBCMT ref: 004140E1
                  • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                  • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                  • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                • ___fls_getvalue@4.LIBCMT ref: 004140EC
                  • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                • ___fls_setvalue@8.LIBCMT ref: 004140FF
                  • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                • GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
                • ExitThread.KERNEL32 ref: 0041410F
                • GetCurrentThreadId.KERNEL32 ref: 00414115
                • __freefls@4.LIBCMT ref: 00414135
                • __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
                Similarity
                • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                • String ID:
                • API String ID: 1925773019-0
                • Opcode ID: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
                • Instruction ID: d0499dd1a11a7aa3f5f6b81cdb2be0183561266298d4129ec5ef95b8f2f1ff50
                • Opcode Fuzzy Hash: 78c5a7e04feddb60afef3bdf2204f5ea6d2fca564e255d6fa6df859771c1ea47
                • Instruction Fuzzy Hash: 12018430000200ABC704BFB2DD0D9DE7BA9AF95345722886EF90497212DA3CC9C28B5C
                APIs
                • VariantClear.OLEAUT32(00000038), ref: 004357C3
                • VariantClear.OLEAUT32(00000058), ref: 004357C9
                • VariantClear.OLEAUT32(00000068), ref: 004357CF
                • VariantClear.OLEAUT32(00000078), ref: 004357D5
                • VariantClear.OLEAUT32(00000088), ref: 004357DE
                • VariantClear.OLEAUT32(00000048), ref: 004357E4
                • VariantClear.OLEAUT32(00000098), ref: 004357ED
                • VariantClear.OLEAUT32(000000A8), ref: 004357F6
                Similarity
                • API ID: ClearVariant
                • String ID:
                • API String ID: 1473721057-0
                • Opcode ID: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
                • Instruction ID: 4669651a97e20320d925a323ac357da1b1419afffb7c9eb93274aad60c959a81
                • Opcode Fuzzy Hash: 108e33c2045b04221b4df3f02cd388125a51a7e0134505e60bdc817f2fb2f336
                • Instruction Fuzzy Hash: BDF03CB6400B446AC235EB79DC40BD7B7E86F89200F018E1DE58783514DA78F588CB64
                APIs
                • WSAStartup.WSOCK32(00000101,?,?), ref: 00464ADE
                  • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
                • inet_addr.WSOCK32(?,00000000,?,?,00000101,?,?), ref: 00464B1F
                • gethostbyname.WSOCK32(?,?,00000000,?,?,00000101,?,?), ref: 00464B29
                • _memset.LIBCMT ref: 00464B92
                • GlobalAlloc.KERNEL32(00000040,00000040), ref: 00464B9E
                • GlobalFree.KERNEL32(00000000), ref: 00464CDE
                • WSACleanup.WSOCK32 ref: 00464CE4
                Similarity
                • API ID: Global$AllocByteCharCleanupFreeMultiStartupWide_memsetgethostbynameinet_addr
                • String ID:
                • API String ID: 3424476444-0
                • Opcode ID: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
                • Instruction ID: 8d90feaebe95447676150adcea4a136074f650e12d33839f26a9dde16614cdb7
                • Opcode Fuzzy Hash: 3a9821fb802cba04523fcb9c1f83c74fd5b22343f7d4654d6e4056c4a41f6a01
                • Instruction Fuzzy Hash: A3A17EB1504300AFD710EF65C982F9BB7E8AFC8714F54491EF64497381E778E9058B9A
                APIs
                • GetSystemMetrics.USER32(0000000F), ref: 00440B7B
                Similarity
                • API ID: MetricsSystem
                • String ID:
                • API String ID: 4116985748-0
                • Opcode ID: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
                • Instruction ID: 1e23dbab6d9439f1299be2c39bdf7de0481ead398f869a6d5eaf0ea33fa99bdf
                • Opcode Fuzzy Hash: eff4c90f3403bcfb76001cffaab33834930133fcb34fa8184a7caea4de8066d9
                • Instruction Fuzzy Hash: 8EA19C70608701DBE314CF68C984B6BBBE1FB88704F14491EFA8593251E778F965CB5A
                APIs
                  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AC62
                Similarity
                • API ID: ConnectRegistry_wcslen
                • String ID:
                • API String ID: 535477410-0
                • Opcode ID: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
                • Instruction ID: 71109d01e6e71572d3d886d5d9f1e4ab699fb1be984f768d753da2f0a00da466
                • Opcode Fuzzy Hash: 37987dacba266e2f7d681c7555595b89ca1c624194ad33880a6965c3691367fb
                • Instruction Fuzzy Hash: BBA18EB1204300AFC710EF65C885B1BB7E4BF85704F14896EF685AB292D779E905CB9B
                APIs
                  • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                  • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                • _memset.LIBCMT ref: 004538C4
                • GetMenuItemInfoW.USER32(?,?), ref: 004538EF
                • _wcslen.LIBCMT ref: 00453960
                • SetMenuItemInfoW.USER32(00000011,?,00000000,?), ref: 004539C4
                • SetMenuDefaultItem.USER32(?,000000FF,00000000,?,?), ref: 004539E0
                Strings
                Similarity
                • API ID: ItemMenu$Info_wcslen$Default_memset_wcscpy
                • String ID: 0
                • API String ID: 3530711334-4108050209
                • Opcode ID: 95001eb6d8d06d897afce0aca893f4b7651020868193ca3a80220c39ecb6f9c3
                • Instruction ID: 97d09e0af2b4d046480d7fb626e7fa0667c22e7462995616ff61acde959b3bac
                • Opcode Fuzzy Hash: 95001eb6d8d06d897afce0aca893f4b7651020868193ca3a80220c39ecb6f9c3
                • Instruction Fuzzy Hash: 747118F15083015AD714DF65C881B6BB7E4EB98396F04491FFD8082292D7BCDA4CC7AA
                APIs
                • GetCurrentProcessId.KERNEL32(?), ref: 00473A00
                • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00473A0E
                • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00473A34
                • CloseHandle.KERNEL32(00000000,00000000,?,00000028), ref: 00473C01
                Strings
                Similarity
                • API ID: Process$CloseCountersCurrentHandleOpen
                • String ID: HH
                • API String ID: 3488606520-2761332787
                • Opcode ID: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
                • Instruction ID: 2161edc7e7eefe464b48455ffcea7dd3157e2cbe85e131cccd8837112284b0a3
                • Opcode Fuzzy Hash: 12402d889b8d2545f97f81e579d11a3e1d05628ef8a47b4e2ac7d1c45517ac81
                • Instruction Fuzzy Hash: 3581BF71A043019FD320EF69C882B5BF7E4AF84744F108C2EF598AB392D675E945CB96
                APIs
                  • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                  • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                  • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                  • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                  • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                • LineTo.GDI32(?,?), ref: 004474BF
                • CloseFigure.GDI32(?), ref: 004474C6
                • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                • Rectangle.GDI32(?,?), ref: 004474F3
                Similarity
                • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                • String ID:
                • API String ID: 4082120231-0
                • Opcode ID: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
                • Instruction ID: e2e17d079c8faeb919f1a119f9aa9df975eabc7d00289576b12f70c1741c819b
                • Opcode Fuzzy Hash: 3e823f4574af11f26be8c20bd8771cfecf2a7ea1363ae8038588c787c8c49515
                • Instruction Fuzzy Hash: BC713AB11083419FD300DF15C884E6BBBE9EFC9708F148A1EF99497351D778A906CBAA
                APIs
                  • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                  • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                  • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                  • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                  • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                • Ellipse.GDI32(?,?,?,00000000), ref: 00447463
                • MoveToEx.GDI32(?,?,?,00000000), ref: 00447473
                • AngleArc.GDI32(?,?,?,?,?,?), ref: 004474B6
                • LineTo.GDI32(?,?), ref: 004474BF
                • CloseFigure.GDI32(?), ref: 004474C6
                • SetPixel.GDI32(?,?,?,?), ref: 004474D6
                • Rectangle.GDI32(?,?), ref: 004474F3
                Similarity
                • API ID: Object$Select$AngleBeginCloseCreateDeleteEllipseFigureLineMovePathPixelRectangle
                • String ID:
                • API String ID: 4082120231-0
                • Opcode ID: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
                • Instruction ID: 71053adf7dd607ae91079c2ca5de7ffea4483cc305881a9741cc2e8bc8d6f2cf
                • Opcode Fuzzy Hash: bd92991fb0a59d5160a547c0af993f50d26037df712543aebae1afc8709768cb
                • Instruction Fuzzy Hash: 55613BB51083419FD300DF55CC84E6BBBE9EBC9308F148A1EF99597351D738A906CB6A
                APIs
                Similarity
                • API ID: AngleCloseEllipseFigureLineMovePixelRectangle
                • String ID:
                • API String ID: 288456094-0
                • Opcode ID: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
                • Instruction ID: d3db7697bfba14f4a3ad6627a8a5faa1010559558ae5e3f89cc6b0bd66950af4
                • Opcode Fuzzy Hash: d308d32173f93e4cd5527eec6d709d72f3e0fef6f2bd509874fda6c33d0c9603
                • Instruction Fuzzy Hash: 90514BB51082419FD300DF15CC84E6BBBE9EFC9308F14891EF99497351D734A906CB6A
                APIs
                • GetParent.USER32(?), ref: 004449B0
                • GetKeyboardState.USER32(?), ref: 004449C3
                • SetKeyboardState.USER32(?), ref: 00444A0F
                • PostMessageW.USER32(?,00000101,00000010,?), ref: 00444A3F
                • PostMessageW.USER32(?,00000101,00000011,?), ref: 00444A60
                • PostMessageW.USER32(?,00000101,00000012,?), ref: 00444AAC
                • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444AD1
                Similarity
                • API ID: MessagePost$KeyboardState$Parent
                • String ID:
                • API String ID: 87235514-0
                • Opcode ID: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
                • Instruction ID: 19c159416ad4887e81d4090d30fbb5c505c675cee05c330e2fd8e115592bd25d
                • Opcode Fuzzy Hash: d47ceab968b999e6d4944081d81f2373d9ea27f049f07d95c13b51a59d3cc885
                • Instruction Fuzzy Hash: B651C5A05487D139F7369234884ABA7BFD55F8A304F08CA4EF1E5156C3D2ECE984C769
                APIs
                • GetParent.USER32(?), ref: 00444BA9
                • GetKeyboardState.USER32(?), ref: 00444BBC
                • SetKeyboardState.USER32(?), ref: 00444C08
                • PostMessageW.USER32(?,00000100,00000010,?), ref: 00444C35
                • PostMessageW.USER32(?,00000100,00000011,?), ref: 00444C53
                • PostMessageW.USER32(?,00000100,00000012,?), ref: 00444C9C
                • PostMessageW.USER32(?,00000100,0000005B,?), ref: 00444CBE
                Similarity
                • API ID: MessagePost$KeyboardState$Parent
                • String ID:
                • API String ID: 87235514-0
                • Opcode ID: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
                • Instruction ID: 4493abccadab05ae7d00f733e1fa63583af0c494729619d74f1516a50adc8d80
                • Opcode Fuzzy Hash: de9aba9e896a2e755c79cba499ec14fd455f1b60db9a9f79a8626ad1a28ad6a0
                • Instruction Fuzzy Hash: A951E4F05097D139F7369364884ABA7BFE46F8A304F088A4EF1D5065C2D2ACE984C769
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
                • Instruction ID: b3b3da583a0ae8cfa3180eda0e634cae40a493ebdfd517dbec9d2fd4fbd82cb1
                • Opcode Fuzzy Hash: 2552f041a71837ba3affbc4ec308d2b7aa0755a9e2dfe05148a880b05b5b76bf
                • Instruction Fuzzy Hash: 1E513A315082909FE321CF14DC89FABBB64FB46320F18456FF895AB2D1D7649C06D7AA
                APIs
                  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0046AA77
                Strings
                Similarity
                • API ID: ConnectRegistry_wcslen
                • String ID: HH
                • API String ID: 535477410-2761332787
                • Opcode ID: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
                • Instruction ID: 7b41397762752e7dec08e47bcdb2cb2f58790b6f4670524580eb9da3090621e6
                • Opcode Fuzzy Hash: a31a44ff546351b1de52d8f34745bf25342c9426a619c9766caf2b0061db1f75
                • Instruction Fuzzy Hash: A2516D71208301AFD304EF65C981F5BB7A9BFC4704F40892EF685A7291D678E905CB6B
                APIs
                • _memset.LIBCMT ref: 00457C34
                • _memset.LIBCMT ref: 00457CE8
                • ShellExecuteExW.SHELL32(?), ref: 00457D34
                  • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                  • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                • CloseHandle.KERNEL32(?), ref: 00457DDD
                Strings
                Similarity
                • API ID: _memset$CloseExecuteHandleShell_wcscpy_wcslen
                • String ID: <$@
                • API String ID: 1325244542-1426351568
                • Opcode ID: 669f3797eafbd6ea24f738bceaf78c3ad3f6bdf3b3f8ec2a74c9f7251b65f49f
                • Instruction ID: 09e461bdfc47c8bdd671eddb31188d347eda7c51057725e13e77015b5001baed
                • Opcode Fuzzy Hash: 669f3797eafbd6ea24f738bceaf78c3ad3f6bdf3b3f8ec2a74c9f7251b65f49f
                • Instruction Fuzzy Hash: EA510FB55083009FC710EF61D985A5BB7E4AF84709F00492EFD44AB392DB39ED48CB9A
                APIs
                • CreateToolhelp32Snapshot.KERNEL32(?,?,?,?,?,?,?,?,?,00000002,00000000,00000014), ref: 0047379B
                • Process32FirstW.KERNEL32(00000000,?), ref: 004737A8
                • __wsplitpath.LIBCMT ref: 004737E1
                  • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                • _wcscat.LIBCMT ref: 004737F6
                • __wcsicoll.LIBCMT ref: 00473818
                • Process32NextW.KERNEL32(00000000,?), ref: 00473844
                • CloseHandle.KERNEL32(00000000,00000000,?,?), ref: 00473852
                Similarity
                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wcsicoll__wsplitpath__wsplitpath_helper_wcscat
                • String ID:
                • API String ID: 2547909840-0
                • Opcode ID: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                • Instruction ID: 8efa427203ffd7a45d167e3a64f6abf3f3640219bb0751621114887cb14f0fc1
                • Opcode Fuzzy Hash: 1dcf289f501924a5df592eae16a0ec0030d5246948486ec38c60cdc62178aa5b
                • Instruction Fuzzy Hash: 4751BB71544304A7D720EF61CC86FDBB3E8AF84748F00492EF58957182E775E645C7AA
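                The API sequences in the entries above are what an analyst reads this section for: GetCurrentProcessId / OpenProcess(00000410) / GetProcessIoCounters at 00473A00, GetKeyboardState / SetKeyboardState / PostMessageW at 004449B0 and 00444BA9, and CreateToolhelp32Snapshot / Process32FirstW / Process32NextW at 0047379B. The script below is an added example, not Joe Sandbox code and not code from the sample: it parses those bullet lines (format inferred from this page), expands the numeric constants in the OpenProcess and PostMessageW arguments using the values from the Windows SDK headers, and tags each function with a behaviour label. The label names and the rule table are the example's own assumptions, and the three sample entries are abridged copies of the report lines above.

```python
# Added example (not Joe Sandbox code): a triage helper for the per-function
# "APIs" listings in this report. Line format inferred from this page; the
# behaviour labels are analyst heuristics, not verdicts taken from the report.
import re

# Matches "• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00473A0E"
# and "  • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2"
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# Constants from the Windows SDK headers (winnt.h / winuser.h).
PROCESS_ACCESS = {
    0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD", 0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ", 0x0020: "PROCESS_VM_WRITE", 0x0040: "PROCESS_DUP_HANDLE",
    0x0400: "PROCESS_QUERY_INFORMATION", 0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
WINDOW_MESSAGES = {0x100: "WM_KEYDOWN", 0x101: "WM_KEYUP", 0x104: "WM_SYSKEYDOWN", 0x105: "WM_SYSKEYUP"}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN", 0x5C: "VK_RWIN"}

# A label applies only when every listed API is called directly by the function.
BEHAVIOURS = {
    "process enumeration via Toolhelp32 snapshot": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
    "synthetic keystrokes via SetKeyboardState + PostMessage": {"GetKeyboardState", "SetKeyboardState", "PostMessageW"},
    "reads its own I/O counters (OpenProcess on current PID)": {"GetCurrentProcessId", "OpenProcess", "GetProcessIoCounters"},
}

def parse_api_lines(entry):
    """Turn the bullet lines of one function entry into call records."""
    calls = []
    for line in entry.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue  # "APIs"/"Strings" headings and other non-call lines
        raw = m.group("args") or ""
        calls.append({
            "api": m.group("api"), "module": m.group("mod"),
            "args": [a.strip() for a in raw.split(",")] if raw else [],
            "ref": int(m.group("ref"), 16),
            "subcall": m.group("sub"),  # callee address when the call is indirect
        })
    return calls

def _hex_arg(args, index):
    """args[index] as int, or None when it is '?' (unresolved) or absent."""
    if index < len(args) and re.fullmatch(r"[0-9A-Fa-f]+", args[index]):
        return int(args[index], 16)
    return None

def decode_call(call):
    """Expand the constants a triager would otherwise look up by hand."""
    api, args = call["api"], call["args"]
    if api == "OpenProcess":
        mask = _hex_arg(args, 0)
        if mask is not None:
            names = [n for bit, n in PROCESS_ACCESS.items() if mask & bit]
            rest = mask & ~sum(PROCESS_ACCESS)  # bits the table does not name
            if rest:
                names.append(f"0x{rest:X}")
            return f"OpenProcess(0x{mask:X} = {' | '.join(names)})"
    if api in ("PostMessageW", "SendMessageW"):
        msg, wparam = _hex_arg(args, 1), _hex_arg(args, 2)
        if msg in WINDOW_MESSAGES:
            key = VIRTUAL_KEYS.get(wparam, "?" if wparam is None else f"0x{wparam:X}")
            return f"{api}({WINDOW_MESSAGES[msg]}, {key})"
    return f"{api}({', '.join(args)})"

def summarize_entry(entry):
    """API set, decoded high-signal calls and behaviour labels for one entry."""
    calls = parse_api_lines(entry)
    # "Part of subcall function" lines belong to a callee; keeping them out of
    # the direct-call set stops a shared helper from labelling every caller.
    direct = {c["api"] for c in calls if c["subcall"] is None}
    labels = [label for label, needed in BEHAVIOURS.items() if needed <= direct]
    decoded = [decode_call(c) for c in calls if c["api"] in ("OpenProcess", "PostMessageW", "SendMessageW")]
    return {"apis": sorted(direct), "labels": labels, "decoded": decoded}

# Abridged copies of three entries on this page (taken from the report, not constructed).
SAMPLE_ENTRIES = {
    "00473A00": """APIs
• GetCurrentProcessId.KERNEL32(?), ref: 00473A00
• OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00473A0E
• GetProcessIoCounters.KERNEL32(00000000,?), ref: 00473A34
• CloseHandle.KERNEL32(00000000,00000000,?,00000028), ref: 00473C01
""",
    "004449B0": """APIs
• GetParent.USER32(?), ref: 004449B0
• GetKeyboardState.USER32(?), ref: 004449C3
• SetKeyboardState.USER32(?), ref: 00444A0F
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00444A3F
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00444AD1
""",
    "0047379B": """APIs
• CreateToolhelp32Snapshot.KERNEL32(?,?,?,?,?,?,?,?,?,00000002,00000000,00000014), ref: 0047379B
• Process32FirstW.KERNEL32(00000000,?), ref: 004737A8
• __wsplitpath.LIBCMT ref: 004737E1
  • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
• Process32NextW.KERNEL32(00000000,?), ref: 00473844
""",
}
```

                Running summarize_entry over the three samples decodes OpenProcess(00000410) as PROCESS_VM_READ | PROCESS_QUERY_INFORMATION on the process's own PID, and the PostMessageW calls as WM_KEYUP for VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN (the 00444BA9 entry posts the matching WM_KEYDOWN, 00000100, for the same four keys), which is why the two keyboard entries read as a modifier-key press/release helper rather than a keylogger. A label derived from one function's API set is a pointer to where to look in the disassembly, not a verdict; the Toolhelp32 walk at 0047379B, for example, compares process names with __wcsicoll but nothing in this listing says what name it is looking for.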
                APIs
                • SendMessageW.USER32(?,00001308,?,00000000), ref: 004552B7
                • ImageList_Remove.COMCTL32(?,?,?,?), ref: 004552EB
                • SendMessageW.USER32(?,0000133D,?,00000002), ref: 004553D3
                • DeleteObject.GDI32(?), ref: 0045564E
                • DeleteObject.GDI32(?), ref: 0045565C
                • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                Similarity
                • API ID: DeleteDestroyMessageObjectSend$IconImageList_RemoveWindow
                • String ID:
                • API String ID: 2354583917-0
                • Opcode ID: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                • Instruction ID: 19c5dc8500d05a42ca126c51664c70dafe1d1a8ca3b523478e8997b137d6e309
                • Opcode Fuzzy Hash: b44580b005306b3b7f9b1dbab51831616e075f248f5ed84087b7c105bb41b1f9
                • Instruction Fuzzy Hash: 77519D30204A419FC714DF24C4A4B7A77E5FB49301F4486AEFD9ACB392DB78A849CB54
                APIs
                  • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                • GetMenu.USER32 ref: 004776AA
                • GetMenuItemCount.USER32(00000000), ref: 004776CC
                • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 004776FB
                • _wcslen.LIBCMT ref: 0047771A
                Similarity
                • API ID: Menu$CountItemStringWindow_wcslen
                • String ID:
                • API String ID: 1823500076-0
                • Opcode ID: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                • Instruction ID: 4b9e656becebfc5f52f27a1d7ad2c07a58398098864d75d3a5ce1c02cc274359
                • Opcode Fuzzy Hash: 3c1e0179b5075f45df12b398ec391808b8d2f1e7a16a5d1bec5683dd9427006f
                • Instruction Fuzzy Hash: 174117715083019FD320EF25CC45BABB3E8BF88314F10492EF55997252D7B8E9458BA9
                APIs
                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 0044890A
                • SendMessageW.USER32(?,00000469,?,00000000), ref: 00448920
                • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                Similarity
                • API ID: Window$Enable$Show$MessageMoveSend
                • String ID:
                • API String ID: 896007046-0
                • Opcode ID: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                • Instruction ID: 0809a8548e22334437b8974569d6adfa08582830463fbdb99c3481629354d751
                • Opcode Fuzzy Hash: 440e8810410bf42a4c8e03fd117b8fd843bde7e89b0e2674ab81ad81c9f8ea0f
                • Instruction Fuzzy Hash: 63419E746043419FF7248B24C884B6FB7A1FB99305F18886EF98197391DA78A845CB59
                APIs
                • SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                • GetWindowLongW.USER32(?,000000F0), ref: 00441452
                • GetWindowLongW.USER32(?,000000F0), ref: 00441493
                • SendMessageW.USER32(02FC1B98,000000F1,00000000,00000000), ref: 004414C6
                • SendMessageW.USER32(02FC1B98,000000F1,00000001,00000000), ref: 004414F1
                Similarity
                • API ID: MessageSend$LongWindow
                • String ID:
                • API String ID: 312131281-0
                • Opcode ID: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
                • Instruction ID: f6a862a32ccfd92e4f153a1965fa7dc80102ffdb8abe4b8a046001f82176c48d
                • Opcode Fuzzy Hash: ed470013e842d905752aa6f8daaa5f1d8e955df317e7b96a507e5c494099af20
                • Instruction Fuzzy Hash: 2F416A347442019FE720CF58DCC4F6A77A5FB8A754F24416AE5519B3B1CB75AC82CB48
                APIs
                • _memset.LIBCMT ref: 004484C4
                • GetMenuItemInfoW.USER32(?,?,00000000,004A83D8), ref: 00448562
                • IsMenu.USER32(?), ref: 0044857B
                • InsertMenuItemW.USER32(?,?,00000001,004A83D8), ref: 004485D0
                • DrawMenuBar.USER32 ref: 004485E4
                Strings
                Similarity
                • API ID: Menu$Item$DrawInfoInsert_memset
                • String ID: 0
                • API String ID: 3866635326-4108050209
                • Opcode ID: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                • Instruction ID: c1b4c65bd9dbf201e14e83578cc8030a3c247867dd5f1e451e409e2153a24926
                • Opcode Fuzzy Hash: 42a201a1e731261e29c9ff9b40de176b55a78da0b06957c9f64dc5096dc7767a
                • Instruction Fuzzy Hash: 9F417F75604341AFE710CF45C984B6BB7E4FB89304F14881EFA554B391DBB4E849CB5A
                APIs
                • InterlockedIncrement.KERNEL32 ref: 0047247C
                • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472491
                • Sleep.KERNEL32(0000000A), ref: 00472499
                • InterlockedIncrement.KERNEL32(004A7CAC), ref: 004724A4
                • InterlockedDecrement.KERNEL32(004A7CAC), ref: 00472599
                Strings
                Similarity
                • API ID: Interlocked$DecrementIncrement$Sleep
                • String ID: 0vH
                • API String ID: 327565842-3662162768
                • Opcode ID: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
                • Instruction ID: 7246262c18bb701d5349304b0e2d21290bf7c9637501dd5a114e6955e8e78370
                • Opcode Fuzzy Hash: bfb173672284e31ba0a3017bb0c7d670cf276827bd066f711b3c3b49063f60eb
                • Instruction Fuzzy Hash: 9631D2329082259BD710DF28DD41A8A77A5EB95324F05483EFD08FB251DB78EC498BED
                APIs
                • SendMessageW.USER32(?,00000401,?,00000000), ref: 00448B16
                • GetFocus.USER32 ref: 00448B1C
                • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                Similarity
                • API ID: Window$Enable$Show$FocusMessageSend
                • String ID:
                • API String ID: 3429747543-0
                • Opcode ID: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
                • Instruction ID: 96ed947056310062a3fa6d2350adc65d304252fdbf70c479ab88671ed4e09c2c
                • Opcode Fuzzy Hash: f5aca3f6d68f8169105ace43209457086b036621b25274999c7621d4cb9b91fc
                • Instruction Fuzzy Hash: FC31B4706443819BF7248E14C8C4BAFB7D0EB95745F04492EF981A6291DBA89845C719
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 0045D32F
                • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D3B3
                • __swprintf.LIBCMT ref: 0045D3CC
                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D416
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: ErrorMode$InformationVolume__swprintf
                • String ID: %lu$HH
                • API String ID: 3164766367-3924996404
                • Opcode ID: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
                • Instruction ID: e4de0c6df68350460ad5232616e5185c9d799459bd1b640414cfcbd8d86849a8
                • Opcode Fuzzy Hash: bd20e614eacc1ec6e7ce8a240dc663141bf9142d6fc10aee8c7bf862d4d2af0b
                • Instruction Fuzzy Hash: 85314A716083019BC310EF55D941A5BB7E4FF88704F40892EFA4597292D774EA09CB9A
                APIs
                • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00450E24
                • SendMessageW.USER32(00000000,00000409,00000000,FF000000), ref: 00450E35
                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00450E43
                • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00450E54
                • SendMessageW.USER32(00000000,00000404,00000001,00000000), ref: 00450E62
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: Msctls_Progress32
                • API String ID: 3850602802-3636473452
                • Opcode ID: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
                • Instruction ID: b51c377fab27852337593a8f268aff884918310fa347e0537580fa9f3b853d23
                • Opcode Fuzzy Hash: 42656bfbb5a190feb894f1e63281698c22ff60bbec02a0e57f9bf8616b6fd2a5
                • Instruction Fuzzy Hash: 2C2121712543007AE7209A65DC42F5BB3E9AFD8B24F214A0EF754B72D1C6B4F8418B58
                APIs
                • ImageList_Destroy.COMCTL32(?), ref: 00455451
                • ImageList_Destroy.COMCTL32(?), ref: 0045545F
                • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                • DeleteObject.GDI32(?), ref: 0045564E
                • DeleteObject.GDI32(?), ref: 0045565C
                • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Destroy$DeleteImageList_ObjectWindow$Icon
                • String ID:
                • API String ID: 3985565216-0
                • Opcode ID: dc022e11ae60a508d3fee16e2099accab07c71a042b18f60c16d9d094d7ead98
                • Instruction ID: 02eb1b45cc7e926b76574f27881fb1e8d9d372094f4d7b34cf8607babd6cb63d
                • Opcode Fuzzy Hash: dc022e11ae60a508d3fee16e2099accab07c71a042b18f60c16d9d094d7ead98
                • Instruction Fuzzy Hash: EA213270200A019FCB20DF65CAD4B2A77A9BF45312F50855EED45CB352DB39EC45CB69
                APIs
                • ___set_flsgetvalue.LIBCMT ref: 00415737
                • __calloc_crt.LIBCMT ref: 00415743
                • __getptd.LIBCMT ref: 00415750
                • CreateThread.KERNEL32(00000000,?,0041568B,00000000,00000004,00000000), ref: 00415776
                • ResumeThread.KERNEL32(00000000,?,?,?,?,?,?,00000000), ref: 00415786
                • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 00415791
                • __dosmaperr.LIBCMT ref: 004157A9
                  • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                  • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Thread$CreateErrorLastResume___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                • String ID:
                • API String ID: 1269668773-0
                • Opcode ID: bb8068f02d799d687f86b9c43e1e9df3108372b57b840b2ce394e22bf251b6d0
                • Instruction ID: 083f1b3d72dc2b4e3073d7627409da2efaae6cca9fbdfa2eb2c15b7cb2a145f7
                • Opcode Fuzzy Hash: bb8068f02d799d687f86b9c43e1e9df3108372b57b840b2ce394e22bf251b6d0
                • Instruction Fuzzy Hash: 4511E672501604EFC720AF76DC868DF7BA4EF80334F21412FF525922D1DB788981966D
                APIs
                  • Part of subcall function 00438FE4: GetProcessHeap.KERNEL32(00000008,0000000C,0043910A,00000000,00000000,00000000,0044646E,?,?,?), ref: 00438FE8
                  • Part of subcall function 00438FE4: HeapAlloc.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FEF
                • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,00000000,00000000,00000000,0044646E,?,?,?), ref: 00439119
                • GetCurrentProcess.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439123
                • DuplicateHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0043912C
                • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00439138
                • GetCurrentProcess.KERNEL32(?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00439142
                • DuplicateHandle.KERNEL32(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00439145
                • CreateThread.KERNEL32(00000000,00000000,004390C2,00000000,00000000,00000000), ref: 0043915E
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                • String ID:
                • API String ID: 1957940570-0
                • Opcode ID: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
                • Instruction ID: b388a4287fabc35bf2088fa38ebc9459a42e34e8a642192e1b63b89709cb9be3
                • Opcode Fuzzy Hash: ae016cd78919e3da0d3d218cc031d8d4f693afb8d34ff927aa47fd3b6f506194
                • Instruction Fuzzy Hash: 3BF0CD753413007BD220EB65DC86F5BB7A8EBC9B10F118919F6049B1D1C6B4A800CB65
                APIs
                • ___set_flsgetvalue.LIBCMT ref: 00415690
                  • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                  • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                  • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                • ___fls_getvalue@4.LIBCMT ref: 0041569B
                  • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                • ___fls_setvalue@8.LIBCMT ref: 004156AD
                  • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                • GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
                • ExitThread.KERNEL32 ref: 004156BD
                • __freefls@4.LIBCMT ref: 004156D9
                • __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4
                • String ID:
                • API String ID: 4166825349-0
                • Opcode ID: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                • Instruction ID: 1015f584654e325efa3cacb901eba7c9ae2b5aefa54885f90b4e6d99173acdac
                • Opcode Fuzzy Hash: 185d0aae8fe32bab84a079219336c355dd614541d1aff55515eff8c05f91681e
                • Instruction Fuzzy Hash: 14F049745007009BD704BF72DD159DE7B69AF85345761C85FB80897222DA3DC9C1CB9C
                APIs
                • LoadLibraryA.KERNEL32(advapi32.dll,p#D,0043415E,p#D,?,00442370,?), ref: 00434134
                • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00434146
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: RegDeleteKeyExW$advapi32.dll$p#D$p#D
                • API String ID: 2574300362-3261711971
                • Opcode ID: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                • Instruction ID: cb82693085896f9455b4638215a98dd7e3cb824177552166877179ce6000b7c2
                • Opcode Fuzzy Hash: 3da92f374f37a9fa7395fa6ef73d3af1d379715eec5b41da1672ebd70bf57acc
                • Instruction Fuzzy Hash: D8D05EB0400B039FCB105F24D8086AB76F4EB68700F208C2EF989A3750C7B8E8C0CB68
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                • Instruction ID: be39947db1ffbcb7075193c31d102fc15fe4f6af8d23ce90efbce3d2b6a77a88
                • Opcode Fuzzy Hash: c82efa3070467c2623ec738b5b2be2cd760763614a3dd1863134219050ad48d5
                • Instruction Fuzzy Hash: 4BF16D71108740AFD210DB59C880EABB7F9EFCA744F10891EF69983261D735AC45CBAA
                APIs
                • GetClientRect.USER32(?,?), ref: 00433724
                • GetWindowRect.USER32(00000000,?), ref: 00433757
                • GetClientRect.USER32(0000001D,?), ref: 004337AC
                • GetSystemMetrics.USER32(0000000F), ref: 00433800
                • GetWindowRect.USER32(?,?), ref: 00433814
                • ScreenToClient.USER32(?,?), ref: 00433842
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Rect$Client$Window$MetricsScreenSystem
                • String ID:
                • API String ID: 3220332590-0
                • Opcode ID: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                • Instruction ID: 40e56d112be44df416332e5c874318f33691c6b0c201ea6c9f9086adb5117cf0
                • Opcode Fuzzy Hash: 3d0204db3781b081fd3de6a8efec2d06c6e501bf89adf1cf9fb69463b8de8f3e
                • Instruction Fuzzy Hash: E9A126B42147028AC324CF68C5847ABBBF1FF98715F04991EE9D983360E775E908CB5A
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: _malloc_wcslen$_strcat_wcscpy
                • String ID:
                • API String ID: 1612042205-0
                • Opcode ID: de2929fcda50375e6e5cb9f1075b8832783a078aa1feca3c1cc6154b42d84a61
                • Instruction ID: 39b6431fb86a1cae222df6ecce28f21653e085caad8de22f1e35678e4483a9b6
                • Opcode Fuzzy Hash: de2929fcda50375e6e5cb9f1075b8832783a078aa1feca3c1cc6154b42d84a61
                • Instruction Fuzzy Hash: CD613B70504202EFCB10EF29D58096AB3E5FF48305B50496EF8859B306D738EE59DB9A
                APIs
                • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C588
                • SetKeyboardState.USER32(00000080), ref: 0044C59B
                • PostMessageW.USER32(?,00000104,?,?), ref: 0044C5EC
                • PostMessageW.USER32(?,00000100,?,?), ref: 0044C610
                • PostMessageW.USER32(?,00000102,?,00000001), ref: 0044C637
                • SendInput.USER32 ref: 0044C6E2
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessagePost$KeyboardState$InputSend
                • String ID:
                • API String ID: 2221674350-0
                • Opcode ID: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                • Instruction ID: 3a634557d1668dba9f4fbb3ffee1259adddcddb7f3fce46f2ce6721246940f3b
                • Opcode Fuzzy Hash: 061e63fcf1402e721e52ee56d2f22f81c2cbe03cfd8f861d8ff00d299370d474
                • Instruction Fuzzy Hash: A24148725053486AF760EF209C80BFFBB98EF95324F04151FFDC412281D66E984987BA
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: _wcscpy$_wcscat
                • String ID:
                • API String ID: 2037614760-0
                • Opcode ID: f99e136c889cacb8689bc9f00eee4ad51686cf745bff212a4790763dd87d00cb
                • Instruction ID: 871aa96d6b0d5f43eceffdadd72b032f7becd6ba50fbda5e2bca5dd503650597
                • Opcode Fuzzy Hash: f99e136c889cacb8689bc9f00eee4ad51686cf745bff212a4790763dd87d00cb
                • Instruction Fuzzy Hash: 7D41BD31901A256BDE317F55D880BBB7358DFA1314F84006FF98247313EA6E5892C6BE
                APIs
                • BeginPaint.USER32(00000000,?,004A83D8,?), ref: 00447B9D
                • GetWindowRect.USER32(?,?), ref: 00447C1B
                • ScreenToClient.USER32(?,?), ref: 00447C39
                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                • EndPaint.USER32(?,?), ref: 00447CD1
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Paint$BeginClientRectRectangleScreenViewportWindow
                • String ID:
                • API String ID: 4189319755-0
                • Opcode ID: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                • Instruction ID: de699fe3e67e71f806f86ee7feca1bcffcb0489daa19151882f3061068cc4b26
                • Opcode Fuzzy Hash: 37bca05dc5f282a43c1c57c3b808f61ec058395b4d713bcb6da44fc2610780a1
                • Instruction Fuzzy Hash: D14182705043019FE320DF15C8C8F7B7BA8EB89724F04466EF9548B391DB74A846CB69
                APIs
                • InterlockedExchange.KERNEL32(?,000001F5), ref: 0044B490
                  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B4C2
                • EnterCriticalSection.KERNEL32(00000000), ref: 0044B4E3
                • LeaveCriticalSection.KERNEL32(00000000), ref: 0044B5A0
                • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 0044B5BB
                  • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                  • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                  • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                • InterlockedExchange.KERNEL32(?,000001F6), ref: 0044B5D1
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrow_mallocstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                • String ID:
                • API String ID: 1726766782-0
                • Opcode ID: 3a1f833abb26ce593740c71d471a220e6d34013d7717cf1b73c6152b0bb325a5
                • Instruction ID: bf52b5dc2e344941501510e432fc863898df75637e45487ca8cd05157db66b41
                • Opcode Fuzzy Hash: 3a1f833abb26ce593740c71d471a220e6d34013d7717cf1b73c6152b0bb325a5
                • Instruction Fuzzy Hash: 09415C75104701AFD320EF26D845EABB3F8EF88708F008E2DF59A92650D774E945CB6A
                APIs
                • ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 004410F9
                • EnableWindow.USER32(?,00000000), ref: 0044111A
                • ShowWindow.USER32(?,00000000,?,?,?,?,00448962,004A83D8,?,?), ref: 00441183
                • ShowWindow.USER32(?,00000004,?,?,?,00448962,004A83D8,?,?), ref: 00441192
                • EnableWindow.USER32(?,00000001), ref: 004411B3
                • SendMessageW.USER32(?,0000130C,?,00000000), ref: 004411D5
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Window$Show$Enable$MessageSend
                • String ID:
                • API String ID: 642888154-0
                • Opcode ID: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
                • Instruction ID: 824eeaafe1f931a994963cd163acc5b0ce47b26168a6fd4ee38d593e4569daee
                • Opcode Fuzzy Hash: c853c7407bbaf9010c68549c691492fdcd401e5b0cb22aeb5446aebbed6f20c9
                • Instruction Fuzzy Hash: 14417770604245DFE725CF14C984FA6B7E5BF89300F1886AEE6859B3B2CB74A881CB55
                APIs
                • SendMessageW.USER32(00000000,00001024,00000000,?), ref: 004490E3
                • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004490F8
                • SendMessageW.USER32(00000000,0000111E,00000000,?), ref: 0044910D
                • InvalidateRect.USER32(?,00000000,00000001), ref: 00449124
                • GetWindowLongW.USER32(00000000,000000F0), ref: 0044912F
                • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0044913C
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend$LongWindow$InvalidateRect
                • String ID:
                • API String ID: 1976402638-0
                • Opcode ID: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
                • Instruction ID: 8b80d2acd15126bdfc8b54909556444574c0e56a9806921f1e0b477f33817628
                • Opcode Fuzzy Hash: 2b574cf222373ea94a5f8b1e2da5d15417ee742d7ff148607d59a4e94613559a
                • Instruction Fuzzy Hash: F231B476244202AFF224DF04DC89FBBB7A9F785321F14492EF291973D0CA75AC469729
                APIs
                • GetForegroundWindow.USER32 ref: 00442597
                  • Part of subcall function 004344B7: GetWindowRect.USER32(?,?), ref: 004344D3
                • GetDesktopWindow.USER32 ref: 004425BF
                • GetWindowRect.USER32(00000000), ref: 004425C6
                • mouse_event.USER32(00008001,?,?,?,?), ref: 004425F5
                  • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                • GetCursorPos.USER32(?), ref: 00442624
                • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00442690
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                • String ID:
                • API String ID: 4137160315-0
                • Opcode ID: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
                • Instruction ID: 1581b522c3ee05a339ffa1fd07f9e8cd23967deed6539873686ea33d82c69dd2
                • Opcode Fuzzy Hash: 9bf1d5af4d3523281d87c855d40d0150606dc562a9e0308dc2a2f88b36285eae
                • Instruction Fuzzy Hash: 7C31C1B2104306ABD310DF54CD85E6BB7E9FB98304F004A2EF94597281E675E9058BA6
                APIs
                • SendMessageW.USER32(?,000000F1,?,00000000), ref: 0044886C
                • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Window$Enable$Show$MessageSend
                • String ID:
                • API String ID: 1871949834-0
                • Opcode ID: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
                • Instruction ID: fbfed122d4da650e42f877d7e8bff2bfe9b33138fa51555fe8345b8bcc16d821
                • Opcode Fuzzy Hash: 703f0702a5e3ae6889c0b2c4cbd553a5347372704319c0c884d711360b5070ea
                • Instruction Fuzzy Hash: A731F3B07443819BF7248E14C8C4BAFB7D0AB95345F08482EF981A63D1DBAC9846872A
                APIs
                • _memset.LIBCMT ref: 0044961A
                • SendMessageW.USER32 ref: 0044964A
                  • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                • SendMessageW.USER32(?,00001074,?,00000001), ref: 004496AC
                • _wcslen.LIBCMT ref: 004496BA
                • _wcslen.LIBCMT ref: 004496C7
                • SendMessageW.USER32(?,00001074,?,?), ref: 004496FD
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend$_wcslen$_memset_wcspbrk
                • String ID:
                • API String ID: 1624073603-0
                • Opcode ID: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
                • Instruction ID: 7e49a266cf7116299f7bc8659d1ce07b00adedb8b3f1b428e1954e4b11147a1e
                • Opcode Fuzzy Hash: 3158986b153f08837b9b71a8f77f3cc169978b1c24ba43a32ffefb24081b9654
                • Instruction Fuzzy Hash: B631CA71508300AAE720DF15DC81BEBB7D4EBD4720F504A1FFA54862D0EBBAD945C7A6
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
                • Instruction ID: 0263b137e1f68684b0dae4bb7f633391a2f723f0f4072b7ce39308acd6c8c458
                • Opcode Fuzzy Hash: 8dc28afdcb3e23db499faf1906c1cec9916ddd90de084288035f36419de8ba35
                • Instruction Fuzzy Hash: 31219272245110ABE7108B68DCC4B6F7798EB96374F240A3AF512C61E1EA7998C1C769
                APIs
                • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 004555AD
                • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                • DeleteObject.GDI32(?), ref: 0045564E
                • DeleteObject.GDI32(?), ref: 0045565C
                • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: DestroyWindow$DeleteObject$IconMove
                • String ID:
                • API String ID: 1640429340-0
                • Opcode ID: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                • Instruction ID: 2ee25f48dcb0ad8048bc4d9c922f6cac320a9d705fdb810e808868a6102f62dc
                • Opcode Fuzzy Hash: da39536b61dc90218e8938c0c8165bcff49a91d8f884d8405ba8ed69dafdd4fa
                • Instruction Fuzzy Hash: 05312770200A419FD724DF24C998B3A73F9FB44312F4485AAE945CB266E778EC49CB69
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: __fileno__setmode$DebugOutputString_fprintf
                • String ID:
                • API String ID: 3354276064-0
                • Opcode ID: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                • Instruction ID: 1e9a75ed7ce68f0ee686932f25d41d1f14ae1a91d469003489e3a0780bce169f
                • Opcode Fuzzy Hash: 44da5cbe136b9a97bfd5e2050e6700f1212f0f901edc4668462b95a159366457
                • Instruction Fuzzy Hash: 6D11F3B2D0830136D500BA366C02AAF7A5C4A91B5CF44056EFD4563293EA2DAA4943FF
                APIs
                • ExtractIconExW.SHELL32(?,?,00000000,?,00000001), ref: 0046FF1D
                • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001,004A83D8,?,?,?,00000000,?,00000001), ref: 0046FF5D
                • SendMessageW.USER32(?,00001303,00000000,00000000), ref: 0046FF7B
                • ImageList_ReplaceIcon.COMCTL32(?,?,?,004A83D8,?,?,?,00000000,?,00000001), ref: 0046FF93
                • SendMessageW.USER32 ref: 0046FFBA
                • DestroyIcon.USER32(?), ref: 0046FFCC
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Icon$ImageList_MessageSend$CreateDestroyExtractReplace
                • String ID:
                • API String ID: 3611059338-0
                • Opcode ID: 317c6088c103e71675824f08105c26182ca0c8a94683eb5d1f55e72f19be716d
                • Instruction ID: 5774e549fe23b70f7ddb20da7ab5c74696e2cf490f7d8532ec6e8e804971e2f4
                • Opcode Fuzzy Hash: 317c6088c103e71675824f08105c26182ca0c8a94683eb5d1f55e72f19be716d
                • Instruction Fuzzy Hash: 7121F475240304AFE350DB24DC85FABB7A4FB88710F00482EFA8597291DBF9A845CB66
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Destroy$DeleteMenuObject$IconWindow
                • String ID:
                • API String ID: 752480666-0
                • Opcode ID: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                • Instruction ID: bf467a0aa8f060071afd9cdae546a2eb92d9c059e8a57ac1e588bb5f3fc3a395
                • Opcode Fuzzy Hash: e2db828b4da75c1988a3618645d7ad87c2567147b1e4a2a373431826dce2281b
                • Instruction Fuzzy Hash: 26215E30200A019FC724DF24D5E8B7AB7A9FB44312F50855EED498B392CB39EC89CB59
                APIs
                • DestroyWindow.USER32(00000000), ref: 0045527A
                • ImageList_Destroy.COMCTL32(?), ref: 0045528C
                • DeleteObject.GDI32(?), ref: 0045564E
                • DeleteObject.GDI32(?), ref: 0045565C
                • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Destroy$DeleteObjectWindow$IconImageList_
                • String ID:
                • API String ID: 3275902921-0
                • Opcode ID: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                • Instruction ID: c357af2a313eda44c34a26cb015c973203dd8f66e4d80e74dc1abfaeb9ce60f9
                • Opcode Fuzzy Hash: 9ca718b8a23ef3076e20a4bf5a66fd8e296fb8dfd37af4e8726ba93a3cadf818
                • Instruction Fuzzy Hash: 2D217E70604A019BC714DF79D99466AB7A5BF44311F40856EF919CB342DB38E849CF68
                APIs
                • GetCurrentProcess.KERNEL32(0000000A,?,?,?,?,?,00446540,?,?,?,?,?,?,?,?,?), ref: 0043935D
                • OpenProcessToken.ADVAPI32(00000000,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439364
                • CreateEnvironmentBlock.USERENV(?,?,00000001,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439376
                • CloseHandle.KERNEL32(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 00439383
                • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 004393C0
                • DestroyEnvironmentBlock.USERENV(?,?,00000000,00464227,00000000,?,?,?,?,?,?,?,?), ref: 004393D4
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                • String ID:
                • API String ID: 1413079979-0
                • Opcode ID: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                • Instruction ID: 8c652321442b38080740e7d333ba663a52d3460857ef2618669649d87ea194c0
                • Opcode Fuzzy Hash: 1d720b0393062126ad9b64f1bf0a3b497d62ac8a089cd0237a290436ac7c4432
                • Instruction Fuzzy Hash: 7B2150B2208300ABD314CB65D854EABB7EDEBCD754F084E1DF989A3250C7B4E901CB25
                APIs
                • ___set_flsgetvalue.LIBCMT ref: 0041418F
                • __calloc_crt.LIBCMT ref: 0041419B
                • __getptd.LIBCMT ref: 004141A8
                • CreateThread.KERNEL32(?,?,004140DB,00000000,?,?), ref: 004141DF
                • GetLastError.KERNEL32(?,?,?,?,?,?,00000000), ref: 004141E9
                • __dosmaperr.LIBCMT ref: 00414201
                  • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                  • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CreateErrorLastThread___set_flsgetvalue__calloc_crt__decode_pointer__dosmaperr__getptd__getptd_noexit
                • String ID:
                • API String ID: 1803633139-0
                • Opcode ID: 9093ead1b57094de5194e295d789e60ec266b8318c1e976fb280fb1b07ce6f9a
                • Instruction ID: ec3febacf030228bba34671a5a373aa86179f0c9a00f1e1343e4adce14cbcb36
                • Opcode Fuzzy Hash: 9093ead1b57094de5194e295d789e60ec266b8318c1e976fb280fb1b07ce6f9a
                • Instruction Fuzzy Hash: 1311DD72504209BFCB10AFA5DC828DF7BA8EF44368B20446EF50193151EB39C9C18A68
                APIs
                • ImageList_Destroy.COMCTL32(?), ref: 004555E8
                • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                • DeleteObject.GDI32(?), ref: 0045564E
                • DeleteObject.GDI32(?), ref: 0045565C
                • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Destroy$DeleteObjectWindow$IconImageList_
                • String ID:
                • API String ID: 3275902921-0
                • Opcode ID: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
                • Instruction ID: 9e206caaed87a4944845468030bda76e3f946505fe2e652cce1cc100bc4c7c20
                • Opcode Fuzzy Hash: 9bb8e3ba902fb320eab333f0308ec6d2a7ed81620e332b79689394e938adb37d
                • Instruction Fuzzy Hash: BE2141702006409FCB25DF25C994A2B77A9FF44312F80856EED49CB352DB39EC4ACB59
                APIs
                • SendMessageW.USER32 ref: 004554DF
                • SendMessageW.USER32(?,00001008,00000000,00000000), ref: 004554FA
                • DeleteObject.GDI32(?), ref: 0045564E
                • DeleteObject.GDI32(?), ref: 0045565C
                • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: DeleteDestroyMessageObjectSend$IconWindow
                • String ID:
                • API String ID: 3691411573-0
                • Opcode ID: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
                • Instruction ID: ead105b7aa3a144aa2df3f4c31681f961a0d6b706109639263d1a652a664e8ec
                • Opcode Fuzzy Hash: ffc9a8f4f75f6e2ff6fdc7cc9300f0c908ecc9e004d580c3573be367ed75df53
                • Instruction Fuzzy Hash: A5118F713046419BDB10DF68DD88A2A77A8FB58322F404A2AFE14DB2D1D775DC498B68
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: _wcslen$_wcstok$ExtentPoint32Text
                • String ID:
                • API String ID: 1814673581-0
                • Opcode ID: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                • Instruction ID: 25d714350c6a951fb861184d208c8546153e966ae5ec0a2422e5c8358eb53325
                • Opcode Fuzzy Hash: cf50433860b5c5ee623566781d9083cc0ce59c581d7d4fe1355e753f7016059c
                • Instruction Fuzzy Hash: F60125B19053126BC6209F95DC42B5BB7E8EF45760F11842AFD04E3340D7F8E84483EA
                APIs
                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362A7
                • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362B2
                • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362BA
                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 004362C5
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: PerformanceQuery$CounterSleep$Frequency
                • String ID:
                • API String ID: 2833360925-0
                • Opcode ID: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                • Instruction ID: c21ea81f2c38402705b15ef58ab4919efdb6e4f3ef0ac894e378511a69de5cf2
                • Opcode Fuzzy Hash: ce9720f61a9ee9538873cf1403cb39b7711a51cb3deac7b7aa4b9b4cf2db8b86
                • Instruction Fuzzy Hash: C411D031909306ABC700EF19DA8499FB7E4FFCCB11F828D2DF98592210D734C9498B96
                APIs
                  • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                  • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                  • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                  • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                  • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                • MoveToEx.GDI32(?,?,?,00000000), ref: 0044721F
                • LineTo.GDI32(?,?,?), ref: 00447227
                • MoveToEx.GDI32(?,?,?,00000000), ref: 00447235
                • LineTo.GDI32(?,?,?), ref: 0044723D
                • EndPath.GDI32(?), ref: 0044724E
                • StrokePath.GDI32(?), ref: 0044725C
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: ObjectPath$LineMoveSelect$BeginCreateDeleteStroke
                • String ID:
                • API String ID: 372113273-0
                • Opcode ID: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
                • Instruction ID: cf4011081099dc8586e946db52605055ec0608de7db987eb6b7af15cf0be2a5d
                • Opcode Fuzzy Hash: 902a14e142be2de25a3bb197ce65ea465fb84dbb313772e519df98722d37df37
                • Instruction Fuzzy Hash: B7018F36105264BBE2119750EC4AF9FBBACEF8A710F14451DF70156191C7F42A0587BD
                APIs
                • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0041098F
                • MapVirtualKeyW.USER32(00000010,00000000), ref: 00410997
                • MapVirtualKeyW.USER32(000000A0,00000000), ref: 004109A2
                • MapVirtualKeyW.USER32(000000A1,00000000), ref: 004109AD
                • MapVirtualKeyW.USER32(00000011,00000000), ref: 004109B5
                • MapVirtualKeyW.USER32(00000012,00000000), ref: 004109BD
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Virtual
                • String ID:
                • API String ID: 4278518827-0
                • Opcode ID: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
                • Instruction ID: 14dd698fb88c41d3cb2937c08abaa7ad6cdafd80764dd657d9f2199fb51feb0a
                • Opcode Fuzzy Hash: 067efc0be0420d5e011611900d1cbcbd564411b72165316cb005851f0732894c
                • Instruction Fuzzy Hash: 52112A6118ABC4ADD3329F694854A87FFE45FB6304F484A8ED1D607A43C195A60CCBBA
                APIs
                • GetDC.USER32(00000000), ref: 0044CBEF
                • GetDeviceCaps.GDI32(00000000,00000058), ref: 0044CC00
                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0044CC09
                • ReleaseDC.USER32(00000000,00000000), ref: 0044CC10
                • MulDiv.KERNEL32(000009EC,?,?), ref: 0044CC29
                • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0044CC37
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CapsDevice$Release
                • String ID:
                • API String ID: 1035833867-0
                • Opcode ID: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
                • Instruction ID: 50bf861fd692b93b916a63282857a41227f0dfa19545bc4f0a59f576ae553c11
                • Opcode Fuzzy Hash: ae25b50e6df40ac1760f249dbc4ceec79d7598f555d49c24eefaf783d5b8ff63
                • Instruction Fuzzy Hash: 560184B1641314BFF6009BA1DC4AF1BBB9CEF55755F01842EFF44A7241D6B098008BA9
                APIs
                • InterlockedExchange.KERNEL32(0042A369,057401F8), ref: 0044B66E
                • EnterCriticalSection.KERNEL32(0042A321), ref: 0044B67B
                • TerminateThread.KERNEL32(?,000001F6), ref: 0044B689
                • WaitForSingleObject.KERNEL32(?,000003E8,?,000001F6), ref: 0044B697
                  • Part of subcall function 004356CD: CloseHandle.KERNEL32(00000000,0042A365,0044B6A3,0042A365,?,000003E8,?,000001F6), ref: 004356D9
                • InterlockedExchange.KERNEL32(0042A369,000001F6), ref: 0044B6AC
                • LeaveCriticalSection.KERNEL32(0042A321), ref: 0044B6AF
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                • String ID:
                • API String ID: 3495660284-0
                • Opcode ID: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                • Instruction ID: 3e278a896620ffa5fdfd5bcc44ba61fc9bc9ab212b345b13b81bb6ec37c91fca
                • Opcode Fuzzy Hash: 7ab0c325316775d38e8d9aa2ca09049d0c02a968ddf60f226b23d446a35990e5
                • Instruction Fuzzy Hash: E3F0F672141206BBD210AB24EE89DBFB37CFF44315F41096AF60142550CB75F811CBBA
                APIs
                • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00437127
                • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00437140
                • GetWindowThreadProcessId.USER32(?,?), ref: 00437150
                • OpenProcess.KERNEL32(001F0FFF,00000000,?), ref: 00437162
                • TerminateProcess.KERNEL32(00000000,00000000), ref: 0043716D
                • CloseHandle.KERNEL32(00000000), ref: 00437174
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                • String ID:
                • API String ID: 839392675-0
                • Opcode ID: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                • Instruction ID: 38550948ec006cf47bed7574f40cc63f5aae242ba43c895826076912260f23cd
                • Opcode Fuzzy Hash: 9671eea5464782d863345c1ba519a7d6af1158a8c6613e6f42f5b6706bbe0782
                • Instruction Fuzzy Hash: 37F054352813117BE6215B109E4EFEF37A8AF49F02F104828FB41B51D0E7E469458BAE
                APIs
                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000008,004A8E80,BC000000,00431B28,C:\Users\user\Desktop\Invoices #645473.exe,00000004), ref: 00436055
                • LockServiceDatabase.ADVAPI32(00000000), ref: 00436062
                • UnlockServiceDatabase.ADVAPI32(00000000), ref: 0043606D
                • CloseServiceHandle.ADVAPI32(00000000), ref: 00436076
                • GetLastError.KERNEL32 ref: 00436081
                • CloseServiceHandle.ADVAPI32(00000000), ref: 00436091
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Service$CloseDatabaseHandle$ErrorLastLockManagerOpenUnlock
                • String ID:
                • API String ID: 1690418490-0
                • Opcode ID: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
                • Instruction ID: 156e5f382d75df54ba3c5c30185d6bb62b1a9e6e0194ec4ef6b9e4a62dbea0b3
                • Opcode Fuzzy Hash: 49e5e78db470eb3b31ed20f2670ed0ea18d225c835d46e40371f5509899a8be7
                • Instruction Fuzzy Hash: 9BE0E5319821216BC6231B30AE4DBCF3B99DB1F311F041827F701D2250CB998404DBA8
                APIs
                  • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                • CoInitialize.OLE32(00000000), ref: 00475B71
                • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 00475B8A
                • CoUninitialize.OLE32 ref: 00475D71
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CreateInitializeInstanceUninitialize_wcslen
                • String ID: .lnk$HH
                • API String ID: 886957087-3121654589
                • Opcode ID: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
                • Instruction ID: f4d7caca580305710a2a5ca379fd8543151c5613ecc12b631d1ff665410dc3a0
                • Opcode Fuzzy Hash: 75a96ccae25093af7e6917375c938c281093df7f6cda4de25b1c017a61ab28fd
                • Instruction Fuzzy Hash: B0819D75604300AFD310EF65CC82F5AB3A9EF88704F50892DF658AF2D2D6B5E905CB99
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Menu$Delete$InfoItem_memset
                • String ID: 0
                • API String ID: 1173514356-4108050209
                • Opcode ID: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
                • Instruction ID: b3a4179b3c174fb1a3aa0d908437eb3f68f1f523a6631853a4ee88e897a1c7ed
                • Opcode Fuzzy Hash: e31d5a25326cfad936127cde49464cb56a2d17833d4ec3f4ad79405d5b41ed43
                • Instruction Fuzzy Hash: 31418CB55043019BD710CF19C884B5BBBE5AFC5324F148A6EFCA49B282C375E809CBA6
                APIs
                  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00469368
                • SendMessageW.USER32(00000000,0000018A,00000000,00000000), ref: 00469379
                • SendMessageW.USER32(?,?,00000000,00000000), ref: 004693AB
                  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend$_wcslen
                • String ID: ComboBox$ListBox
                • API String ID: 763830540-1403004172
                • Opcode ID: 169cb05da2f7371639be8c7bcea77e944b24e4bfad061a6cd0ac94a92c737455
                • Instruction ID: 8c71ebf423f389569590ff88e643f185c263fd61562863516bde62979c95be4e
                • Opcode Fuzzy Hash: 169cb05da2f7371639be8c7bcea77e944b24e4bfad061a6cd0ac94a92c737455
                • Instruction Fuzzy Hash: E0210C7160020067C210BB3A9C46FAF77989B85364F09052FF959AB3D1EA7CE94A436E
                APIs
                • GetStdHandle.KERNEL32(?), ref: 004439B4
                  • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,74DF2EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                  • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                  • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CurrentHandleProcess$Duplicate
                • String ID: nul
                • API String ID: 2124370227-2873401336
                • Opcode ID: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                • Instruction ID: e5202fea31d744cc2812a948a395a4146b23d8233fafbd02014e3d546f800e0b
                • Opcode Fuzzy Hash: 1f0ba76bcec97c73efa3faab39b1dec00fe260a428cb25b20c1b65e4e3d5eb1c
                • Instruction Fuzzy Hash: 8921A070104301ABE320DF28D886B9B77E4AF94B24F504E1EF9D4972D1E3B5DA54CBA6
                APIs
                • GetStdHandle.KERNEL32(000000F6), ref: 004438B7
                  • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(0000002C,00000000,00000000,00000002,74DF2EE0,00000000,004437E2,?,0000002C,00000000,?,?,?), ref: 004356BD
                  • Part of subcall function 0043569D: GetCurrentProcess.KERNEL32(?,00000000,?,?,?), ref: 004356C1
                  • Part of subcall function 0043569D: DuplicateHandle.KERNEL32(00000000,?,?,?), ref: 004356C4
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CurrentHandleProcess$Duplicate
                • String ID: nul
                • API String ID: 2124370227-2873401336
                • Opcode ID: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
                • Instruction ID: 183321404fa0000a7fb955016a75d3ae5bd0bbc3c7f5d4043dd6f74a8503dfc6
                • Opcode Fuzzy Hash: 1c1504a6ed80816e8cc684f5e798812a6452e5ed6eae5ac994518d836d8835bd
                • Instruction Fuzzy Hash: 4E2182701002019BE210DF28DC45F9BB7E4AF54B34F204A1EF9E4962D0E7759654CB56
                APIs
                • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00441333
                • LoadLibraryW.KERNEL32(?,?,?,?,0047B4D0,?,?,?,?,?,?,?,?,?,00000000), ref: 0044133A
                • SendMessageW.USER32(?,00000467,00000000,?), ref: 00441352
                • DestroyWindow.USER32(00000000,?,00000467,00000000,?,?,?,?,0047B4D0,?,?,?,?,?,?), ref: 0044135B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend$DestroyLibraryLoadWindow
                • String ID: SysAnimate32
                • API String ID: 3529120543-1011021900
                • Opcode ID: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
                • Instruction ID: 28effd0bdeb99d0e0a50349a2d6ccdc4655b9339127a2247ff1827a793b197f6
                • Opcode Fuzzy Hash: 7eb070968e116bc4f0d30e0eba70c7f8d943bdaa5f5f9b6b4db71aa758301bcd
                • Instruction Fuzzy Hash: D0216271204301ABF7209AA5DC84F6B73ECEBD9724F104A1EF651D72E0D6B4DC818729
                APIs
                • PeekMessageW.USER32(00000000,00000000,00000000,00000000,00000001), ref: 0044304E
                • TranslateMessage.USER32(?), ref: 0044308B
                • DispatchMessageW.USER32(?), ref: 00443096
                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 004430AD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Message$Peek$DispatchTranslate
                • String ID: *.*
                • API String ID: 1795658109-438819550
                • Opcode ID: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
                • Instruction ID: a39ada88e739a490af96418dc0f35d82e94fc94c1e76e22fe960a83301852fb1
                • Opcode Fuzzy Hash: a5394e60fa5dc12563cec3cf09e66162f870e5be06c650d2d1f2ad27f88770fd
                • Instruction Fuzzy Hash: 9F2138715183419EF720DF289C80FA3B7949B60B05F008ABFF66492191E6B99608C76E
                APIs
                  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                  • Part of subcall function 004389A1: SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
                  • Part of subcall function 004389A1: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
                  • Part of subcall function 004389A1: GetCurrentThreadId.KERNEL32 ref: 004389DA
                  • Part of subcall function 004389A1: AttachThreadInput.USER32(00000000), ref: 004389E1
                • GetFocus.USER32 ref: 004609EF
                  • Part of subcall function 004389EB: GetParent.USER32(?), ref: 004389F7
                  • Part of subcall function 004389EB: GetParent.USER32(?), ref: 00438A04
                • GetClassNameW.USER32(?,?,00000100), ref: 00460A37
                • EnumChildWindows.USER32(?,00445A31,?), ref: 00460A60
                • __swprintf.LIBCMT ref: 00460A7A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Thread$Parent$AttachChildClassCurrentEnumFocusInputMessageNameProcessSendTimeoutWindowWindows__swprintf_wcslen
                • String ID: %s%d
                • API String ID: 991886796-1110647743
                • Opcode ID: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
                • Instruction ID: 20a4aa43144560c0524e92d1094e5dcb4402c89d1d481f65a72662ac57dae138
                • Opcode Fuzzy Hash: 4a64ff5b06e5e341b473abb9bc2bdd7182ed8da111ba9effa567358a3114916c
                • Instruction Fuzzy Hash: 7521A4712403046BD610FB65DC8AFEFB7ACAF98704F00481FF559A7181EAB8A509877A
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: _memset$_sprintf
                • String ID: %02X
                • API String ID: 891462717-436463671
                • Opcode ID: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
                • Instruction ID: c3235ccac5cd273424cb9b73a8b9e0f10e05fa8943de770f4571b5c3e9b76774
                • Opcode Fuzzy Hash: 3d61b25fa3990800e5a694d7793c27d494b4b6e65897825e99c1223689708875
                • Instruction Fuzzy Hash: 5B11E97225021167D314FA698C93BEE724CAB45704F50453FF541A75C1EF6CB558839E
                APIs
                • _memset.LIBCMT ref: 0042CD00
                • GetOpenFileNameW.COMDLG32 ref: 0042CD51
                  • Part of subcall function 0040FFB0: GetFullPathNameW.KERNEL32(00000000,00000104,C:\Users\user\Desktop\Invoices #645473.exe,?,C:\Users\user\Desktop\Invoices #645473.exe,004A8E80,C:\Users\user\Desktop\Invoices #645473.exe,0040F3D2), ref: 0040FFCA
                  • Part of subcall function 00410130: SHGetMalloc.SHELL32(00000000), ref: 0041013A
                  • Part of subcall function 00410130: SHGetDesktopFolder.SHELL32(?,004A8E80), ref: 00410150
                  • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 00410160
                  • Part of subcall function 00410130: SHGetPathFromIDListW.SHELL32(?,?), ref: 00410197
                  • Part of subcall function 00410130: _wcscpy.LIBCMT ref: 004101AC
                  • Part of subcall function 00410020: GetFullPathNameW.KERNEL32(?,00000104,?,?,?), ref: 00410037
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: NamePath$Full_wcscpy$DesktopFileFolderFromListMallocOpen_memset
                • String ID: $OH$@OH$X
                • API String ID: 3491138722-1394974532
                • Opcode ID: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
                • Instruction ID: e3e81f3fa603e1d093c5df9e9287f390c0398a0e5563e0e16fb911f44c5f658a
                • Opcode Fuzzy Hash: b307b7495d9e484b77ad3edce91dc90ef7c994e26f1a80758083a935cdf7c966
                • Instruction Fuzzy Hash: 2111C2B02043405BC311EF19984175FBBE9AFD5308F14882EF68497292D7FD854DCB9A
                APIs
                • LoadLibraryW.KERNEL32(00000000), ref: 00463DD1
                • GetProcAddress.KERNEL32(?,?), ref: 00463E68
                • GetProcAddress.KERNEL32(?,00000000), ref: 00463E84
                • GetProcAddress.KERNEL32(?,?), ref: 00463ECE
                • FreeLibrary.KERNEL32(?,?,?,00000000,?), ref: 00463EF0
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: AddressProc$Library$FreeLoad
                • String ID:
                • API String ID: 2449869053-0
                • Opcode ID: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                • Instruction ID: 5a5949aabc30296464acd143044f95cbdcafad8a77d2d24e7d672d776762960f
                • Opcode Fuzzy Hash: fa0419033c450d646a7a4ef883371915f5dff59722895d189eba4af2447b2958
                • Instruction Fuzzy Hash: 9051C1752043409FC300EF25C881A5BB7A4FF89305F00456EF945A73A2DB79EE45CBAA
                APIs
                • GetKeyboardState.USER32(?,?,00000001,00000001,?,00000000), ref: 0044C3DA
                • SetKeyboardState.USER32(00000080), ref: 0044C3ED
                • PostMessageW.USER32(00000000,00000105,?,?), ref: 0044C441
                • PostMessageW.USER32(00000000,00000101,?,?), ref: 0044C465
                • SendInput.USER32 ref: 0044C509
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: KeyboardMessagePostState$InputSend
                • String ID:
                • API String ID: 3031425849-0
                • Opcode ID: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
                • Instruction ID: f46f63d78903415e516a46676784f6fcea1caa301ceb581e17347d916cd8316d
                • Opcode Fuzzy Hash: b49b686b41cf8e4dc8898cf8a112ca1a8544ab09a95107e5a7613c5accf95fc9
                • Instruction Fuzzy Hash: DB413B715462446FF760AB24D944BBFBB94AF99324F04061FF9D4122C2D37D9908C77A
                APIs
                • RegEnumKeyExW.ADVAPI32 ref: 004422F0
                • RegOpenKeyExW.ADVAPI32(?,00000000,00000000,?,?), ref: 0044232B
                • RegCloseKey.ADVAPI32(00000000), ref: 0044234E
                • RegDeleteKeyW.ADVAPI32(?,?), ref: 00442390
                • RegEnumKeyExW.ADVAPI32(?,00000000), ref: 004423C0
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Enum$CloseDeleteOpen
                • String ID:
                • API String ID: 2095303065-0
                • Opcode ID: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
                • Instruction ID: 24d8057b763805d248a02a33893b377b1579bd56aab3fff97e90bb3d062a49ad
                • Opcode Fuzzy Hash: 367b6e42355be36f427f5e4c5f923650598af64a8eac08207e4f2af605b886a1
                • Instruction Fuzzy Hash: 0C3150721043056EE210DF94DD84FBF73ECEBC9314F44492EBA9596141D7B8E9098B6A
                APIs
                • GetPrivateProfileSectionW.KERNEL32(00000000,?,?,00007FFF), ref: 0045C2F4
                • GetPrivateProfileSectionW.KERNEL32(00000000,00000003,?,00000003), ref: 0045C31B
                • WritePrivateProfileSectionW.KERNEL32(00000000,00000003,?), ref: 0045C363
                • WritePrivateProfileStringW.KERNEL32(00000000,?,00000000,00000000), ref: 0045C385
                • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 0045C392
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: PrivateProfile$SectionWrite$String
                • String ID:
                • API String ID: 2832842796-0
                • Opcode ID: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                • Instruction ID: eb365ed5c03c4bb3a44f9ddbc5128f2f56e5f8affd5b6ace934fe40af23b551f
                • Opcode Fuzzy Hash: c76cc1094b5fb1fc43fcb7877a7661b5ae667b5fa7796de5023eb6f45200691f
                • Instruction Fuzzy Hash: 00318675240305ABD610DFA1DC85F9BB3A8AF84705F00891DF94497292D7B9E889CB94
                APIs
                • GetClientRect.USER32(?,?), ref: 00447997
                • GetCursorPos.USER32(?), ref: 004479A2
                • ScreenToClient.USER32(?,?), ref: 004479BE
                • WindowFromPoint.USER32(?,?), ref: 004479FF
                • DefDlgProcW.USER32(?,00000020,?,?), ref: 00447A78
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Client$CursorFromPointProcRectScreenWindow
                • String ID:
                • API String ID: 1822080540-0
                • Opcode ID: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                • Instruction ID: e9c1e18ea4fcc9a2ad4b32cd349e8b57ec7287094a91df3c43d19f1875151664
                • Opcode Fuzzy Hash: c356f0f93048ebf3c0a873f2be17aa192b5fb9472fb724aa4a6a449873fe30ba
                • Instruction Fuzzy Hash: DE3188742082029BD710CF19D88596FB7A9EBC8714F144A1EF88097291D778EA57CBAA
                APIs
                • GetWindowRect.USER32(?,?), ref: 00447C1B
                • ScreenToClient.USER32(?,?), ref: 00447C39
                • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00447C4C
                • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00447C93
                • EndPaint.USER32(?,?), ref: 00447CD1
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: ClientPaintRectRectangleScreenViewportWindow
                • String ID:
                • API String ID: 659298297-0
                • Opcode ID: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                • Instruction ID: 653bb342b0117225c29b14224c0e663a7b864e912777eddc33bb147bcfad3e12
                • Opcode Fuzzy Hash: a6d698a2242c6caf7091173c4181dadfabb51550506680b35635a03376f271bc
                • Instruction Fuzzy Hash: 8A3150706043019FE320CF15D9C8F7B7BE8EB89724F044A6EF994873A1D774A8468B69
                APIs
                • GetCursorPos.USER32(?), ref: 004478A7
                • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 004478C3
                • DefDlgProcW.USER32(?,0000007B,?,?,004A83D8,?,004A83D8,?), ref: 004478E7
                • GetCursorPos.USER32(?), ref: 00447935
                • TrackPopupMenuEx.USER32(00000000,00000000,?,?,?,00000000), ref: 0044795B
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CursorMenuPopupTrack$Proc
                • String ID:
                • API String ID: 1300944170-0
                • Opcode ID: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                • Instruction ID: 600148c7f6f0e64f7aba5c2d0a58757112576a5c49d56a392ea253be37485a5b
                • Opcode Fuzzy Hash: 00aabaf84d80e4f8c92fc7d2a6c816b999107077810d41e1d32a7af9c3da8c6b
                • Instruction Fuzzy Hash: 2B31E475244204ABE214DB48DC48FABB7A5FBC9711F14491EF64483390D7B96C4BC779
                APIs
                • GetWindowRect.USER32(?,?), ref: 00438ECC
                • PostMessageW.USER32(00000001,?,00000001,?), ref: 00438F7C
                • Sleep.KERNEL32(00000000), ref: 00438F84
                • PostMessageW.USER32(?,00000202,00000000,?), ref: 00438F95
                • Sleep.KERNEL32(00000000,?,00000202,00000000,?), ref: 00438F9D
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessagePostSleep$RectWindow
                • String ID:
                • API String ID: 3382505437-0
                • Opcode ID: 2ab6e8217c4101ef9f031d568675ad0bf41e28325206932565347c4090b4e9a4
                • Instruction ID: 0163f4fbfa3540aa74b75641586733f0f0ecdd6424bf32d6baecdffd05b1cde8
                • Opcode Fuzzy Hash: 2ab6e8217c4101ef9f031d568675ad0bf41e28325206932565347c4090b4e9a4
                • Instruction Fuzzy Hash: 9B31C032104305AFD300CF68CA88A6BB7E5EBC8314F555A2DF9A497291DB74EC06CB56
                APIs
                • EnableWindow.USER32(004A83D8,00000000), ref: 00448BAB
                • EnableWindow.USER32(004A83D8,00000001), ref: 00448BC1
                • ShowWindow.USER32(004A83D8,00000000,004A83D8,?,?), ref: 00448C37
                • ShowWindow.USER32(004A83D8,00000004,004A83D8), ref: 00448C43
                • EnableWindow.USER32(004A83D8,00000001), ref: 00448C58
                  • Part of subcall function 004413F0: SendMessageW.USER32(?,000000F0,00000000,00000000), ref: 0044140E
                  • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441452
                  • Part of subcall function 004413F0: GetWindowLongW.USER32(?,000000F0), ref: 00441493
                  • Part of subcall function 004413F0: SendMessageW.USER32(02FC1B98,000000F1,00000000,00000000), ref: 004414C6
                  • Part of subcall function 004413F0: SendMessageW.USER32(02FC1B98,000000F1,00000001,00000000), ref: 004414F1
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Window$EnableMessageSend$LongShow
                • String ID:
                • API String ID: 142311417-0
                • Opcode ID: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                • Instruction ID: 53ead31d82dc60d0a1ec6489c26700cf05fac79e8a5bf65a12bf69c5108a1aee
                • Opcode Fuzzy Hash: 63a7105258867651d9446b65671e60b54e1f680e017c4d0f27b0fbeeb6060130
                • Instruction Fuzzy Hash: 942105B07053809BF7148E28C8C47AFB7D0FB95345F08482EF981A6391DBAC9845C72E
                APIs
                • _memset.LIBCMT ref: 0044955A
                  • Part of subcall function 00433A98: _wcspbrk.LIBCMT ref: 00433AAC
                • SendMessageW.USER32(?,00001060,00000000,00000004), ref: 004495B3
                • _wcslen.LIBCMT ref: 004495C1
                • _wcslen.LIBCMT ref: 004495CE
                • SendMessageW.USER32(?,00001060,00000000,?), ref: 004495FF
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend_wcslen$_memset_wcspbrk
                • String ID:
                • API String ID: 1843234404-0
                • Opcode ID: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                • Instruction ID: 2eba0e6ca7bf2f01d6f4dc0284c8cedbdf4c7ea0b5caad0642d64795040b3bc6
                • Opcode Fuzzy Hash: b21334e59b332bdcefcacb45badc01962a29afe58654cc2f886ab9dc01dd4065
                • Instruction Fuzzy Hash: 1821F87260430556E630EB15AC81BFBB3D8EBD0761F10483FEE4081280E67E9959D3AA
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
                • Instruction ID: 4734ce3ce40af5b77ad59fd8baedf6a3e56741e39cc50bb30d89ac3ca2d3bd52
                • Opcode Fuzzy Hash: 43986f9d4d7e017d9aea9f4dce7e52c9963f71054abe4abd36fa420e2ae722de
                • Instruction Fuzzy Hash: 1321E0712006409BCB10EF29D994D6B73A8EF45321B40466EFE5597382DB34EC08CBA9
                APIs
                • IsWindowVisible.USER32(?), ref: 00445721
                • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0044573C
                • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00445773
                • _wcslen.LIBCMT ref: 004457A3
                • CharUpperBuffW.USER32(00000000,00000000), ref: 004457AD
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen
                • String ID:
                • API String ID: 3087257052-0
                • Opcode ID: b8615011704e714012d326b35a72e373024cdcb02b0b49a0115346f3c93ca327
                • Instruction ID: 00e09c3d40749c53521e9302b0eb92bb7bfe2d7d521d01ead8474e6f611d5aec
                • Opcode Fuzzy Hash: b8615011704e714012d326b35a72e373024cdcb02b0b49a0115346f3c93ca327
                • Instruction Fuzzy Hash: FA11E972601741BBF7105B35DC46F5B77CDAF65320F04443AF40AE6281FB69E84583AA
                APIs
                • IsWindow.USER32(00000000), ref: 00459DEF
                • GetForegroundWindow.USER32 ref: 00459E07
                • GetDC.USER32(00000000), ref: 00459E44
                • GetPixel.GDI32(00000000,?,00000000), ref: 00459E4F
                • ReleaseDC.USER32(00000000,00000000), ref: 00459E8B
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Window$ForegroundPixelRelease
                • String ID:
                • API String ID: 4156661090-0
                • Opcode ID: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                • Instruction ID: f25aa70a507d7fb142791e963b89e5313ab4350e7ab13503248c443e15a863bf
                • Opcode Fuzzy Hash: c25ec76bf159445cc401153d518622b926736981535c7bd42fe0b2b106eefd61
                • Instruction Fuzzy Hash: 76219D76600202ABD700EFA5CD49A5AB7E9FF84315F19483DF90597642DB78FC04CBA9
                APIs
                  • Part of subcall function 004647A2: inet_addr.WSOCK32(?), ref: 004647C7
                • socket.WSOCK32(00000002,00000001,00000006,00000000), ref: 00464985
                • WSAGetLastError.WSOCK32(00000000,00000002,00000001,00000006,00000000), ref: 00464993
                • connect.WSOCK32(00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649CD
                • WSAGetLastError.WSOCK32(00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 004649F4
                • closesocket.WSOCK32(00000000,00000000,00000000,00000000,00000000,00000010,00000002,00000001,00000006,00000000), ref: 00464A07
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: ErrorLast$closesocketconnectinet_addrsocket
                • String ID:
                • API String ID: 245547762-0
                • Opcode ID: c11d93ef0e5925fc7b778e12926c76e847d2ba71e7f4531691fb5523561cfb0e
                • Instruction ID: b27d5ee258410aac5bd3077dd9c53ce90635b59006b610d0ec7ee295a05cd03d
                • Opcode Fuzzy Hash: c11d93ef0e5925fc7b778e12926c76e847d2ba71e7f4531691fb5523561cfb0e
                • Instruction Fuzzy Hash: 3211DA712002109BD310FB2AC842F9BB3D8AF85728F04895FF594A72D2D7B9A885875A
                APIs
                • DeleteObject.GDI32(00000000), ref: 00447151
                • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                • SelectObject.GDI32(?,00000000), ref: 004471A2
                • BeginPath.GDI32(?), ref: 004471B7
                • SelectObject.GDI32(?,00000000), ref: 004471DC
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Object$Select$BeginCreateDeletePath
                • String ID:
                • API String ID: 2338827641-0
                • Opcode ID: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                • Instruction ID: ab30216038401830d00444c504d41f25dcbf82a6e2307e0a418987ed8484b610
                • Opcode Fuzzy Hash: f19e52de08adcd67550c2e9faff4417be3cdd69e9125f029607893bae639c511
                • Instruction Fuzzy Hash: 7E2171B18083019FD320CF29AD44A1B7FACF74A724F14052FF654933A1EB789849CB69
                APIs
                • Sleep.KERNEL32(00000000,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043771E
                • QueryPerformanceCounter.KERNEL32(?,?,00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043773C
                • Sleep.KERNEL32(00000000,?,?,?,?,004448B6,0000000F,?), ref: 0043775C
                • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,004448B6,0000000F,?), ref: 00437767
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CounterPerformanceQuerySleep
                • String ID:
                • API String ID: 2875609808-0
                • Opcode ID: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                • Instruction ID: fd8a8a83491f03de43ea78fbc63302b75a2fa5438857304713168bbc83ca9150
                • Opcode Fuzzy Hash: 901ea73111326f2a8af3d8a1217edfde6b6dff748f8bb26d3b0ac17b2ce0a9c5
                • Instruction Fuzzy Hash: EA11A3B64093119BC210EF1ADA88A8FB7F4FFD8765F004D2EF9C462250DB34D5598B9A
                APIs
                • SendMessageW.USER32 ref: 0046FD00
                • SendMessageW.USER32(?,0000104C,00000000,?), ref: 0046FD2E
                • SendMessageW.USER32(?,00001015,?,?), ref: 0046FD4B
                • DestroyIcon.USER32(?), ref: 0046FD58
                • DestroyIcon.USER32(?), ref: 0046FD5F
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend$DestroyIcon
                • String ID:
                • API String ID: 3419509030-0
                • Opcode ID: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                • Instruction ID: ba7c1cc62690e465ab1dcb48fa3e0f79152c3dc78d34179caeeeb49ed344ab69
                • Opcode Fuzzy Hash: a24bc400bf7eaff3d1708451a80103ed5292b50ec6011cebb58ec712c1110a53
                • Instruction Fuzzy Hash: 5F1182B15043449BE730DF14DC46BABB7E8FBC5714F00492EE6C857291D6B8A84A8B67
                APIs
                • __getptd.LIBCMT ref: 004175AE
                  • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
                  • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
                • __amsg_exit.LIBCMT ref: 004175CE
                • __lock.LIBCMT ref: 004175DE
                • InterlockedDecrement.KERNEL32(?), ref: 004175FB
                • InterlockedIncrement.KERNEL32(02FC2CE0), ref: 00417626
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                • String ID:
                • API String ID: 4271482742-0
                • Opcode ID: 9041076209036267701916e3e7e7a5ecd924b858c75713c79b1599e88ef874d9
                • Instruction ID: de548182bd5f57d4f8c9f8a4c79293bfa6802d75d0085d2526eaa3c6a777046b
                • Opcode Fuzzy Hash: 9041076209036267701916e3e7e7a5ecd924b858c75713c79b1599e88ef874d9
                • Instruction Fuzzy Hash: 9401AD31944A11AFC710ABA998497CE7BB0BB11724F0540ABE80063791CB3CA9C1CFEE
                APIs
                • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                • DeleteObject.GDI32(?), ref: 0045564E
                • DeleteObject.GDI32(?), ref: 0045565C
                • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Destroy$DeleteObjectWindow$Icon
                • String ID:
                • API String ID: 4023252218-0
                • Opcode ID: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
                • Instruction ID: d1816f9fa450f538fb043821254e2bd2cfb9ade9207d957631f6d0e9d50691b6
                • Opcode Fuzzy Hash: 187bd120907745c88baacffad0920a9106e1cca1ea6db424662e0a83cd01c53e
                • Instruction Fuzzy Hash: 05015E70300605ABCB20DF65D9D4B2B77A8BF14712B50452AFD04D7346EB38EC48CB69
                APIs
                • GetDlgItem.USER32(?,000003E9), ref: 00460342
                • GetWindowTextW.USER32(00000000,00000100,00000100), ref: 00460357
                • MessageBeep.USER32(00000000), ref: 0046036D
                • KillTimer.USER32(?,0000040A), ref: 00460392
                • EndDialog.USER32(?,00000001), ref: 004603AB
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: BeepDialogItemKillMessageTextTimerWindow
                • String ID:
                • API String ID: 3741023627-0
                • Opcode ID: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
                • Instruction ID: 48c257e0c270193328064fa19c5b46d6a870d8092b70dfec968bdaebd9a60f08
                • Opcode Fuzzy Hash: 5e0545b8da8baa7cb8324f4116d33f6edaa60507eab9176a587cebaf75a8c25b
                • Instruction Fuzzy Hash: BE018831500300A7E7209B54DE5DBDB77A8BF44B05F00492EB681A25D0E7F8A584CB55
                APIs
                • SendMessageW.USER32(?,00001101,00000000,?), ref: 00455514
                • DeleteObject.GDI32(?), ref: 0045564E
                • DeleteObject.GDI32(?), ref: 0045565C
                • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: DeleteDestroyObject$IconMessageSendWindow
                • String ID:
                • API String ID: 1489400265-0
                • Opcode ID: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
                • Instruction ID: 68d82c845863845e83b9d92669df32d5d1b96a6c2c0272d07869f65424c05900
                • Opcode Fuzzy Hash: fb8346e1cf28bbdc4ad062342734fe1bacbf25b41774fd01ae6266dc65fad9d1
                • Instruction Fuzzy Hash: D9014F703006419BDB10EF65DED8A2A73A9FB44712B40455AFE05DB286DB78EC49CB68
                APIs
                  • Part of subcall function 0043343D: InvalidateRect.USER32(?,00000000,00000001), ref: 004334BE
                • DestroyWindow.USER32(?,?,?,?,?), ref: 00455640
                • DeleteObject.GDI32(?), ref: 0045564E
                • DeleteObject.GDI32(?), ref: 0045565C
                • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Destroy$DeleteObjectWindow$IconInvalidateRect
                • String ID:
                • API String ID: 1042038666-0
                • Opcode ID: 920ee65d6839c6288c76afce6441748d32e1b72318fe83d584ccefe2da360159
                • Instruction ID: 707d1f3050e1f0ff98422ce5efa9f9a4d3559fdafbc0a23101ed238e91bf2869
                • Opcode Fuzzy Hash: 920ee65d6839c6288c76afce6441748d32e1b72318fe83d584ccefe2da360159
                • Instruction Fuzzy Hash: B2014B702006419BCB10AF65D9C8A2A33ACAF19322780456AFD05D7242DB28EC498B79
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Path$ObjectStroke$DeleteFillSelect
                • String ID:
                • API String ID: 2625713937-0
                • Opcode ID: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
                • Instruction ID: 1b0d13c7bbaa275692c81ef4a4760df4fcf6218f807946f7e03cce85d1463269
                • Opcode Fuzzy Hash: a89ec47609df172868659220a46891f09f78d761c189f4b7bb4a315096e7830c
                • Instruction Fuzzy Hash: F7F0A4751052019BD7508F18EC0C70E7FA8FB4F325F04462EEA19932E0DB781546CBAD
                APIs
                  • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
                • ___set_flsgetvalue.LIBCMT ref: 004140E1
                  • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                  • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                  • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                • ___fls_getvalue@4.LIBCMT ref: 004140EC
                  • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                • ___fls_setvalue@8.LIBCMT ref: 004140FF
                  • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                • GetLastError.KERNEL32(00000000,?,00000000), ref: 00414108
                • ExitThread.KERNEL32 ref: 0041410F
                • GetCurrentThreadId.KERNEL32 ref: 00414115
                • __freefls@4.LIBCMT ref: 00414135
                • __IsNonwritableInCurrentImage.LIBCMT ref: 00414148
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Value$CurrentThread__decode_pointer$ErrorExitImageLastNonwritable___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                • String ID:
                • API String ID: 132634196-0
                • Opcode ID: dbe0df41a3d89f03eebcd77cedb8c7fbd95cde8327ee68e759feca9a6a87dff2
                • Instruction ID: c6f54ac6c47f72d6c6be617d0ab0d95393642b3a08ca47198428750b18cc63fb
                • Opcode Fuzzy Hash: dbe0df41a3d89f03eebcd77cedb8c7fbd95cde8327ee68e759feca9a6a87dff2
                • Instruction Fuzzy Hash: EFE0B6318012096B8F0177F28E2A8DF3A2DAD56799B12842EBF10A3112DA6DD9D147AD
                APIs
                • __IsNonwritableInCurrentImage.LIBCMT ref: 00415610
                  • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
                • __getptd_noexit.LIBCMT ref: 00415620
                • CloseHandle.KERNEL32(?,?,0041566B), ref: 00415634
                • __freeptd.LIBCMT ref: 0041563B
                • ExitThread.KERNEL32 ref: 00415643
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CloseCurrentExitFindHandleImageNonwritableSectionThread__freeptd__getptd_noexit
                • String ID:
                • API String ID: 3798957060-0
                • Opcode ID: d3b08fe511e09ca6ea2d918a54b62a74066439bca0a0e456eaad9824bd7e2a02
                • Instruction ID: 5ad9b57b40d8b41da6f03c32f2a15b2799e0bbfe2e5ad1689210a27a588f1b2a
                • Opcode Fuzzy Hash: d3b08fe511e09ca6ea2d918a54b62a74066439bca0a0e456eaad9824bd7e2a02
                • Instruction Fuzzy Hash: 29E01A31501A1197C2212BB9AC097DE3255AF01F36F944A6EF81A952A0DB6CD98147AD
                APIs
                  • Part of subcall function 00411A35: _doexit.LIBCMT ref: 00411A41
                • ___set_flsgetvalue.LIBCMT ref: 00415690
                  • Part of subcall function 00416A84: TlsGetValue.KERNEL32(00411739,00416C10,?,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416A8D
                  • Part of subcall function 00416A84: __decode_pointer.LIBCMT ref: 00416A9F
                  • Part of subcall function 00416A84: TlsSetValue.KERNEL32(00000000,00411739,00417F28,00413979,?,?,00411739,?,00401C0B), ref: 00416AAE
                • ___fls_getvalue@4.LIBCMT ref: 0041569B
                  • Part of subcall function 00416A64: TlsGetValue.KERNEL32(?,?,004140F1,00000000), ref: 00416A72
                • ___fls_setvalue@8.LIBCMT ref: 004156AD
                  • Part of subcall function 00416AB8: __decode_pointer.LIBCMT ref: 00416AC9
                • GetLastError.KERNEL32(00000000,?,00000000), ref: 004156B6
                • ExitThread.KERNEL32 ref: 004156BD
                • __freefls@4.LIBCMT ref: 004156D9
                • __IsNonwritableInCurrentImage.LIBCMT ref: 004156EC
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Value$__decode_pointer$CurrentErrorExitImageLastNonwritableThread___fls_getvalue@4___fls_setvalue@8___set_flsgetvalue__freefls@4_doexit
                • String ID:
                • API String ID: 1537469427-0
                • Opcode ID: 99715b5f8e2ff19c7b8f3a2e2e0a417857e73ed83bc070766e6b29f9400adc7a
                • Instruction ID: 6f4b581ce684dac4bce1a6396b1ab204a3b2196504341234b7a244e47b3a25b0
                • Opcode Fuzzy Hash: 99715b5f8e2ff19c7b8f3a2e2e0a417857e73ed83bc070766e6b29f9400adc7a
                • Instruction Fuzzy Hash: 83E0E6308003096BCF0037F29E1A9DF392DAD41389B52841E7E14B2122DE6DD9D1466D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: _malloc
                • String ID: Default$|k
                • API String ID: 1579825452-2254895183
                • Opcode ID: becd5b91230c6b3cce4541e76e7ed3885ca0e1da08972e6e30288734a84e99a9
                • Instruction ID: 39a525bc613f0e7e9485e4ea944b13d532e73913c0a35fc25f8fa2b96209a7b9
                • Opcode Fuzzy Hash: becd5b91230c6b3cce4541e76e7ed3885ca0e1da08972e6e30288734a84e99a9
                • Instruction Fuzzy Hash: 51F19F706083018BD714DF25C484A6BB7E5AF85314F64886FF885AB392D738EC55CB9B
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: _memcmp
                • String ID: '$[$h
                • API String ID: 2931989736-1224472061
                • Opcode ID: b65a2ba19e68ffe8a11284d2d069350b2f2ae6a9059e42b54d6f98484e49560c
                • Instruction ID: c2eec353cbd26a418970a1643da97c958d9efd09d44d369c5aec2a2e92b02032
                • Opcode Fuzzy Hash: b65a2ba19e68ffe8a11284d2d069350b2f2ae6a9059e42b54d6f98484e49560c
                • Instruction Fuzzy Hash: EBE1B3756083858FE725CF28C8807ABBBE1FFC9304F18896EE89587341D7799849CB56
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: _strncmp
                • String ID: >$R$U
                • API String ID: 909875538-1924298640
                • Opcode ID: 83caccdc30ebaedd60eda3635d3ed4fa95617b34971efb7504fa10d53abc7e5a
                • Instruction ID: f6794502b7c89560a677b30a08de70cb8bc1b17d125f16f135907c58c8460d8d
                • Opcode Fuzzy Hash: 83caccdc30ebaedd60eda3635d3ed4fa95617b34971efb7504fa10d53abc7e5a
                • Instruction Fuzzy Hash: 46E19C745083818FEB25CF29C49076BBBE1EFD9304F28496EE89587381D378E849CB56
                APIs
                  • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                • CoInitialize.OLE32(00000000), ref: 0046CE18
                • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
                • CoUninitialize.OLE32 ref: 0046CE50
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CreateInitializeInstanceUninitialize_wcslen
                • String ID: .lnk
                • API String ID: 886957087-24824748
                • Opcode ID: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
                • Instruction ID: 09ec1e36491b9dee8eccbfa157b0fc1a83632a56aae6c10d58f94140378ad3aa
                • Opcode Fuzzy Hash: cf95cfa125c39178dc1728bd48ca6ee468afe444b27fb378bb5b47a8cf5920ff
                • Instruction Fuzzy Hash: D3A1ABB5A042019FC704EF64C980E6BB7E9EF88714F14895EF8849B392D735EC45CBA6
                Strings
                • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00469C37
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: _wcslen
                • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                • API String ID: 176396367-557222456
                • Opcode ID: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
                • Instruction ID: 5ec49088f7a0f5eff408c40ec761cfb1cab3d77d8e9f1d748350f88cc39ab646
                • Opcode Fuzzy Hash: 6ed3ee7040cf52f7c8cf58c24b37417f7719ae2cfab6dfb5b0d2deafceea8a2b
                • Instruction Fuzzy Hash: 2C818F715183009FC310EF65C88186BB7E8AF85714F408A2FF5959B2A2E778ED45CB9B
                APIs
                  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                • VariantInit.OLEAUT32(00000000), ref: 0042D2E0
                • VariantCopy.OLEAUT32(?,?), ref: 0042D2EE
                • VariantClear.OLEAUT32(00000000), ref: 0042D2FF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Variant$ClearCopyInit_malloc
                • String ID: 4RH
                • API String ID: 2981388473-749298218
                • Opcode ID: 0ecc23cf10d45d221d402e646a959f016f56f7df0d424eb76d23c0d4b9967ba2
                • Instruction ID: 2430bd0654d197d786bc988f6f01769df72c779a088326c60667d263ff95ce9f
                • Opcode Fuzzy Hash: 0ecc23cf10d45d221d402e646a959f016f56f7df0d424eb76d23c0d4b9967ba2
                • Instruction Fuzzy Hash: CC913874A083519FC720CF29D480A1AB7E1FF89304F64892EE999DB351D774EC85CB96
                APIs
                  • Part of subcall function 0040FFF0: _wcslen.LIBCMT ref: 0040FFF2
                  • Part of subcall function 0040FFF0: _wcscpy.LIBCMT ref: 00410012
                • __wcsnicmp.LIBCMT ref: 0046681A
                • WNetUseConnectionW.MPR(00000000,?,00000000,?,00000000,?,00000000,?), ref: 004668B9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Connection__wcsnicmp_wcscpy_wcslen
                • String ID: LPT$HH
                • API String ID: 3035604524-2728063697
                • Opcode ID: 4168d29b7d0848dc605f9ce781fdb6688c60699af114ee795911c582be7b9077
                • Instruction ID: 32c7950bcbaa764ae6d62266904c1b9f72d26d84b6ae022b5f72856ccecd4d84
                • Opcode Fuzzy Hash: 4168d29b7d0848dc605f9ce781fdb6688c60699af114ee795911c582be7b9077
                • Instruction Fuzzy Hash: 2151D5B16043009FC720EF65C881B1BB7E5AF85704F11491EFA859B382E779ED49C79A
                APIs
                  • Part of subcall function 004374AF: WriteProcessMemory.KERNEL32(?,?,00000000,00000000,00000000,?,00461142,?), ref: 004374E2
                • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00438AB8
                  • Part of subcall function 00437472: ReadProcessMemory.KERNEL32(?,00000000,00000000,?,00000000,00000000,00460C33,?,00000000,?,00000202), ref: 004374A5
                • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00438B2F
                • SendMessageW.USER32(00000000,00001111,00000000,00000000), ref: 00438BAF
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend$MemoryProcess$ReadWrite
                • String ID: @
                • API String ID: 4055202900-2766056989
                • Opcode ID: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
                • Instruction ID: 682097a2b5231093ce935cfc9f6f49684b756042c0be5430c67da702d62f7190
                • Opcode Fuzzy Hash: 95f302c56ad406a71ba46a757bfca5032ac46bd5be6e99a0861c43b96ce9d769
                • Instruction Fuzzy Hash: E6518FB2208304ABD310DB64CC81FEFB7A9EFC9714F04591EFA8597181D678F9498B66
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CrackInternet_memset_wcslen
                • String ID: |
                • API String ID: 915713708-2343686810
                • Opcode ID: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
                • Instruction ID: 59fb16093b155e5aebf0565036b17e76eaaa1a90c891d08183ce313382d628e9
                • Opcode Fuzzy Hash: 49a329c21d3e2b60aa9c34259f3774bde857317d5b4f329263fe64f76368b085
                • Instruction Fuzzy Hash: AE417EB2754301ABD204EF69DC81B9BF7E8FB88714F00052EF64593290DB75E909CBA6
                APIs
                • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 0044A7FE
                • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0044A851
                • HttpQueryInfoW.WININET ref: 0044A892
                  • Part of subcall function 0044286A: GetLastError.KERNEL32(00000000,0044AA07,?,00000000,00000000,00000001,?,?), ref: 00442880
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Http$ErrorInfoInternetLastOpenQueryRequestSend
                • String ID:
                • API String ID: 3705125965-3916222277
                • Opcode ID: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
                • Instruction ID: e2ea4e726a01332d61d4ddbc0b4be6fd5f15ca60b5c099a75bcf819f780d651a
                • Opcode Fuzzy Hash: 978b0a3adb57e12b693652f0a59e9f67067917ae502be6042813f4078819ed5c
                • Instruction Fuzzy Hash: F431C6B56813416BE320EB16DC42F9FB7E8EFD9714F00091FF65057281D7A8A50D876A
                APIs
                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00450A84
                • GetWindowLongW.USER32(?,000000F0), ref: 00450AA2
                • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00450AB3
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Window$Long
                • String ID: SysTreeView32
                • API String ID: 847901565-1698111956
                • Opcode ID: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
                • Instruction ID: 1ec52148e0427fd314aa46f8515fbaae5756f8dde681787cc4d1a4a364837cef
                • Opcode Fuzzy Hash: 8beaa76caf08e9d8622144d4cb1fe8de975b1c4a0fa94bb7914df260c0b4a9df
                • Instruction Fuzzy Hash: 9831E670244301AFE710DB64CC84B6BB3E8EF98325F104A1EF9A5932D1D7B8AD85CB25
                APIs
                • LoadLibraryA.KERNEL32(?), ref: 00437CB2
                • GetProcAddress.KERNEL32(?,AU3_GetPluginDetails), ref: 00437D26
                • FreeLibrary.KERNEL32(?,?,AU3_GetPluginDetails), ref: 00437D3D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Library$AddressFreeLoadProc
                • String ID: AU3_GetPluginDetails
                • API String ID: 145871493-4132174516
                • Opcode ID: e60d032cda8e07fae4321829b238a90b33a1110472f30aca6681d3aeba7a8f27
                • Instruction ID: 909018a8305b4cb0ce841e730e5bf8c258fddf5044228ae68d4d210ccee2088c
                • Opcode Fuzzy Hash: e60d032cda8e07fae4321829b238a90b33a1110472f30aca6681d3aeba7a8f27
                • Instruction Fuzzy Hash: 054147B96042019FC314DF68D8C4D5AF3E5FF8D304B20866EE9568B751DB35E802CB96
                APIs
                • DestroyWindow.USER32(00000000,004A83D8,00000000,?,?), ref: 00450C60
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: DestroyWindow
                • String ID: msctls_updown32
                • API String ID: 3375834691-2298589950
                • Opcode ID: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
                • Instruction ID: 6a1e1189e42626fde14bc74b9d87f1f450c181bb0fe7a510af516aef360d3f61
                • Opcode Fuzzy Hash: 2a2b7300f3f0896f723b2acc27284ae87319393b418436251cb0663837fc8f9c
                • Instruction Fuzzy Hash: CE31A279300201AFD624DF54DC81F5B73A9EB9A714F20451EF640AB382C7B4AC4ACB6A
                APIs
                • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 0045122A
                • SendMessageW.USER32(00000000,00000186,00000000,00000000), ref: 00451238
                • MoveWindow.USER32(?,?,00000000,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 0045125D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend$MoveWindow
                • String ID: Listbox
                • API String ID: 3315199576-2633736733
                • Opcode ID: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
                • Instruction ID: bfe1e9b3800f224edd0053b2d0d87a77da448e7bf5b17050dc61905274d7532a
                • Opcode Fuzzy Hash: ec94c338bdc408a6213732be15a93177a4dce0f95fa1299e59073e0341a0244e
                • Instruction Fuzzy Hash: E421D3712043047BE6209A65DC81F6BB3E8EBCD735F104B1EFA60A72D1C675EC458729
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 0045D243
                • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D2C7
                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D30C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: ErrorMode$InformationVolume
                • String ID: HH
                • API String ID: 2507767853-2761332787
                • Opcode ID: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
                • Instruction ID: 4a708fd112bc3492f79fb502a293ca5b83a6a9b53d4ab80d782c21126568c1ab
                • Opcode Fuzzy Hash: 10a78899cac0a24ca5bd241ff5c46140465ea67f957306f93882c0fc43b3d187
                • Instruction Fuzzy Hash: 622148756083019FC310EF55D944A6BB7E4FF88704F40882EFA45972A2D774E909CB5A
                APIs
                • SetErrorMode.KERNEL32(00000001), ref: 0045D44A
                • GetVolumeInformationW.KERNEL32(?,?,000000FF,?,?,?,?,000000FF,?), ref: 0045D4CE
                • SetErrorMode.KERNEL32(?,00000001,00000000), ref: 0045D502
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: ErrorMode$InformationVolume
                • String ID: HH
                • API String ID: 2507767853-2761332787
                • Opcode ID: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
                • Instruction ID: 8e4373afe1f51974a95c06a3ae407364d3098df30383bdf5f9e51316f0e0b5c8
                • Opcode Fuzzy Hash: a403ffe69dae12f4374470e721856d745e9457d8bcd1b2c0f65575075c8e6c3b
                • Instruction Fuzzy Hash: 902137756083019FC314EF55D944A5AB7E8FF88710F40882EFA49972A2D778E909CB9A
                APIs
                • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00450D74
                • SendMessageW.USER32(00000000,00000406,00000000,00640000), ref: 00450D8A
                • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00450D98
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: msctls_trackbar32
                • API String ID: 3850602802-1010561917
                • Opcode ID: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                • Instruction ID: c83169f0c5ec68c29a3e9aa847b4a28030a04f73c00385235601d1c9d4ce90e2
                • Opcode Fuzzy Hash: e14717e3cb06623c4553287ca90ea840a6fcf4d017620d4062bb11778db8dfcd
                • Instruction Fuzzy Hash: 4F1193717403117BE610CAA8DC81F5B73E8AB98B25F204A1AFA50A72C1D2B4FC458B68
                APIs
                  • Part of subcall function 0045EFE7: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0047D14B,?,?,?,?), ref: 0045F003
                • gethostbyname.WSOCK32(?,00000000,?,?), ref: 0046BD78
                • WSAGetLastError.WSOCK32(00000000,?,?,00000000,?,?), ref: 0046BD83
                • inet_ntoa.WSOCK32(00000000,?), ref: 0046BDCD
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: ByteCharErrorLastMultiWidegethostbynameinet_ntoa
                • String ID: HH
                • API String ID: 1515696956-2761332787
                • Opcode ID: 536d88bcd2219f00ee4950b39be395ae06382d48515621a82e1548501abb3963
                • Instruction ID: 2fad99cf3c45da3a785a9a513efbde0c8943f1fdc9598a344110207fd9df59bd
                • Opcode Fuzzy Hash: 536d88bcd2219f00ee4950b39be395ae06382d48515621a82e1548501abb3963
                • Instruction Fuzzy Hash: E21142765043006BC744FB66D885D9FB3A8AFC4318F448C2EF945A7242DA39E949876A
                APIs
                  • Part of subcall function 00442C52: _wcslen.LIBCMT ref: 00442C82
                • CoInitialize.OLE32(00000000), ref: 0046CE18
                • CoCreateInstance.OLE32(00482A50,00000000,00000001,004828B0,?), ref: 0046CE31
                • CoUninitialize.OLE32 ref: 0046CE50
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CreateInitializeInstanceUninitialize_wcslen
                • String ID: .lnk
                • API String ID: 886957087-24824748
                • Opcode ID: 8095c6d59d69238af541582e7c79e2891b33013a97e816c4c493b562f1f8ea66
                • Instruction ID: 634f95a1702cd93f148e07eb64efb4b351689d97c5b229aafe37579347e0b37e
                • Opcode Fuzzy Hash: 8095c6d59d69238af541582e7c79e2891b33013a97e816c4c493b562f1f8ea66
                • Instruction Fuzzy Hash: E821AF312083009FC700EF55C985F5ABBF4EF89724F148A6EF9549B2E2D7B5A805CB56
                APIs
                  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                • GetMenuItemInfoW.USER32 ref: 004497EA
                • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00449817
                • DrawMenuBar.USER32 ref: 00449828
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Menu$InfoItem$Draw_malloc
                • String ID: 0
                • API String ID: 772068139-4108050209
                • Opcode ID: c8976dca06d6b4a67e3115e3fbda4fe950bcb9b91ddbb3afb2d21d0cb6793a10
                • Instruction ID: 895394c4ac3d8cdb9511dba433443d5742fa96e32f07ab63668b9f5a94eb31d1
                • Opcode Fuzzy Hash: c8976dca06d6b4a67e3115e3fbda4fe950bcb9b91ddbb3afb2d21d0cb6793a10
                • Instruction Fuzzy Hash: 941182B16042009BF730EB55EC96FABB7A8FB91714F00452EE648CA281DB7A9445CB76
                APIs
                • GetModuleHandleA.KERNEL32(KERNEL32,0041AEF9), ref: 00424F4C
                • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00424F5C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmpDownload File
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmpDownload File
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: AddressHandleModuleProc
                • String ID: IsProcessorFeaturePresent$KERNEL32
                • API String ID: 1646373207-3105848591
                • Opcode ID: e8a2c195ee76dfd59a84a35b1cdf9e15a3b06e47dea4a5400648535d534bf17f
                • Instruction ID: 69bd3651b8917f7fc34e3109133611cda39c57594410afc054872b2319d2a534
                • Opcode Fuzzy Hash: e8a2c195ee76dfd59a84a35b1cdf9e15a3b06e47dea4a5400648535d534bf17f
                • Instruction Fuzzy Hash: F7F03030A00A19D2DB006FB1FE1A66F7AB5FBC0B43F920895E591A0084DFB58571838A
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: AllocTask_wcslen
                • String ID: hkG
                • API String ID: 2651040394-3610518997
                • Opcode ID: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                • Instruction ID: 372044899b15e8c53ead78f1c779643819f92c4817f04f111663958edd7e2adf
                • Opcode Fuzzy Hash: 13332cee77e5ed885d7d4fc6bfcacd5b22b96a16ce8d99b05f9432ebd764b12e
                • Instruction Fuzzy Hash: DCE065736442225B97506A79AC045CBA7D8AFB0370B15482BF880E7310E278E89643E5
                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll), ref: 0043417A
                • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0043418C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: GetSystemWow64DirectoryW$kernel32.dll
                • API String ID: 2574300362-1816364905
                • Opcode ID: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
                • Instruction ID: 1a9860a365f0c849ce8c10f1c40c5c80f9dda93506fd3415c38c98a37cde1a5a
                • Opcode Fuzzy Hash: 58df7aafb5ba6d6c6a2aff3317d08040102bec91f6a73b36e13bbbd5fede489a
                • Instruction Fuzzy Hash: F9D05EB1440B039FCB109FA0D80C64BB6E4AB64301F148C2EF885B2654D7B8E8C0CBA8
                APIs
                • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434466,?,?,00464B68,?,?,?,?,?,00000000,?,?,00000101,?), ref: 004343DE
                • GetProcAddress.KERNEL32(00000000,IcmpSendEcho), ref: 004343F0
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: ICMP.DLL$IcmpSendEcho
                • API String ID: 2574300362-58917771
                • Opcode ID: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
                • Instruction ID: bde82dd314f67bb94adb8237e566b22d9cd50c1f3059090bebd97951f1ce1dc3
                • Opcode Fuzzy Hash: 4b46215cfc07257f28131f0af9bcf44c57d27cd5d24dcd7dc697cbf0f45d51b4
                • Instruction Fuzzy Hash: C9D017B45043039BD7105B21D80874A76E4AF58310F118C2FF881E2250CBBCE8808B79
                APIs
                • LoadLibraryA.KERNEL32(ICMP.DLL,?,0043447D,?,?,00464B56,?,?,?,?,00000000,?,?,00000101,?,?), ref: 0043440D
                • GetProcAddress.KERNEL32(00000000,IcmpCloseHandle), ref: 0043441F
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: ICMP.DLL$IcmpCloseHandle
                • API String ID: 2574300362-3530519716
                • Opcode ID: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
                • Instruction ID: 815a2f2ef77883dfca24b23846b24e776c3b140ddfaf16f0983d17b56328066b
                • Opcode Fuzzy Hash: 42f9b5773da98e9266fb1162e4ae0909fe6bfc7ac22b46aa183d999fe3c035a4
                • Instruction Fuzzy Hash: 9FD017B04443129AD7106B64D80874A76E4AB68302F129C3FF881A2660C7BCA8808B39
                APIs
                • LoadLibraryA.KERNEL32(ICMP.DLL,?,00434494,?,?,00464A94,?), ref: 0043443C
                • GetProcAddress.KERNEL32(00000000,IcmpCreateFile), ref: 0043444E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                 • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                 • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: ICMP.DLL$IcmpCreateFile
                • API String ID: 2574300362-275556492
                • Opcode ID: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
                • Instruction ID: c247b13c068300da1972229949477068df6ba5342f41feac8fae2a533bc96115
                • Opcode Fuzzy Hash: aa837af65d1bad252c0530eb36f48db089182c3e5c3795977f5f1506c5c05052
                • Instruction Fuzzy Hash: 97D017B04043029ADB105B60D90875A77E4AB68300F118C7FF9A1A2250C7BCA8808B29
                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,0040E551,?), ref: 0040EE7B
                • GetProcAddress.KERNEL32(00000000,IsWow64Process), ref: 0040EE8D
                Strings
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: IsWow64Process$kernel32.dll
                • API String ID: 2574300362-3024904723
                • Opcode ID: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
                • Instruction ID: 75875fa2f3f8b89ed4c8cde0d061cde3839b728dd3838c322d7dfd2ddbff31fa
                • Opcode Fuzzy Hash: 16a412f97595c511ed2c9e877c1bae7dd0f808d0cf5b3a9fdd28adcf59ee176d
                • Instruction Fuzzy Hash: 51D0C9B0940707DAC7301F72C91871B7AE4AB40342F204C3EB995A1290DBBCC0408B28
                APIs
                • LoadLibraryA.KERNEL32(kernel32.dll,0040E5BF,?), ref: 0040EEEB
                • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0040EEFD
                Strings
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: GetNativeSystemInfo$kernel32.dll
                • API String ID: 2574300362-192647395
                • Opcode ID: 58ac1dddc1eea1967b9e3df612208a50857473a21dbb81c427901d39c1ebcba1
                • Instruction ID: 788ba9bdae5bc0ddad915f4d08bdcf590d5e3b2ea1e3da194f5c7121584c3133
                • Opcode Fuzzy Hash: 58ac1dddc1eea1967b9e3df612208a50857473a21dbb81c427901d39c1ebcba1
                • Instruction Fuzzy Hash: ABD0C9B0944703AAC7311F72C91C70A7AE4AB40341F204C3EB996E1691DBBCC0508B2C
                APIs
                Similarity
                • API ID: ClearVariant
                • String ID:
                • API String ID: 1473721057-0
                • Opcode ID: d2d12c55b876e5fa1efbcf51686f09b2c55b87fd727dd21d929d390e382c4fef
                • Instruction ID: 4e1e522645e86f73b8885f2d86dba7d443b77ce6b8f7ad4508257b27d10f8221
                • Opcode Fuzzy Hash: d2d12c55b876e5fa1efbcf51686f09b2c55b87fd727dd21d929d390e382c4fef
                • Instruction Fuzzy Hash: 3DD18D746003018FD724DF25D484A26B7E1EF49704F64887EE9899B3A1D739EC92CB9A
                APIs
                • SendMessageW.USER32(00000000,0000110A,00000004,?), ref: 00468F7C
                • __itow.LIBCMT ref: 00468FBD
                  • Part of subcall function 004610CB: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0046114D
                • SendMessageW.USER32(00000000,0000110A,00000001,?), ref: 00469038
                • __itow.LIBCMT ref: 0046909F
                Similarity
                • API ID: MessageSend$__itow
                • String ID:
                • API String ID: 3379773720-0
                • Opcode ID: 6e47951fcf4712585c244f1dfe2b28078b4dd7be5086c6a9f29add8b9ffa0b86
                • Instruction ID: 3271f2b780b50099ef266a7e1ca8c19dfe2923c7f184821f87219ee34da58f28
                • Opcode Fuzzy Hash: 6e47951fcf4712585c244f1dfe2b28078b4dd7be5086c6a9f29add8b9ffa0b86
                • Instruction Fuzzy Hash: C441A571604300ABD624EF55D941FAF73E8AF88714F00091EFA8567281EB79AD09C76B
                APIs
                • __flush.LIBCMT ref: 00414630
                • __fileno.LIBCMT ref: 00414650
                • __locking.LIBCMT ref: 00414657
                • __flsbuf.LIBCMT ref: 00414682
                  • Part of subcall function 00417F23: __getptd_noexit.LIBCMT ref: 00417F23
                  • Part of subcall function 00417EBB: __decode_pointer.LIBCMT ref: 00417EC6
                Similarity
                • API ID: __decode_pointer__fileno__flsbuf__flush__getptd_noexit__locking
                • String ID:
                • API String ID: 3240763771-0
                • Opcode ID: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
                • Instruction ID: ec1a4dff6c5341ad57a53ba98b0f539b864df2cc4a0ba96fecd891c5d8a4160d
                • Opcode Fuzzy Hash: da881668a639e25d03d88a6d97948a76b4f19f87a827f6f9fc91a47de182ffa5
                • Instruction Fuzzy Hash: 4841A571A00605ABDB249FA5C9445DFB7B6EFC1328F28852FE41997280D77CDEC18B48
                APIs
                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                • VariantCopy.OLEAUT32(?,?), ref: 00478259
                • VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                • VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                Similarity
                • API ID: CopyVariant$ErrorLast
                • String ID:
                • API String ID: 2286883814-0
                • Opcode ID: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
                • Instruction ID: 2d87100fc18953c9afe9b7e879878e48daa4ef19e0256d9a4550ae3fa38499cf
                • Opcode Fuzzy Hash: 5518b7b53ef3ca50261af568c513a59c65815d8cf0fffae25230fe941ba47538
                • Instruction Fuzzy Hash: 5F517C751543409FC310DF69C880A9BBBE4FF88314F448A6EF9499B352DB39E909CB99
                APIs
                • socket.WSOCK32(00000002,00000002,00000011), ref: 00474068
                • WSAGetLastError.WSOCK32(00000000,00000002,00000002,00000011), ref: 00474076
                • #21.WSOCK32 ref: 004740E0
                • WSAGetLastError.WSOCK32(00000000), ref: 004740EB
                Similarity
                • API ID: ErrorLast$socket
                • String ID:
                • API String ID: 1881357543-0
                • Opcode ID: 34147ac461a0e284a181aa69957adffe558344c6371ca04fba36d93f3b76d486
                • Instruction ID: ff1742a21ceaee7448286ece46cbaad1fa76dded649dcd1b12ff87c083dae87e
                • Opcode Fuzzy Hash: 34147ac461a0e284a181aa69957adffe558344c6371ca04fba36d93f3b76d486
                • Instruction Fuzzy Hash: 7641D9717403006AE720BF6ADC47F5672C89B54B18F14496EF648BF2C3D6FAA881869C
                APIs
                • ClientToScreen.USER32(00000000,?), ref: 00441CDE
                • GetWindowRect.USER32(?,?), ref: 00441D5A
                • PtInRect.USER32(?,?,?), ref: 00441D6F
                • MessageBeep.USER32(00000000), ref: 00441DF2
                Similarity
                • API ID: Rect$BeepClientMessageScreenWindow
                • String ID:
                • API String ID: 1352109105-0
                • Opcode ID: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
                • Instruction ID: 11ad13a84751b34e4f8a983c71a6a29643224e7bbeba0240db3aabd8edeb2108
                • Opcode Fuzzy Hash: f335056d542ece3fcaf1afd85692f97af485635a3f9ffa8235448c3f06d12885
                • Instruction Fuzzy Hash: E64192B5A042418FE710DF18D884AABB7E5FFC9311F18866FE8518B360D734AC85CBA5
                APIs
                • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 0042387E
                • __isleadbyte_l.LIBCMT ref: 004238B2
                • MultiByteToWideChar.KERNEL32(?,00000009,00000002,?,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 004238E3
                • MultiByteToWideChar.KERNEL32(?,00000009,00000002,00000001,00000000,00000000,?,?,?,00000000,00000002,00000000), ref: 00423951
                Similarity
                • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                • String ID:
                • API String ID: 3058430110-0
                • Opcode ID: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
                • Instruction ID: 550681b3841f0f34ee613cb5364b25607849a03987ccfca5eaaec14299199b49
                • Opcode Fuzzy Hash: f131ee11c0d220cb2dc6b3da44158834730645c68ebbd2a61d5b0c3ed448205f
                • Instruction Fuzzy Hash: A931C270B00265EFDB20EF64D8849AA7BF5EF01312B9445AAF0A09F291D338CE81CB55
                APIs
                • CreateHardLinkW.KERNEL32(00000000,?,00000000,?,00000000), ref: 0045D10A
                • GetLastError.KERNEL32(?,00000000), ref: 0045D12B
                • DeleteFileW.KERNEL32(00000000,?), ref: 0045D14C
                • CreateHardLinkW.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0045D16A
                Similarity
                • API ID: CreateHardLink$DeleteErrorFileLast
                • String ID:
                • API String ID: 3321077145-0
                • Opcode ID: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
                • Instruction ID: 240381fd0e223f31e6bb83dc4f900fe278965bce5f9bbaa9f824fb1079ab41c9
                • Opcode Fuzzy Hash: 7cd5f2a63614e36a101d3a24e32b13d83311d412b7f68151a30e37c1c693f1dc
                • Instruction Fuzzy Hash: 393180B5900301ABCB10AF71C985A1BF7E8AF84755F10891EF85497392C739FC45CB68
                APIs
                • GetParent.USER32(?), ref: 004505BF
                • DefDlgProcW.USER32(?,00000138,?,?,004A83D8,?,004A83D8,?), ref: 00450610
                • DefDlgProcW.USER32(?,00000133,?,?,004A83D8,?,004A83D8,?), ref: 0045065A
                • DefDlgProcW.USER32(?,00000134,?,?,004A83D8,?,004A83D8,?), ref: 00450688
                Similarity
                • API ID: Proc$Parent
                • String ID:
                • API String ID: 2351499541-0
                • Opcode ID: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
                • Instruction ID: e3e31f905615dd8bfbe674c7a91f48f64006a8638b4dc9b760805e547d05c650
                • Opcode Fuzzy Hash: 93bb19dea30658450b5dada9832e261aba4ffbe4fc891123e7e77a8d6405a749
                • Instruction Fuzzy Hash: 8C3128362411006BC2209B299C58DBB7B58EBC7336F14465BFA54832D3CB769826C768
                APIs
                  • Part of subcall function 00438C85: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00438C95
                  • Part of subcall function 004021E0: _wcslen.LIBCMT ref: 004021F2
                • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 00461420
                • SendMessageW.USER32(00000000,0000102C,00000000,00000002), ref: 0046144F
                • __itow.LIBCMT ref: 00461461
                • __itow.LIBCMT ref: 004614AB
                Similarity
                • API ID: MessageSend$__itow$_wcslen
                • String ID:
                • API String ID: 2875217250-0
                • Opcode ID: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
                • Instruction ID: b65c482f8247f617b799fd724a7506577ebf884cdb52d0d4602b18db992df379
                • Opcode Fuzzy Hash: 347b44770508ca88cf5981266e998b528a2978f718c0dd2978777487f2c1d3f7
                • Instruction Fuzzy Hash: 3A213D7670031067D210BA169C86FAFB794EB94714F08443FFF44AB241EE69E94687EB
                APIs
                • GetForegroundWindow.USER32 ref: 00472806
                  • Part of subcall function 00443EEF: GetWindowThreadProcessId.USER32(00000001,00000000), ref: 00443F11
                  • Part of subcall function 00443EEF: GetCurrentThreadId.KERNEL32 ref: 00443F18
                  • Part of subcall function 00443EEF: AttachThreadInput.USER32(00000000), ref: 00443F1F
                • GetCaretPos.USER32(?), ref: 0047281A
                • ClientToScreen.USER32(00000000,?), ref: 00472856
                • GetForegroundWindow.USER32 ref: 0047285C
                Similarity
                • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                • String ID:
                • API String ID: 2759813231-0
                • Opcode ID: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
                • Instruction ID: 38f02bd9b1f6bed34cfa7ce2d7f69328ba3456287a0ba45db7850a86b8391dd2
                • Opcode Fuzzy Hash: f08c9821fa495b0e17bd1c697e1e5286648ea95901ecf1a9ceb1535147bec3ee
                • Instruction Fuzzy Hash: FF2195716403056FE310EF65CC42F5BB7E8AF84708F144D2EF544AB282D6FAB9858795
                APIs
                  • Part of subcall function 0046DD22: IsWindow.USER32(00000000), ref: 0046DD51
                • GetWindowLongW.USER32(?,000000EC), ref: 0047728E
                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772A9
                • SetWindowLongW.USER32(?,000000EC,00000000), ref: 004772C0
                • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002,?,000000EC,00000000,?,000000EC,?,00000001,?,?), ref: 004772D0
                Similarity
                • API ID: Window$Long$AttributesLayered
                • String ID:
                • API String ID: 2169480361-0
                • Opcode ID: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                • Instruction ID: faea1ea985e506ac999786301d765d91882fdca708237d94abe4bce3661c65f1
                • Opcode Fuzzy Hash: cf64f2ba38e7b8586118add57273b6dbf74680437e58013ae8f64db123384f26
                • Instruction Fuzzy Hash: 5F11B431205510ABD310FB29DD45F9BB798FF91720F10862EF455E72E2C7A8AC45C7A8
                APIs
                • SendMessageW.USER32 ref: 00448CB8
                • GetWindowLongW.USER32(?,000000EC), ref: 00448CE0
                • SendMessageW.USER32(?,0000104C,00000000,?), ref: 00448D19
                • SendMessageW.USER32(?,0000102B,00000000,?), ref: 00448D62
                Similarity
                • API ID: MessageSend$LongWindow
                • String ID:
                • API String ID: 312131281-0
                • Opcode ID: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                • Instruction ID: 9d6bf2a2f0cb0d5184a29e15ea511504db1ac53b4253ca88fa0f688086887250
                • Opcode Fuzzy Hash: 75ae646de43e531ea10203f5aba75cb55710deee3f48b72b110124c921b55059
                • Instruction Fuzzy Hash: B12174715053019BF3208F18D98879FB7E4FBD5325F140B2EF594962D0DBB58449C796
                APIs
                • select.WSOCK32 ref: 0045890A
                • __WSAFDIsSet.WSOCK32(00000000,00000000), ref: 00458919
                • accept.WSOCK32(00000000,00000000,00000000,00000000,00000000), ref: 00458927
                • WSAGetLastError.WSOCK32(00000000), ref: 00458952
                Similarity
                • API ID: ErrorLastacceptselect
                • String ID:
                • API String ID: 385091864-0
                • Opcode ID: 4f99be09ea3748399bcd45f1fb284b1e509608db9923cba0f0141099163bafeb
                • Instruction ID: 93f38c3b8a65fd8a68e5265ae944391143789c71a4918893f245a539b4228a7d
                • Opcode Fuzzy Hash: 4f99be09ea3748399bcd45f1fb284b1e509608db9923cba0f0141099163bafeb
                • Instruction Fuzzy Hash: 1F2166712043019BD314EF29C842BABB7E5AFC4714F144A2EF994DB2C1DBB4A985CB99
                APIs
                • SendMessageW.USER32(?,000000B0,?,?), ref: 00438D6F
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D82
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438D9A
                • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00438DB4
                Similarity
                • API ID: MessageSend
                • String ID:
                • API String ID: 3850602802-0
                • Opcode ID: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                • Instruction ID: 707762f1bc06eebb59e9357f9c77b20c0e090dcf7cedc03b298b4f863176c0ea
                • Opcode Fuzzy Hash: 265964968b448329a9940c71d90cafee1d95b27ec759889be900fe0a368f8aeb
                • Instruction Fuzzy Hash: 77113AB6204305AFD210EF58DC84F6BF7E8EBE8750F20491EF580D7290D6B1A8468BA1
                APIs
                • CreateWindowExW.USER32(?,?,?,FFFFFFFF,?,?,?,?,?,?,00400000,00000000), ref: 0043367E
                • GetStockObject.GDI32(00000011), ref: 00433695
                • SendMessageW.USER32(00000000,00000030,00000000), ref: 0043369F
                • ShowWindow.USER32(00000000,00000000), ref: 004336BA
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Window$CreateMessageObjectSendShowStock
                • String ID:
                • API String ID: 1358664141-0
                • Opcode ID: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                • Instruction ID: 5bb77caae3378c1c36de35f78993aeb7f53e4fc0e9047450929301c31466c70f
                • Opcode Fuzzy Hash: a78582cd8c915fd270119012ff4eddf0033f410814d91724adacf9cac7d73a6b
                • Instruction Fuzzy Hash: 60114F72204A00BFD254DF55CC49F5BB3F9AFCCB01F20950DB254922A0D7B4E9418BA9
                APIs
                • GetCurrentThreadId.KERNEL32 ref: 004441B8
                • MessageBoxW.USER32(?,?,?,?), ref: 004441F6
                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0044420C
                • CloseHandle.KERNEL32(00000000), ref: 00444213
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                • String ID:
                • API String ID: 2880819207-0
                • Opcode ID: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                • Instruction ID: a177bb78e812b0c83f085b16f259857c8a511f23e32e5024349264f8b0df3d09
                • Opcode Fuzzy Hash: 146d2f4ba151d14deb3aa3acfdd6de045567f86e28c98b22242e1e1489ea4094
                • Instruction Fuzzy Hash: C401E5364183105BD300DB28ED08A9BBBD8BFD9721F18067EF89893351E6B48948C7B6
                APIs
                • GetWindowRect.USER32(?,?), ref: 00434037
                • ScreenToClient.USER32(?,?), ref: 0043405B
                • ScreenToClient.USER32(?,?), ref: 00434085
                • InvalidateRect.USER32(?,?,?), ref: 004340A4
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: ClientRectScreen$InvalidateWindow
                • String ID:
                • API String ID: 357397906-0
                • Opcode ID: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                • Instruction ID: 02545dd0d615a745195cb6f618e51c1f9c2552a202a2369b8695847d2ce6fb2f
                • Opcode Fuzzy Hash: 751e48bbdad3fa965b56aea51b9fa4e55de6b4169d4940aca7a3583b508516de
                • Instruction Fuzzy Hash: 24117EB9608302AFC304DF18D98095BBBE9FFD8650F10891EF88993350D770E9498BA2
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                • String ID:
                • API String ID: 3016257755-0
                • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                • Instruction ID: 11ead64bc5c18606fe5fffcedc2bbdf89ccfa4faa7bd693ca83be0ddd2add3a5
                • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                • Instruction Fuzzy Hash: AA11A272500059BBCF225E85EC018EE3F66FB88354B898416FE2858131C73AC9B1AB85
                APIs
                • __wsplitpath.LIBCMT ref: 00436A45
                  • Part of subcall function 00413DB0: __wsplitpath_helper.LIBCMT ref: 00413DF2
                • __wsplitpath.LIBCMT ref: 00436A6C
                • __wcsicoll.LIBCMT ref: 00436A93
                • __wcsicoll.LIBCMT ref: 00436AB0
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: __wcsicoll__wsplitpath$__wsplitpath_helper
                • String ID:
                • API String ID: 1187119602-0
                • Opcode ID: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                • Instruction ID: cc447ddabc085245cf6c6bda96777749177fc915bba42f20b5b260b799017f3a
                • Opcode Fuzzy Hash: 5b78189461bd351535feab14c2aa3b28919a840a222a6c91b90152b853837e7b
                • Instruction Fuzzy Hash: 690165B64043416BD724EB50D881EEBB3ED7BD8304F04C91EB5C982041FB38D24C87A6
                APIs
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: _wcslen$_malloc_wcscat_wcscpy
                • String ID:
                • API String ID: 1597257046-0
                • Opcode ID: a0a60491a2b11ab92cb2618fcf1664bc73e22867390c023d5d6986141a6dc3e0
                • Instruction ID: 9df5ee2dcc5f1a759a9cde70f7b42babd8a8bdcc369222b22224423102f690bd
                • Opcode Fuzzy Hash: a0a60491a2b11ab92cb2618fcf1664bc73e22867390c023d5d6986141a6dc3e0
                • Instruction Fuzzy Hash: BFF06D32200200AFC314EB66C885E6BB3EAEBC5324F04852EF556C7791DB39F841C764
                APIs
                • DeleteObject.GDI32(?), ref: 0045564E
                • DeleteObject.GDI32(?), ref: 0045565C
                • DestroyIcon.USER32(?,?,?,?,?), ref: 0045566A
                • DestroyWindow.USER32(?,?,?,?,?), ref: 00455678
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: DeleteDestroyObject$IconWindow
                • String ID:
                • API String ID: 3349847261-0
                • Opcode ID: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
                • Instruction ID: 3a9029eb8e47786e7dec82746d504bb216afab776d143f23dce7b1a7602128e4
                • Opcode Fuzzy Hash: 3ca9d014447a04aedc0dfd8276f5a6e9fbff97cfd7386ed498fa31ba53dce0fe
                • Instruction Fuzzy Hash: 06F03C702006419BDB20AF65DDD8A2B77ACEF45322740456AFD04D7242DB28DC498B7D
                APIs
                • EnterCriticalSection.KERNEL32(?), ref: 0044B60B
                • InterlockedExchange.KERNEL32(?,?), ref: 0044B619
                • LeaveCriticalSection.KERNEL32(?), ref: 0044B630
                • LeaveCriticalSection.KERNEL32(?), ref: 0044B641
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CriticalSection$Leave$EnterExchangeInterlocked
                • String ID:
                • API String ID: 2223660684-0
                • Opcode ID: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
                • Instruction ID: 8f2921e390180aa9c6083979f061463a0462abb68b72a76a452ff5fd2bc04521
                • Opcode Fuzzy Hash: ff66e887f7cbb15f4500d5b6eb7e85b0bae77af45fe5867796c74117f3ed7197
                • Instruction Fuzzy Hash: 35F08C362422019F82249B59EA488DBB3FDEBE97213009C2FE142C32108BB5F806CB75
                APIs
                  • Part of subcall function 0044710F: DeleteObject.GDI32(00000000), ref: 00447151
                  • Part of subcall function 0044710F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,00000000,?,?,?), ref: 00447195
                  • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471A2
                  • Part of subcall function 0044710F: BeginPath.GDI32(?), ref: 004471B7
                  • Part of subcall function 0044710F: SelectObject.GDI32(?,00000000), ref: 004471DC
                • MoveToEx.GDI32(?,?,00000000,00000000), ref: 0044728F
                • LineTo.GDI32(?,00000000,00000002), ref: 004472A0
                • EndPath.GDI32(?), ref: 004472B0
                • StrokePath.GDI32(?), ref: 004472BE
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: ObjectPath$Select$BeginCreateDeleteLineMoveStroke
                • String ID:
                • API String ID: 2783949968-0
                • Opcode ID: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
                • Instruction ID: 15f667079dd022c0076d5117e5ffb33549464faf874781034dcdd6a9c0a79bb3
                • Opcode Fuzzy Hash: 09270453bc364e96d12f6c3f9be453f1264e71f62e0889bc66601f12e66ee767
                • Instruction Fuzzy Hash: 46F09030109361BFE211DB10DC0AF9F3B98AB46310F10490CF641622D2C7B46845C7BA
                APIs
                • __getptd.LIBCMT ref: 00417D1A
                  • Part of subcall function 00416C72: __getptd_noexit.LIBCMT ref: 00416C75
                  • Part of subcall function 00416C72: __amsg_exit.LIBCMT ref: 00416C82
                • __getptd.LIBCMT ref: 00417D31
                • __amsg_exit.LIBCMT ref: 00417D3F
                • __lock.LIBCMT ref: 00417D4F
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                • String ID:
                • API String ID: 3521780317-0
                • Opcode ID: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
                • Instruction ID: 784cd6646040312d8c3929352b57c791f513dbd9ce30c249d09a92555f0e5bc7
                • Opcode Fuzzy Hash: 6e88b35b2b81098ca19d257f076875e832caf49443e3c23eeee739354b537ff9
                • Instruction Fuzzy Hash: D4F06D319447089AD720FB66E4067EA32B0AF01728F11856FA4415B7D2DB3C99C08B9E
                APIs
                • GetDesktopWindow.USER32 ref: 00471144
                • GetDC.USER32(00000000), ref: 0047114D
                • GetDeviceCaps.GDI32(00000000,00000074), ref: 0047115A
                • ReleaseDC.USER32(00000000,?), ref: 0047117B
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CapsDesktopDeviceReleaseWindow
                • String ID:
                • API String ID: 2889604237-0
                • Opcode ID: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
                • Instruction ID: a1da8b046b56c0024f4e51319ca7c868ce9b42ab557c4db2e47d6af70bf9fcef
                • Opcode Fuzzy Hash: 949280357db84fa49407f8095e759b2e277f1c53a9819964645a6bf04a6d26c7
                • Instruction Fuzzy Hash: 75F05E759042009FC310DF65DC4856EBBA4FB94351F108C3EFD05D2251DB7889059B99
                APIs
                • GetDesktopWindow.USER32 ref: 00471102
                • GetDC.USER32(00000000), ref: 0047110B
                • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00471118
                • ReleaseDC.USER32(00000000,?), ref: 00471139
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CapsDesktopDeviceReleaseWindow
                • String ID:
                • API String ID: 2889604237-0
                • Opcode ID: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
                • Instruction ID: 5204c471e266b2ed5cdb435334cd6f206910ee07043e0bb223494c3f632f6575
                • Opcode Fuzzy Hash: 179ddf2500a9669b2282ba4880ad99879b6dd87bde84ab61e923a9eee80713d7
                • Instruction Fuzzy Hash: 78F05E759042009FD310EF65DC5896EBBA4FB94351F104C3EFC05D2251DB7489059B99
                APIs
                • SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
                • GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
                • GetCurrentThreadId.KERNEL32 ref: 004389DA
                • AttachThreadInput.USER32(00000000), ref: 004389E1
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                • String ID:
                • API String ID: 2710830443-0
                • Opcode ID: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
                • Instruction ID: 438da6915ae72ab6a15f098678a9856147cbf2dc0a85cf0a700465948addd5b0
                • Opcode Fuzzy Hash: fc668e8f88677791c9032932ff1b39d21009c78d2dca35edbf1b20bb29ea35ff
                • Instruction Fuzzy Hash: 14E012712853107BE72157509D0EFAF7B98AF18B11F14481EB241B50D0DAF8A941876E
                APIs
                • WaitForSingleObject.KERNEL32(?,000000FF), ref: 004390CD
                • UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 004390DB
                • CloseHandle.KERNEL32(?,?,000000FF), ref: 004390EB
                • CloseHandle.KERNEL32(?,?,000000FF), ref: 004390F0
                  • Part of subcall function 00438FB6: GetProcessHeap.KERNEL32(00000000,?,00439504,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FC1
                  • Part of subcall function 00438FB6: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00438FC8
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                • String ID:
                • API String ID: 146765662-0
                • Opcode ID: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
                • Instruction ID: e19b07cb6d87eea3d85dfea562759309df1919ba68b29a0146d7a5ec0ea3c710
                • Opcode Fuzzy Hash: 7cdfdd2e005e28f5438e9d3b399fcd684928161159dd652c77b09849c549b5d2
                • Instruction Fuzzy Hash: 5DE0C976504311ABC620EB65DC48C4BB7E9EF883303114E1DF89693260CA74E881CB65
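The two blocks above (the SendMessageTimeoutW / GetWindowThreadProcessId / AttachThreadInput sequence at 004389C0 to 004389E1, and the WaitForSingleObject / UnloadUserProfile / CloseHandle cleanup at 004390CD to 004390F0) are the kind of API combinations an analyst wants pulled out of a report this long without scrolling. The Python below is an added example and not part of the Joe Sandbox report: it parses the "APIs / Memory Dump Source / Similarity" block layout used on this page into records keyed by API String ID, strips the "Download File" link label that the HTML export fuses onto the Associated lines, and flags blocks whose direct calls match a watch-list. The watch-list labels are this example's own choice; SAMPLE is an excerpt copied from the two blocks above with the Associated lines trimmed to one.

```python
# Added example: parser for the per-function "APIs / Similarity" blocks of this report.
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# "• Name.MODULE(args), ref: ADDR", optionally prefixed "Part of subcall function X:".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function\s+(?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_][\w@:]*)\.(?P<module>[A-Za-z0-9]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# "• Key: value" metadata lines (API ID, String ID, hashes, dump sources).
KV_RE = re.compile(r"^\s*•\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<val>.*?)\s*$")

@dataclass
class ApiCall:
    name: str
    module: str
    ref: str                    # call-site address in the dump
    args: str
    via_subcall: Optional[str]  # callee address when reported from a subcall

@dataclass
class FunctionBlock:
    apis: List[ApiCall] = field(default_factory=list)
    associated: List[str] = field(default_factory=list)
    meta: Dict[str, str] = field(default_factory=dict)

    @property
    def api_string_id(self) -> str:
        return self.meta.get("API String ID", "")

    @property
    def direct_api_names(self) -> Set[str]:
        return {a.name for a in self.apis if a.via_subcall is None}

def parse_function_blocks(text: str) -> List[FunctionBlock]:
    """Split report text into blocks; each ends at its 'Instruction Fuzzy Hash' line."""
    blocks: List[FunctionBlock] = []
    cur = FunctionBlock()
    for line in text.splitlines():
        m = API_RE.match(line)
        if m:
            cur.apis.append(ApiCall(m["name"], m["module"], m["ref"], m["args"] or "", m["sub"]))
            continue
        m = KV_RE.match(line)
        if not m:
            continue
        # The HTML export fuses the "Download File" link label onto Associated lines.
        key, val = m["key"], re.sub(r"Download File$", "", m["val"]).strip()
        if key == "Associated":
            cur.associated.append(val)
        else:
            cur.meta[key] = val
        if key == "Instruction Fuzzy Hash":
            blocks.append(cur)
            cur = FunctionBlock()
    if cur.apis or cur.meta:  # trailing block without a closing hash line
        blocks.append(cur)
    return blocks

# API combinations worth a second look; every name below appears in this report.
WATCHLIST: Dict[str, Set[str]] = {
    "focus/input hijack (AttachThreadInput to another window's thread)":
        {"GetWindowThreadProcessId", "AttachThreadInput"},
    "window message with timeout (SendMessageTimeoutW)": {"SendMessageTimeoutW"},
    "run-as-other-user cleanup (UnloadUserProfile)": {"UnloadUserProfile"},
}

def flag_blocks(blocks: List[FunctionBlock]) -> List[Tuple[str, str, List[str]]]:
    """Return (label, API String ID, call-site refs) per watch-list match on direct calls."""
    hits = []
    for b in blocks:
        names = b.direct_api_names
        for label, needed in WATCHLIST.items():
            if needed <= names:
                hits.append((label, b.api_string_id, [a.ref for a in b.apis if a.name in needed]))
    return hits

# Excerpt copied from two function blocks of this report (Associated lines trimmed).
SAMPLE = """\
APIs
• SendMessageTimeoutW.USER32(00000001,00000000,00000000,00000000,00000002,00001388,004848E8), ref: 004389C0
• GetWindowThreadProcessId.USER32(00000001,00000000), ref: 004389D3
• GetCurrentThreadId.KERNEL32 ref: 004389DA
• AttachThreadInput.USER32(00000000), ref: 004389E1
• Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
• API String ID: 2710830443-0
• Instruction Fuzzy Hash: 14E012712853107BE72157509D0EFAF7B98AF18B11F14481EB241B50D0DAF8A941876E
APIs
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 004390CD
• UnloadUserProfile.USERENV(?,?,?,000000FF), ref: 004390DB
• CloseHandle.KERNEL32(?,?,000000FF), ref: 004390EB
  • Part of subcall function 00438FB6: GetProcessHeap.KERNEL32(00000000,?,00439504,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00438FC1
  • Part of subcall function 00438FB6: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00438FC8
• API String ID: 146765662-0
• Instruction Fuzzy Hash: 5DE0C976504311ABC620EB65DC48C4BB7E9EF883303114E1DF89693260CA74E881CB65
"""
```

Run `flag_blocks(parse_function_blocks(open("report.txt").read()))` over a saved copy of the page to get every matching block with its API String ID and call-site addresses; the API String ID is the same for functions with the same API set (the two GetDesktopWindow / GetDeviceCaps blocks in this report share 2889604237-0), so it is a convenient key for de-duplicating hits. Subcall entries are kept on the record but excluded from matching, so a block is only flagged for calls made at its own call sites.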
                APIs
                • __IsNonwritableInCurrentImage.LIBCMT ref: 00414070
                  • Part of subcall function 00418540: __FindPESection.LIBCMT ref: 0041859B
                • __getptd_noexit.LIBCMT ref: 00414080
                • __freeptd.LIBCMT ref: 0041408A
                • ExitThread.KERNEL32 ref: 00414093
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CurrentExitFindImageNonwritableSectionThread__freeptd__getptd_noexit
                • String ID:
                • API String ID: 3182216644-0
                • Opcode ID: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
                • Instruction ID: 8c1b811a677bc0208766d104aadce1409d27245c16b3af4a320e27a455eae914
                • Opcode Fuzzy Hash: 18f79961a183a005566c851b5a75566c8a37b9a59448809cc1b4ea10e33ea091
                • Instruction Fuzzy Hash: F8D0EC7051024256D6207BA7ED097AA3A589B44B26B15446EA905801B1DF68D9C1862D
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: BuffCharLower
                • String ID: $8'I
                • API String ID: 2358735015-3608026889
                • Opcode ID: d6f66c2f2361e76d4402681cdd51d930a97151c2fdd89a539067bc835b5788b1
                • Instruction ID: 1bf34105e022c250dd7240f1ea7ec4803edb57b208c13e69c3fb06210d7c4844
                • Opcode Fuzzy Hash: d6f66c2f2361e76d4402681cdd51d930a97151c2fdd89a539067bc835b5788b1
                • Instruction Fuzzy Hash: 9FE1AE745043018BCB24EF16D88166BB7E4BF94348F40482FF88597292EB79DD89CB9B
                APIs
                • OleSetContainedObject.OLE32(00000000,00000001), ref: 0047857A
                  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                  • Part of subcall function 00445513: OleSetContainedObject.OLE32(?,00000000), ref: 00445593
                  • Part of subcall function 004781AE: GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00000001,00000000,NULL Pointer assignment,00000001), ref: 00478201
                  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(?,?), ref: 00478259
                  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000058,?), ref: 00478270
                  • Part of subcall function 004781AE: VariantCopy.OLEAUT32(-00000078,?), ref: 00478287
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: CopyVariant$ContainedObject$ErrorLast_malloc
                • String ID: AutoIt3GUI$Container
                • API String ID: 3380330463-3941886329
                • Opcode ID: 167728f1ef0b290fa0ab537cd1f49c444f99f24bf3b7fe0b60cc3227d219d98d
                • Instruction ID: 8a51a4197b359b89da059ec4b883cd23719ad159cb4f439b8c2c8f5fea4c1b32
                • Opcode Fuzzy Hash: 167728f1ef0b290fa0ab537cd1f49c444f99f24bf3b7fe0b60cc3227d219d98d
                • Instruction Fuzzy Hash: FEA16A71240601AFC760EF69C880A6BB7E9FB88304F10892EF649CB361EB75E945CB55
                APIs
                • _wcslen.LIBCMT ref: 00409A61
                  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                  • Part of subcall function 0041171A: std::bad_alloc::bad_alloc.LIBCMT ref: 00411757
                  • Part of subcall function 0041171A: std::bad_exception::bad_exception.LIBCMT ref: 0041176B
                  • Part of subcall function 0041171A: __CxxThrowException@8.LIBCMT ref: 00411779
                • CharUpperBuffW.USER32(?,?), ref: 00409AF5
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: BuffCharException@8ThrowUpper_malloc_wcslenstd::bad_alloc::bad_allocstd::bad_exception::bad_exception
                • String ID: 0vH
                • API String ID: 1143807570-3662162768
                • Opcode ID: bf773a96792e7386fbbaa0db16cdf7f70de857e2ea7db1c9c90ef838773f5a19
                • Instruction ID: 5e67718e4417cbef977f4cc7974cb0b4b39b480e5382bb1977b3cac956c07efc
                • Opcode Fuzzy Hash: bf773a96792e7386fbbaa0db16cdf7f70de857e2ea7db1c9c90ef838773f5a19
                • Instruction Fuzzy Hash: 53515BB1A083009FC718CF18C48065BB7E1FF88314F54856EF9999B391D779E942CB96
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID:
                • String ID: HH$HH
                • API String ID: 0-1787419579
                • Opcode ID: fed4e066af51e45fc8c5976399addcc25001bc25a5639efd16b547c1275b717f
                • Instruction ID: b2aab3850ea6996be17d3b26b1a0d96f4757dd5de2ef7d298d9c2790e2b3b10f
                • Opcode Fuzzy Hash: fed4e066af51e45fc8c5976399addcc25001bc25a5639efd16b547c1275b717f
                • Instruction Fuzzy Hash: 1241BF367042009FC310EF69E881F5AF3A1EF99314F548A6EFA589B381D776E811CB95
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: InfoItemMenu_memset
                • String ID: 0
                • API String ID: 2223754486-4108050209
                • Opcode ID: 60781951bb834b78e0167a3e9afe01c70176745dc522d898366d6ad0e6242f51
                • Instruction ID: 143d79469fb3e570aa9bb1e7a79db7ad77638f8ab3c2e89d41e08a42c99b444e
                • Opcode Fuzzy Hash: 60781951bb834b78e0167a3e9afe01c70176745dc522d898366d6ad0e6242f51
                • Instruction Fuzzy Hash: CB3101721043009BF3249F18DC85BABBBE4EBC6310F14081FFA90C62A0E379D949C75A
                APIs
                • SendMessageW.USER32(?,00001132,00000000,?), ref: 0044846C
                • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0044847E
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: '
                • API String ID: 3850602802-1997036262
                • Opcode ID: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
                • Instruction ID: cecdca06d5aa7ecc7109d5e1ff25192cbd540bafe2d1ef24ff7c1b98f096cb5f
                • Opcode Fuzzy Hash: 40c115dbe3bb232f42185e8835a3c48b8da925c0788aed463fb6e16a301179a8
                • Instruction Fuzzy Hash: 984179706083459FE710CF18C880BABB7E1FB89700F54882EF9888B351DB75A841CF5A
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID:
                • String ID: 0
                • API String ID: 0-4108050209
                • Opcode ID: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
                • Instruction ID: 268d240ecd79f719a1425e83c09d650ed443e1bf0ac8ef4f8d51517adc50c1d2
                • Opcode Fuzzy Hash: b6c602b1dd263d2c99a5ec9127bd928e029cd45f71d746a48c0c49a5726287e2
                • Instruction Fuzzy Hash: B6210D765042206BEB15DF08D844B97B7A4FBDA310F44492BEE9897250D379E848C7AA
                APIs
                • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00451305
                • SendMessageW.USER32(00000000,0000014E,00000000,00000000), ref: 00451313
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend
                • String ID: Combobox
                • API String ID: 3850602802-2096851135
                • Opcode ID: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
                • Instruction ID: f266216a818347eeb58d59163185d0479ace604409515c443b0f4894c7ad90f2
                • Opcode Fuzzy Hash: 0499e5d8541f4f9e55005c4c3969ca7e279e19a534152943b96dd4c6f47caa3c
                • Instruction Fuzzy Hash: D9110A72A0430067E6109AA4DC80F5BB3D8EB99735F10071BFA24E72E1D774FC448768
                APIs
                • GetWindowTextLengthW.USER32(00000000), ref: 004515DA
                • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 004515EA
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: LengthMessageSendTextWindow
                • String ID: edit
                • API String ID: 2978978980-2167791130
                • Opcode ID: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
                • Instruction ID: b80de1f22085cd2d24dcce0fe83431d10f7d2aff66e66183492c5b70af3c9e13
                • Opcode Fuzzy Hash: 255065f22875c24af3de74cb0bd99753dbe1335258aa39c92c973eb9156a9169
                • Instruction Fuzzy Hash: 2011E4716003006BD6109A64D884F6BB3DCEBD8335F104B1EFA61D32E1D779EC458729
                APIs
                • Sleep.KERNEL32(00000000), ref: 00474833
                • GlobalMemoryStatusEx.KERNEL32 ref: 00474846
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: GlobalMemorySleepStatus
                • String ID: @
                • API String ID: 2783356886-2766056989
                • Opcode ID: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
                • Instruction ID: 41c327e25453105c4ca6c880754d33c67e761007402a238c65fd2e715fefe222
                • Opcode Fuzzy Hash: 6b539aa5d60aaa410447b6e5f9627e9a7b549f395ce9a021d490b3e8c5b2361e
                • Instruction Fuzzy Hash: 4421C230929A14B7C2107F6ABD4BB5E7BB8AF44716F008C5DF5C562094DF785268836F
                APIs
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: htonsinet_addr
                • String ID: 255.255.255.255
                • API String ID: 3832099526-2422070025
                • Opcode ID: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
                • Instruction ID: e3b5e028fda38c0aed97ec3d425ece65e45bc088e5f3683a6f0e3ee8de0e9224
                • Opcode Fuzzy Hash: 8f81358a7508e033a1ccca041802c5cf6ea433113977ffec7d790c03bda6a3ba
                • Instruction Fuzzy Hash: 6F11253620030057DA10EB69C882F9BB394EFC4728F00896BFA105B283D679F45A832E
                APIs
                  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                • SendMessageW.USER32(00000000,000001A2,000000FF,00000000), ref: 00469547
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend_wcslen
                • String ID: ComboBox$ListBox
                • API String ID: 455545452-1403004172
                • Opcode ID: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
                • Instruction ID: d7878a024921556205560296ec06e6abf53b779169672b4943ab7ad66f70e2c7
                • Opcode Fuzzy Hash: 19b239a33d6ccea3c1be09f9a3ff48f3ef4fb117e78275193105084191351ab7
                • Instruction Fuzzy Hash: 2601D6327011106B8600BB299C019AFB39DDBC2370F544A2FF965573D1EA39AC0E476A
                APIs
                • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00442B8C
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: InternetOpen
                • String ID: <local>
                • API String ID: 2038078732-4266983199
                • Opcode ID: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
                • Instruction ID: 525aca290fb55aeb65c4bf55ca0deee88c9418ef2a1db54778758d1eb2e06c8a
                • Opcode Fuzzy Hash: 6ab628e9b643b7f337e7eb9a1eb164a667740d16f62f34970bb7649561c47b18
                • Instruction Fuzzy Hash: 9011A934144751AAF621DF108D86FB77794FB50B01F50480FF9866B2C0D6F4B848C766
                APIs
                  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                • SendMessageW.USER32(00000000,00000180,00000000,00000000), ref: 00469660
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend_wcslen
                • String ID: ComboBox$ListBox
                • API String ID: 455545452-1403004172
                • Opcode ID: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
                • Instruction ID: 486d2595d5a7427da4a9c048e684990a8dc9cac685a8154682435d05c4426571
                • Opcode Fuzzy Hash: 9c387d355752c609e3ec3b71bdfa1ce54c6356e755a59a855018ee08606d8eab
                • Instruction Fuzzy Hash: A101D87274121027C600BA259C01AEBB39CEB96354F04443BF94597291EA6DED0E43AA
                APIs
                  • Part of subcall function 00401B70: _wcslen.LIBCMT ref: 00401B71
                • SendMessageW.USER32(00000182,00000182,?,00000000), ref: 004695D6
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend_wcslen
                • String ID: ComboBox$ListBox
                • API String ID: 455545452-1403004172
                • Opcode ID: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
                • Instruction ID: 72d13aeac174e9c1a3a177398698555a642000804846b33da1492f44d6438514
                • Opcode Fuzzy Hash: ebc0188a5584a95c85a0cdadc4297c14a5cc600b4744d97cee4f9a5f6612b8f9
                • Instruction Fuzzy Hash: 4D01A77374111067C610BA6A9C01AEB739CABD2364F44443BF94597292EA7DED0E43AA
                APIs
                • SendMessageW.USER32(?,00001001,00000000,?), ref: 004560BA
                  • Part of subcall function 0041171A: _malloc.LIBCMT ref: 00411734
                • wsprintfW.USER32 ref: 004560E9
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: MessageSend_mallocwsprintf
                • String ID: %d/%02d/%02d
                • API String ID: 1262938277-328681919
                • Opcode ID: 5e9390f3fa6d631e890f8db483ee3f325bf10843f83bb080d9b0d170336394c6
                • Instruction ID: 2a73c44ac592e0fe880a68d863bd42ca8887a008949f121bccc13d44bcf2ebb3
                • Opcode Fuzzy Hash: 5e9390f3fa6d631e890f8db483ee3f325bf10843f83bb080d9b0d170336394c6
                • Instruction Fuzzy Hash: 13F08272744220A7E2105BA5AC01BBFB3D4EB84762F10443BFE44D12C0E66E8455D7BA
                APIs
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 0044226C
                • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 0044227F
                  • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: FindMessagePostSleepWindow
                • String ID: Shell_TrayWnd
                • API String ID: 529655941-2988720461
                • Opcode ID: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
                • Instruction ID: f0ed9326d30a696a9ade51716a531e8bd1705000bbe21894ac7a57cb5589152b
                • Opcode Fuzzy Hash: 62d1e1a02585172d548c808ed695c1d9d3028cc69dace886715b1b3d1423c17e
                • Instruction Fuzzy Hash: 71D0A772F8130177E92077706D0FFCB26246F14710F010C3AB305AA1C0D4E8D440C358
                APIs
                • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00442240
                • PostMessageW.USER32(00000000), ref: 00442247
                  • Part of subcall function 00436272: Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,0044269D,0000000A), ref: 00436287
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: FindMessagePostSleepWindow
                • String ID: Shell_TrayWnd
                • API String ID: 529655941-2988720461
                • Opcode ID: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
                • Instruction ID: d1e5b9be119239975405e397b0c0efdc35250005003305bf123d4268f2ecb06f
                • Opcode Fuzzy Hash: d3682f88803cb2a3efb7847c83fab5a73234bf1983908037f6894d5424c159e3
                • Instruction Fuzzy Hash: 4DD05E72B813013BE92076706D0FF8B26246B14710F010C2AB205AA1C0D4E8A4408358
                APIs
                • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00439522
                  • Part of subcall function 00411A1F: _doexit.LIBCMT ref: 00411A2B
                Strings
                Memory Dump Source
                • Source File: 00000000.00000002.1700116027.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                • Associated: 00000000.00000002.1700100790.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700160575.0000000000482000.00000002.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.0000000000490000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700433872.00000000004A7000.00000004.00000001.01000000.00000003.sdmp
                • Associated: 00000000.00000002.1700469850.00000000004AB000.00000002.00000001.01000000.00000003.sdmp
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_0_2_400000_Invoices #645473.jbxd
                Similarity
                • API ID: Message_doexit
                • String ID: AutoIt$Error allocating memory.
                • API String ID: 1993061046-4017498283
                • Opcode ID: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
                • Instruction ID: 5d68346425d2699d55792fe39b85c2381918ba1f955abba655776c5540820644
                • Opcode Fuzzy Hash: 98c4a6cf209f69c689245cd57ea7e643062e7ce984d6ae84015e6f4dd77dfbd0
                • Instruction Fuzzy Hash: 82B092343C038627E20437A01C0BF8C28049B64F42F220C2AB308384D259D90080231E